[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#912414: fwupd: Impossible to refresh metadata from remote server

This is still not fixed.

fwupd 0.7.4-2 ships with a DownloadURI value (s3.amazonaws.com) that points to
an unmaintained and unsupported metadata repository. CVE-2020-10759 (#962517)
was made readily exploitable against Debian Stretch users due to this stale

Now that the S3 bucket is back in the safe hands of the LVFS/fwupd project,
CVE-2020-10759 is less exploitable against Debian Stretch. But the
functionality breakage remains, and users are needlessly running up the costs
of a deprecated S3 bucket.

Maintainer, can you please consider:

1. Backporting the fixes necessary to no longer use s3.amazonaws.com AND the
   fixes necessary to fix the functionality breakage (i.e. to have 0.7.4 accept
   the new metadata format); OR

2. Proposing an update so that Stretch uses the fwupd in Testing

If option 1 is taken, consider backporting the fix for CVE-2020-10759 at the
same time

The discussion on #961490 (A similar issue as it relates to Buster) might be


Reply to: