
Bug#912414: fwupd: Impossible to refresh metadata from remote server



This is still not fixed.

fwupd 0.7.4-2 ships with a DownloadURI value (s3.amazonaws.com) that points to
an unmaintained and unsupported metadata repository. CVE-2020-10759 (#962517)
was made readily exploitable against Debian Stretch users due to this stale
value.

Now that the S3 bucket is back in the safe hands of the LVFS/fwupd project,
CVE-2020-10759 is less exploitable against Debian Stretch. But the
functionality breakage remains, and users are needlessly running up the costs
of a deprecated S3 bucket.

Maintainer, can you please consider:

1. Backporting the fixes necessary to no longer use s3.amazonaws.com AND the
   fixes necessary to fix the functionality breakage (i.e. to have 0.7.4 accept
   the new metadata format); OR

2. Proposing an update so that Stretch uses the fwupd in Testing.

If option 1 is taken, consider backporting the fix for CVE-2020-10759 at the
same time.

The discussion on #961490 (a similar issue as it relates to Buster) might be
relevant.

--
Justin
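The check a Stretch admin would want after reading the report above is whether the installed fwupd configuration still carries a download URI on the retired s3.amazonaws.com host. The script below is an added example, not part of the bug report or of fwupd itself; it assumes the INI-style key=value layout fwupd 0.7.x used for its DownloadURI key, the default path /etc/fwupd.conf, and a constructed sample configuration whose values are illustrative only.

```python
"""Flag fwupd configuration entries whose metadata download URI points at a
retired host.  Added example, not part of the Debian bug report or of fwupd.
Assumptions: fwupd's INI-style key=value format with a DownloadURI key (as in
fwupd 0.7.x); the default path and the sample text below are constructed."""
import configparser
from urllib.parse import urlparse

# Host the bug report identifies as the stale, unmaintained repository.
STALE_HOSTS = ("s3.amazonaws.com",)

# Constructed sample in the style of a 0.7.x fwupd.conf; values are illustrative.
SAMPLE_CONF = """\
[fwupd]
# Stale value of the kind the old package shipped (per the bug report)
DownloadURI=https://s3.amazonaws.com/lvfsbucket/downloads/firmware.xml.gz
[other]
DownloadURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
"""


def host_matches(host, stale):
    """True when host is the stale host itself or a subdomain of it
    (bucket-style names such as something.s3.amazonaws.com), but not when
    the stale name merely appears as a prefix of a longer domain."""
    host = host.lower().rstrip(".")
    return host == stale or host.endswith("." + stale)


def find_stale_uris(conf_text, keys=("DownloadURI",), stale_hosts=STALE_HOSTS):
    """Return a list of (section, key, uri, reason) for entries needing
    attention: 'stale host' for a retired repository host, 'not https' for
    any remaining URI that is not fetched over TLS."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: fwupd keys are CamelCase
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for key in keys:
            if key not in parser[section]:
                continue
            uri = parser[section][key].strip()
            parsed = urlparse(uri)
            host = parsed.hostname or ""
            if any(host_matches(host, s) for s in stale_hosts):
                findings.append((section, key, uri, "stale host"))
            elif parsed.scheme != "https":
                findings.append((section, key, uri, "not https"))
    return findings


def check_file(path="/etc/fwupd.conf"):
    """Run the check against an installed config (path is an assumption)."""
    with open(path) as f:
        return find_stale_uris(f.read())


if __name__ == "__main__":
    for sec, key, uri, why in find_stale_uris(SAMPLE_CONF):
        print(f"[{sec}] {key}={uri}: {why}")
```

Run it as-is to see the constructed sample flagged, or call check_file() on a Stretch box; a non-empty result means the package is still pointing at the retired bucket the report describes, regardless of whether the bucket is currently in safe hands.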

