fwupd too old to get and install releases for UEFI dbx
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fwupd (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Triaged | Undecided | Unassigned |
Jammy | Triaged | Undecided | Unassigned |
Lunar | Won't Fix | Undecided | Unassigned |
Mantic | Fix Released | Undecided | Unassigned |
Bug Description
This issue was found on Ubuntu 22.04 LTS jammy but affects all Ubuntu releases where fwupd < 1.9.1.
When the package fwupd is installed, there is fwupd.service. According to journalctl -u fwupd.service, it can't handle releases for the UEFI dbx "device":
FuEngine failed to get releases for UEFI dbx: No releases found: Not compatible with org.freedesktop
UEFI dbx is the UEFI Secure Boot Forbidden Signature Database.
Downloading the CAB from https:/
$ fwupdmgr install Downloads/
Decompressing… [******
Not compatible with org.freedesktop
So the machine is potentially stuck on an outdated version of UEFI dbx and vulnerable to CVE-2022-21894.
See also https:/
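A triage check for the condition this report describes, added here as an example and not part of the original report or of fwupd: it compares the installed fwupd version against the 1.9.1 threshold and counts the journal message quoted above. The function names, the sample version string and the sample journal line are constructed, and `sort -V` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the report): flag hosts whose fwupd predates 1.9.1
# and whose journal shows the UEFI dbx failure quoted in the report.
# Function names are hypothetical; GNU `sort -V` is assumed.

FIXED_VERSION="1.9.1"   # threshold stated in the report (fwupd < 1.9.1)

# Strip Debian epoch and revision: "1:2.3.4-1~22.04.1" -> "2.3.4".
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# True when version $1 is strictly older than $2. Version sort is needed
# because a plain string comparison would rank 1.10.0 below 1.9.1.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Count journal lines (stdin) carrying the failure message from the report.
count_dbx_failures() {
    grep -c 'failed to get releases for UEFI dbx' || true
}

# classify PACKAGE_VERSION FAILURE_COUNT -> one status word on stdout.
classify() {
    ver=$(upstream_version "$1")
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "not-affected-by-version"
    elif [ "$2" -gt 0 ]; then
        echo "affected-confirmed-in-journal"
    else
        echo "affected-by-version"
    fi
}

# Demo on constructed input (not captured from a real host).
sample_journal='fwupd[812]: FuEngine failed to get releases for UEFI dbx: No releases found'
classify "1.7.9-1~22.04.3" "$(printf '%s\n' "$sample_journal" | count_dbx_failures)"

# On a live Ubuntu host, feed it real data instead:
#   classify "$(dpkg-query -W -f='${Version}' fwupd)" \
#            "$(journalctl -u fwupd.service --no-pager | count_dbx_failures)"
```

A result of `affected-by-version` with no journal hits only means the message has not been logged in the retained journal; the version comparison alone is what the report's threshold is based on.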
CVE References
Changed in fwupd (Ubuntu Mantic): status: New → Fix Committed
Changed in fwupd (Ubuntu Lunar): status: New → Triaged
Changed in fwupd (Ubuntu Jammy): status: New → Triaged
Changed in fwupd (Ubuntu Focal): status: New → Triaged
Changed in fwupd (Ubuntu Mantic): status: Fix Committed → Fix Released
Is it possible to back-port this fix to Focal / Jammy? I understand we can manually carry a USB stick to the machine and get the updated BIOS firmware installed that way, but fwupdmgr is way more efficient :-D