Package: fwupd / 0.8.3-1
Metadata
Package | Version | Patches format |
---|---|---|
fwupd | 0.8.3-1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
0001 Use a CNAME to redirect to the correct CDN for metad.patch | data/fwupd.conf: 4 (2 + 2 - 0 !) | [patch 1/5] use a cname to redirect to the correct cdn for metadata |
0002 Do not abort startup if the XML metadata file is inv.patch | src/fu-main.c: 2 (1 + 1 - 0 !) | [patch 2/5] do not abort startup if the xml metadata file is invalid |
0003 Add the Linux Foundation public GPG keys for firmwar.patch | data/pki/GPG-KEY-Linux-Foundation-Firmware: 37 (37 + 0 - 0 !) | [patch 3/5] add the linux foundation public gpg keys for firmware and metadata. In the future the Linux Foundation will be running the LVFS server. To make this possible, include the Linux Foundation public keys by default as we already trust them. Obviously the keys need to be available long before vendors move, so nobody should get too worried at this point. |
0004 Raise the metadata limit to 10Mb.patch | src/fu-main.c: 4 (2 + 2 - 0 !) | [patch 4/5] raise the metadata limit to 10mb. It's taken 3 years to get from 20kB to 1Mb, and so it'll take longer than Ubuntu 16.04 is supported to grow an order of magnitude bigger. Plus, if we have 10Mb of XML we probably need to rethink the metadata format a bit... |
0005 Validate that gpgme_op_verify_result returned at lea.patch | src/fu-keyring.c: 7 (7 + 0 - 0 !) | [patch 5/5] validate that gpgme_op_verify_result() returned at least one signature. If a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list. Explicitly check for no signatures present to avoid returning success in this case. Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and coordinated disclosure of this issue. Fixes CVE-2020-10759 |