appstream-data-8-20200724.el8, fwupd-1.4.2-4.0.2.el8, gnome-software-3.36.1-4.el8, libxmlb-0.1.15-1.el8

エラータID: AXSA:2021-1476:01

Release date: 
Tuesday, February 16, 2021 - 05:53
Subject: 
appstream-data-8-20200724.el8, fwupd-1.4.2-4.0.2.el8, gnome-software-3.36.1-4.el8, libxmlb-0.1.15-1.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Low
Description: 

The gnome-software packages contain an application that makes it easy to add, remove, and update software in the GNOME desktop.

The appstream-data package provides the distribution specific AppStream metadata required for the GNOME and KDE software centers.

The fwupd packages provide a service that allows session software to update device firmware.

The following packages have been upgraded to a later upstream version: gnome-software (3.36.1), fwupd (1.4.2).

Security Fix(es):

* fwupd: Possible bypass in signature verification (CVE-2020-10759)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.3 Release Notes linked from the References section.

CVE-2020-10759
A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.

Solution: 

Update packages.

CVEs: 
CVE-2020-10759
A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.
Additional Info: 

N/A

Download: 

SRPMS
  1. appstream-data-8-20200724.el8.src.rpm
    MD5: 29954b56fc028d22afdd4376c1411cc3
    SHA-256: b73803f42d4f2f80a030c7c55df0777e1be4493742f55318323fb2afef21c777
    Size: 4.09 MB
  2. fwupd-1.4.2-4.0.2.el8.src.rpm
    MD5: 888af517136325dc2c2d94dc89b08b75
    SHA-256: 00176b115677f8b71a4d9f7ba6d19cc4e5b260b264b5abb73adfcfdee258164b
    Size: 1.72 MB
  3. gnome-software-3.36.1-4.el8.src.rpm
    MD5: 18eabcd7d03d8559f3f6e2bd59f29ccc
    SHA-256: e90a1386a6cd736d31d0ee1306a388c2c88ea42d10a8781d5d1ef7de15e24126
    Size: 7.94 MB
  4. libxmlb-0.1.15-1.el8.src.rpm
    MD5: 2c4b142433caaaf168a87f8d78d0fe4d
    SHA-256: 6509c9fc6b4e2a38089f37f5485ee533d343d7dac5e95dc6ed8e1ef3e8ece690
    Size: 81.17 kB

Asianux Server 8 for x86_64
  1. appstream-data-8-20200724.el8.noarch.rpm
    MD5: c105b1a519bb9fcccf963a38e3b50f18
    SHA-256: a8f18c5506ce49880338e7251658ebe72d1cd55dca8cff89ac7b56fa13e8ba2f
    Size: 4.11 MB
  2. fwupd-1.4.2-4.0.2.el8.x86_64.rpm
    MD5: da89c143a35c7f676cd41075f66a1a57
    SHA-256: 1305d26289ebe67f91a92e65b045bf04aee7120d85134c85db2c0f8eb2db9125
    Size: 2.87 MB
  3. gnome-software-3.36.1-4.el8.x86_64.rpm
    MD5: 62ad3d2fb073d40613f00d62d061fd28
    SHA-256: 7ebcbfa9524941473ef86526617eee160f588ec46d43eef9e8a9936782976656
    Size: 7.47 MB
  4. libxmlb-0.1.15-1.el8.x86_64.rpm
    MD5: 80be4f9b2ff137de690228afac2b546d
    SHA-256: e333995c1b11c10acd70fba916a82b792bcc4fe41a0b4e3ede32edc91737b9c6
    Size: 89.70 kB
  5. libxmlb-0.1.15-1.el8.i686.rpm
    MD5: e83b140275d58b6ac9e1072cc6766c91
    SHA-256: 1966bd2c77a4879d318407e7e43f31ac791400b64cbd4689dff13c76f2dceec9
    Size: 93.86 kB