Package: firmware-brcm80211
Version: 20210315-3
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

A whole bunch of wifi (protocol-level) security flaws were published here:

https://www.fragattacks.com/

Cypress (AKA Infineon), who maintains some of the broadcom firmware blobs, published this in response:

https://community.cypress.com/t5/Security-Bulletin/Potential-Fragmentation-Vulnerabilities-for-Wi-Fi-Devices/ba-p/276441

You can see from that that CVE-2020-24587, CVE-2020-24588, CVE-2020-26145, and CVE-2020-26146 DEFINITELY impact their wifi chipsets, while CVE-2020-26142 and CVE-2020-26144 MAY impact their devices.

They have since released updated firmwares to mitigate those security issues. They appear to already be upstream:

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/cypress
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/cypress?id=f97e316775237ca5d46a4bc0614a3073ebec5a9e

Please provide updated packages for sid and bullseye, if possible (I understand that non-free doesn't necessarily get security updates).

I don't know if they changed anything else, but I'm happy to test out a security update package on my Pi 4b (which uses the 43455-sdio blob) if it's helpful for a bullseye update.