CVE 2020-10759
A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or not enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.
Related bugs and status
CVE-2020-10759 (Candidate) is related to these bugs:
Bug #1858590: fwupdaa64.efi crashes on startup
Bug | Summary | In | Importance | Status
---|---|---|---|---
1858590 | fwupdaa64.efi crashes on startup | fwupd (Ubuntu) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd (Ubuntu Focal) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd (Ubuntu Bionic) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd (Ubuntu Eoan) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd-signed (Ubuntu) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd-signed (Ubuntu Bionic) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd-signed (Ubuntu Eoan) | Undecided | Fix Released
1858590 | fwupdaa64.efi crashes on startup | fwupd-signed (Ubuntu Focal) | Undecided | Fix Released
Bug #1883568: Update focal fwupd to 1.3.11 point release
Bug | Summary | In | Importance | Status
---|---|---|---|---
1883568 | Update focal fwupd to 1.3.11 point release | fwupd (Ubuntu) | Undecided | Fix Released
1883568 | Update focal fwupd to 1.3.11 point release | fwupd-signed (Ubuntu) | Undecided | Fix Released
1883568 | Update focal fwupd to 1.3.11 point release | OEM Priority Project | High | Fix Released
1883568 | Update focal fwupd to 1.3.11 point release | fwupd (Ubuntu Focal) | Undecided | Fix Released
1883568 | Update focal fwupd to 1.3.11 point release | fwupd-signed (Ubuntu Focal) | Undecided | Fix Released
Bug #1884003: [MIR] libjcat
Bug | Summary | In | Importance | Status
---|---|---|---|---
1884003 | [MIR] libjcat | libjcat (Ubuntu) | Undecided | Fix Released
Bug #1884788: Update bionic to the fwupd 1.2.14 release
Bug | Summary | In | Importance | Status
---|---|---|---|---
1884788 | Update bionic to the fwupd 1.2.14 release | fwupd (Ubuntu) | Medium | Fix Released
1884788 | Update bionic to the fwupd 1.2.14 release | fwupd (Ubuntu Bionic) | Medium | Fix Released
1884788 | Update bionic to the fwupd 1.2.14 release | fwupd-signed (Ubuntu) | Medium | Fix Released
1884788 | Update bionic to the fwupd 1.2.14 release | fwupd-signed (Ubuntu Bionic) | Medium | Fix Released
1884788 | Update bionic to the fwupd 1.2.14 release | fwupd (Ubuntu Eoan) | Medium | Won't Fix
1884788 | Update bionic to the fwupd 1.2.14 release | fwupd-signed (Ubuntu Eoan) | Medium | Won't Fix
1884788 | Update bionic to the fwupd 1.2.14 release | OEM Priority Project | Medium | Fix Released
Bug #1920724: Upgrade focal/libjcat to version 0.1.3-2 and MIR it
Bug | Summary | In | Importance | Status
---|---|---|---|---
1920724 | Upgrade focal/libjcat to version 0.1.3-2 and MIR it | OEM Priority Project | Critical | Fix Released
1920724 | Upgrade focal/libjcat to version 0.1.3-2 and MIR it | libjcat (Ubuntu) | Undecided | Fix Released
1920724 | Upgrade focal/libjcat to version 0.1.3-2 and MIR it | libjcat (Ubuntu Focal) | Undecided | Fix Released
Bug #1921539: Add support for SBAT
Bug | Summary | In | Importance | Status
---|---|---|---|---
1921539 | Add support for SBAT | fwupd (Ubuntu) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd (Ubuntu Groovy) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd (Ubuntu Focal) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd (Ubuntu Bionic) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd (Ubuntu Hirsute) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd-signed (Ubuntu) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd-signed (Ubuntu Bionic) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd-signed (Ubuntu Focal) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd-signed (Ubuntu Groovy) | Undecided | Fix Released
1921539 | Add support for SBAT | fwupd-signed (Ubuntu Hirsute) | Undecided | Fix Released
1921539 | Add support for SBAT | OEM Priority Project | High | Fix Released
Bug #1921544: [bionic] fwupd 1.2.x, 1.3.x, 1.4.x: vendor-id requirement on LVFS causes failures
See the CVE page on Mitre.org for more details.