On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
> Hi Ben,
>
> I have prepared an update for CVE-2018-5383/firmware-nonfree by backporting the
> fixed firmware from the upstream repo that I could find. See my two commits in:
>
> https://salsa.debian.org/pochu/firmware-nonfree/commits/jessie-security
>
> I built the packages and compared one of the non-affected packages (qlogic) and
> only the changelog has changed. Comparing atheros, the two drivers are updated,
> and for intel some of the files are updated. However I see that for intel there
> are some drivers that we don't ship in that version of firmware-nonfree, e.g.
> ibt-{17,18}-*. For those, I wonder if we should update and ship them. If there's
> any user with that hardware, they would need a firmware update I suppose.

firmware-nonfree is meant to support the kernel version(s) shipped in
the same suite, in the previous release, or in intermediate versions.
So for jessie that's 3.2-4.9 inclusive. If one of those kernel
versions may request the added files then they should be packaged.
Otherwise it's not necessary - users installing a newer kernel package
from another suite can get the firmware packages from there too.

> (It
> may be unlikely for old suites to have users with new hardware, however it's
> possible and users that don't have it will be unaffected by the new firmware, so
> it wouldn't hurt to ship it.)
>
> My branch is for jessie but I can prepare it for stretch too if you think that's
> worth it.

The current jessie-security version of firmware-nonfree is really a
backport from stretch. So I would prefer it if you update the stretch
branch first and then merge that to jessie-security.

Ben.
--
Ben Hutchings
friends: People who know you well, but like you anyway.