Bug#962517: marked as done (CVE-2020-10759)
Your message dated Thu, 09 Jul 2020 19:17:31 + with message-id and subject line Bug#962517: fixed in fwupd 1.2.13-1 has caused the Debian Bug report #962517, regarding CVE-2020-10759 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
962517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962517
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: fwupd
Severity: grave
Tags: security

https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: fwupd
Source-Version: 1.2.13-1
Done: Mario Limonciello

We believe that the bug you reported is fixed in the latest version of fwupd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 962...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mario Limonciello (supplier of updated fwupd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Jul 2020 23:13:40 -0500
Source: fwupd
Architecture: source
Version: 1.2.13-1
Distribution: stable
Urgency: medium
Maintainer: Debian EFI
Changed-By: Mario Limonciello
Closes: 946623 961490 962517
Changes:
 fwupd (1.2.13-1) stable; urgency=medium
 .
   * Update to 1.2.13 stable release.
     - Fixes issues on stable release (Closes: #961490)
     - Fixes vendor id hard requirement (Closes: #946623)
     - Fixes CVE-2020-10759 (Closes: #962517)
   * Add patch to revert new libxmlb requirement to allow working with
     libxmlb available in Buster.
   * debian/* changes backported from testing:
     - Refresh symbols
     - Install fwupdoffline binary
     - Install fwupd shutdown systemd unit
     - Refresh dependencies for modem manager plugin
     - Update copyright for new contributors
     - Update watch file for correct upstream URL.
--- End Message ---
Bug#962517: marked as done (CVE-2020-10759)
Your message dated Thu, 09 Jul 2020 18:47:31 + with message-id and subject line Bug#962517: fixed in fwupd 0.8.3-1 has caused the Debian Bug report #962517, regarding CVE-2020-10759 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
962517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962517
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: fwupd
Severity: grave
Tags: security

https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: fwupd
Source-Version: 0.8.3-1
Done: Mario Limonciello

We believe that the bug you reported is fixed in the latest version of fwupd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 962...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mario Limonciello (supplier of updated fwupd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Jul 2020 23:15:59 -0500
Source: fwupd
Binary: libfwupd1 libdfu1 fwupd fwupd-doc libfwupd-dev gir1.2-fwupd-1.0 libdfu-dev
Architecture: source
Version: 0.8.3-1
Distribution: oldstable
Urgency: medium
Maintainer: Debian EFI
Changed-By: Mario Limonciello
Description:
 fwupd - Firmware update daemon
 fwupd-doc - Firmware update daemon documentation (HTML format)
 gir1.2-fwupd-1.0 - GObject introspection data for libfwupd
 libdfu-dev - development files for libdfu
 libdfu1 - Firmware update daemon library for DFU support
 libfwupd-dev - development files for libfwupd
 libfwupd1 - Firmware update daemon library
Closes: 961490 962517
Changes:
 fwupd (0.8.3-1) oldstable; urgency=medium
 .
   * Update to 0.8.3 point release
     - Upstream no longer supports the 0.7.x series
   * Drop existing patches all merged into 0.8.3 release.
   * Drop no longer used libebitdo1 and libebitdo-dev packages
   * Refresh symbols
   * Backport series of commits to allow better longevity on 0.8.x
     - Use a CNAME to redirect to the correct CDN for metadata
       (Closes: #961490)
     - Do not abort startup if the XML metadata file is invalid
     - Add the Linux Foundation public GPG keys for firmware and metadata
     - Raise the metadata limit to 10Mb
     - Validate that gpgme_op_verify_result() returned at least one
       signature (Closes: #962517)