Security update for fwupd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1681-1 Final 1 1 2020-06-19T07:44:07Z current 2020-06-19T07:44:07Z 2020-06-19T07:44:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for fwupd This update for fwupd fixes the following issues: - CVE-2020-10759: Fixed a potential PGP signature bypass, which could have led to installation of unsigned firmware (bsc#1172643) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1681,SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1681 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201681-1/ Link for SUSE-SU-2020:1681-1 https://lists.suse.com/pipermail/sle-security-updates/2020-June/006982.html E-Mail link for SUSE-SU-2020:1681-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172643 SUSE Bug 1172643 https://www.suse.com/security/cve/CVE-2020-10759/ SUSE CVE CVE-2020-10759 page SUSE Linux Enterprise Module for Desktop Applications 15 SP1 dfu-tool-1.0.9-6.3.1 fwupd-1.0.9-6.3.1 fwupd-devel-1.0.9-6.3.1 fwupd-lang-1.0.9-6.3.1 libfwupd2-1.0.9-6.3.1 typelib-1_0-Fwupd-2_0-1.0.9-6.3.1 fwupd-1.0.9-6.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 fwupd-devel-1.0.9-6.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 fwupd-lang-1.0.9-6.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 libfwupd2-1.0.9-6.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 typelib-1_0-Fwupd-2_0-1.0.9-6.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity. CVE-2020-10759 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:fwupd-1.0.9-6.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:fwupd-devel-1.0.9-6.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:fwupd-lang-1.0.9-6.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libfwupd2-1.0.9-6.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:typelib-1_0-Fwupd-2_0-1.0.9-6.3.1 important 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201681-1/ https://www.suse.com/security/cve/CVE-2020-10759.html CVE-2020-10759 https://bugzilla.suse.com/1172643 SUSE Bug 1172643