Security update for fwupd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0522-1 Final 1 1 2021-04-08T22:41:57Z current 2021-04-08T22:41:57Z 2021-04-08T22:41:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for fwupd This update for fwupd fixes the following issues: - Update to version 1.2.14: (bsc#1182057) - Add SBAT section to EFI images (bsc#1182057) - CVE-2020-10759: Validate that gpgme_op_verify_result() returned at least one signature (bsc#1172643) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-522 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PR4WC2OGLKRFBB7HJ3YCZ6PTJUJK67B4/ E-Mail link for openSUSE-SU-2021:0522-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172643 SUSE Bug 1172643 https://bugzilla.suse.com/1182057 SUSE Bug 1182057 https://www.suse.com/security/cve/CVE-2020-10759/ SUSE CVE CVE-2020-10759 page openSUSE Leap 15.2 dfu-tool-1.2.14-lp152.3.9.1 fwupd-1.2.14-lp152.3.9.1 fwupd-devel-1.2.14-lp152.3.9.1 fwupd-lang-1.2.14-lp152.3.9.1 libfwupd2-1.2.14-lp152.3.9.1 typelib-1_0-Fwupd-2_0-1.2.14-lp152.3.9.1 dfu-tool-1.2.14-lp152.3.9.1 as a component of openSUSE Leap 15.2 fwupd-1.2.14-lp152.3.9.1 as a component of openSUSE Leap 15.2 fwupd-devel-1.2.14-lp152.3.9.1 as a component of openSUSE Leap 15.2 fwupd-lang-1.2.14-lp152.3.9.1 as a component of openSUSE Leap 15.2 libfwupd2-1.2.14-lp152.3.9.1 as a component of openSUSE Leap 15.2 typelib-1_0-Fwupd-2_0-1.2.14-lp152.3.9.1 as a component of openSUSE Leap 15.2 A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity. CVE-2020-10759 openSUSE Leap 15.2:dfu-tool-1.2.14-lp152.3.9.1 openSUSE Leap 15.2:fwupd-1.2.14-lp152.3.9.1 openSUSE Leap 15.2:fwupd-devel-1.2.14-lp152.3.9.1 openSUSE Leap 15.2:fwupd-lang-1.2.14-lp152.3.9.1 openSUSE Leap 15.2:libfwupd2-1.2.14-lp152.3.9.1 openSUSE Leap 15.2:typelib-1_0-Fwupd-2_0-1.2.14-lp152.3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PR4WC2OGLKRFBB7HJ3YCZ6PTJUJK67B4/ https://www.suse.com/security/cve/CVE-2020-10759.html CVE-2020-10759 https://bugzilla.suse.com/1172643 SUSE Bug 1172643