An update for fwupd is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
Advisory ID: openEuler-SA-2022-1801
Status: Final
Version: 1.0
Revision history: 1.0, 2022-08-05, Initial
Initial release date: 2022-08-05
Current release date: 2022-08-05
Generator: openEuler SA Tool V1.0, 2022-08-05

Synopsis: fwupd security update

aims to make updating firmware on Linux automatic, safe and reliable.

Security Fix(es):

A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2020-10759)

openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: Medium
Affected component: fwupd

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1801
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-10759
https://nvd.nist.gov/vuln/detail/CVE-2020-10759

Products:
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS

Packages (aarch64):
fwupd-debuginfo-1.2.9-5.oe1.aarch64.rpm
fwupd-debugsource-1.2.9-5.oe1.aarch64.rpm
fwupd-devel-1.2.9-5.oe1.aarch64.rpm
fwupd-1.2.9-5.oe1.aarch64.rpm
fwupd-1.2.9-5.oe1.aarch64.rpm
fwupd-debugsource-1.2.9-5.oe1.aarch64.rpm
fwupd-debuginfo-1.2.9-5.oe1.aarch64.rpm
fwupd-devel-1.2.9-5.oe1.aarch64.rpm
fwupd-devel-1.2.9-5.oe2203.aarch64.rpm
fwupd-1.2.9-5.oe2203.aarch64.rpm
fwupd-debugsource-1.2.9-5.oe2203.aarch64.rpm
fwupd-debuginfo-1.2.9-5.oe2203.aarch64.rpm

Packages (noarch):
fwupd-help-1.2.9-5.oe1.noarch.rpm
fwupd-help-1.2.9-5.oe1.noarch.rpm
fwupd-help-1.2.9-5.oe2203.noarch.rpm

Packages (src):
fwupd-1.2.9-5.oe1.src.rpm
fwupd-1.2.9-5.oe1.src.rpm
fwupd-1.2.9-5.oe2203.src.rpm

Packages (x86_64):
fwupd-debugsource-1.2.9-5.oe1.x86_64.rpm
fwupd-debuginfo-1.2.9-5.oe1.x86_64.rpm
fwupd-1.2.9-5.oe1.x86_64.rpm
fwupd-devel-1.2.9-5.oe1.x86_64.rpm
fwupd-1.2.9-5.oe1.x86_64.rpm
fwupd-debuginfo-1.2.9-5.oe1.x86_64.rpm
fwupd-debugsource-1.2.9-5.oe1.x86_64.rpm
fwupd-devel-1.2.9-5.oe1.x86_64.rpm
fwupd-debugsource-1.2.9-5.oe2203.x86_64.rpm
fwupd-devel-1.2.9-5.oe2203.x86_64.rpm
fwupd-1.2.9-5.oe2203.x86_64.rpm
fwupd-debuginfo-1.2.9-5.oe2203.x86_64.rpm

Vulnerability description: A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.

Release date: 2022-08-05
CVE: CVE-2020-10759
Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
Threat: Medium
CVSS base score: 6.0
CVSS vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Remediation: fwupd security update, 2022-08-05
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1801