Re: Firmware-nonfree update for buster?

[Ola Lundqvist <ola@inguza.com>]

Hi Moritz

I only briefly looked at the CVEs. I relied on that front-desk had considered that the package needs to be fixed.

This means that we need to fix both the kernel and the firmware-nonfree packages to fix the problems.

The question remains however, do you think these are important enough to warrant an update and do you plan to do that for stable?

Cheers

// Ola

On Mon, 17 May 2021 at 12:43, Moritz Muehlenhoff <jmm@inutil.org> wrote:

On Mon, May 17, 2021 at 11:54:05AM +0200, Ola Lundqvist wrote:
> Hi firmware-nonfree maintainers
>
> I have a question from an LTS perspective about the possible security
> updates we have for the firmware-nonfree package.
>
> You can find them here:
> https://security-tracker.debian.org/tracker/source-package/firmware-nonfree

Did you even look at the CVEs in question? CVE-2020-1236[2,3,4] need
a kernel patch to actually allow to use the new firmware and that patch
isn't present in 4.19 (and ofc also not in 4.9)

Cheers,
        Moritz

--

 --- Inguza Technology AB --- MSc in Information Technology ----

|  ola@inguza.com                    opal@debian.org            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

 ---------------------------------------------------------------