Your message dated Wed, 25 Aug 2021 14:38:04 +0200 with message-id <ysy5rmnwmfbx5...@photino.stro.at> and subject line Re: firmware-brcm80211: security updates for wifi FragAttacks has caused the Debian Bug report #991968, regarding firmware-brcm80211: security updates for wifi FragAttacks to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 991968: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991968 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: firmware-brcm80211 Version: 20210315-3 Severity: important Tags: security X-Debbugs-Cc: Debian Security Team <t...@security.debian.org> A whole bunch of wifi (protocol-level) security flaws were published here: https://www.fragattacks.com/ Cypress (AKA Infineon), who maintains some of the broadcom firmware blobs, published this in response: https://community.cypress.com/t5/Security-Bulletin/Potential-Fragmentation-Vulnerabilities-for-Wi-Fi-Devices/ba-p/276441 You can see from that that CVE-2020-24587, CVE-2020-24588, CVE-2020-26145, and CVE-2020-26146 DEFINITELY impact their wifi chipsets, while CVE-2020-26142 and CVE-2020-26144 MAY impact their devices. They have since released updated firmwares to mitigate those security issues. They appear to already be upstream: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/cypress https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/cypress?id=f97e316775237ca5d46a4bc0614a3073ebec5a9e Please provided updated packages for sid and bullseye, if possible (I understand that non-free doesn't necessarily get security updates). I don't know if they changed anything else, but I'm happy to test out a security update package on my Pi 4b (which uses the 43455-sdio blob) if it's helpful for a bullseye update.
--- End Message ---
--- Begin Message ---Version: 20210818-1 includes the fixes that went into 20210716 for cypress sec. Once this firmware sees more real world usage (testing && backports), it might be interesting to package it for bullseye update. thank you for the report. -- makssignature.asc
Description: PGP signature
--- End Message ---