—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: gnome-software and fwupd security, bug fix, and enhancement update
Advisory ID: RHSA-2020:4436-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4436
Issue date: 2020-11-03
CVE Names: CVE-2020-10759
=====================================================================
1. Summary:
An update for appstream-data, fwupd, gnome-software, and libxmlb is now
available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) – aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) – aarch64, ppc64le, s390x, x86_64
3. Description:
The gnome-software packages contain an application that makes it easy to
add, remove, and update software in the GNOME desktop.
The appstream-data package provides the distribution specific AppStream
metadata required for the GNOME and KDE software centers.
The fwupd packages provide a service that allows session software to update
device firmware.
The following packages have been upgraded to a later upstream version:
gnome-software (3.36.1), fwupd (1.4.2).
Security Fix(es):
* fwupd: Possible bypass in signature verification (CVE-2020-10759)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1797932 – Rebase gnome-software to 3.36
1815502 – gnome-software support for auth webflow in flatpak remotes
1839774 – missing section for gnome-shell extensions
1844316 – CVE-2020-10759 fwupd: Possible bypass in signature verification
1844488 – request for appstream-data refresh in 8.3
1845714 – Show Details not working for e.g. Firefox installed from rpm
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
appstream-data-8-20200724.el8.src.rpm
gnome-software-3.36.1-4.el8.src.rpm
aarch64:
gnome-software-3.36.1-4.el8.aarch64.rpm
gnome-software-debuginfo-3.36.1-4.el8.aarch64.rpm
gnome-software-debugsource-3.36.1-4.el8.aarch64.rpm
noarch:
appstream-data-8-20200724.el8.noarch.rpm
ppc64le:
gnome-software-3.36.1-4.el8.ppc64le.rpm
gnome-software-debuginfo-3.36.1-4.el8.ppc64le.rpm
gnome-software-debugsource-3.36.1-4.el8.ppc64le.rpm
s390x:
gnome-software-3.36.1-4.el8.s390x.rpm
gnome-software-debuginfo-3.36.1-4.el8.s390x.rpm
gnome-software-debugsource-3.36.1-4.el8.s390x.rpm
x86_64:
gnome-software-3.36.1-4.el8.x86_64.rpm
gnome-software-debuginfo-3.36.1-4.el8.x86_64.rpm
gnome-software-debugsource-3.36.1-4.el8.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
fwupd-1.4.2-4.el8.src.rpm
libxmlb-0.1.15-1.el8.src.rpm
aarch64:
fwupd-1.4.2-4.el8.aarch64.rpm
fwupd-debuginfo-1.4.2-4.el8.aarch64.rpm
fwupd-debugsource-1.4.2-4.el8.aarch64.rpm
libxmlb-0.1.15-1.el8.aarch64.rpm
libxmlb-debuginfo-0.1.15-1.el8.aarch64.rpm
libxmlb-debugsource-0.1.15-1.el8.aarch64.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.aarch64.rpm
ppc64le:
fwupd-1.4.2-4.el8.ppc64le.rpm
fwupd-debuginfo-1.4.2-4.el8.ppc64le.rpm
fwupd-debugsource-1.4.2-4.el8.ppc64le.rpm
libxmlb-0.1.15-1.el8.ppc64le.rpm
libxmlb-debuginfo-0.1.15-1.el8.ppc64le.rpm
libxmlb-debugsource-0.1.15-1.el8.ppc64le.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.ppc64le.rpm
s390x:
fwupd-1.4.2-4.el8.s390x.rpm
fwupd-debuginfo-1.4.2-4.el8.s390x.rpm
fwupd-debugsource-1.4.2-4.el8.s390x.rpm
libxmlb-0.1.15-1.el8.s390x.rpm
libxmlb-debuginfo-0.1.15-1.el8.s390x.rpm
libxmlb-debugsource-0.1.15-1.el8.s390x.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.s390x.rpm
x86_64:
fwupd-1.4.2-4.el8.x86_64.rpm
fwupd-debuginfo-1.4.2-4.el8.x86_64.rpm
fwupd-debugsource-1.4.2-4.el8.x86_64.rpm
libxmlb-0.1.15-1.el8.i686.rpm
libxmlb-0.1.15-1.el8.x86_64.rpm
libxmlb-debuginfo-0.1.15-1.el8.i686.rpm
libxmlb-debuginfo-0.1.15-1.el8.x86_64.rpm
libxmlb-debugsource-0.1.15-1.el8.i686.rpm
libxmlb-debugsource-0.1.15-1.el8.x86_64.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.i686.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-10759
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBX6IwzdzjgjWX9erEAQiEkw/9EHxBFnwx6//BhQJrkHPtgRWkqyEjuvQM
YFk8fcmGTuEMMEYPKYUE/xs6jQtXf7WZIjPgLlP3qJuTwAKlICINxSWVORvv57d/
TGNH4pGMAZoluAwnh0NINam386q3208n7ThT88SeAqg2P8FWNeqzVcQpYOo9vTk0
0tnHrN5cI1vYOOMiMxRHMoFz8tMSGArNjsvtfnG/lpJE2IGsqz+jVJscGk8/Nh40
nH377NLdZ4c4vLKWyVNO6IiSwVEng1VBWU2vHV4v7oF+2tpB8dQymdE/YixSe5Bm
RAZRgNN86OSO8JXHbGHU4irZFoMWJ3TPtWPueVxxorq1zAxLiKmea9MJMnwhk/gx
P9azqKkDaWlJb3ThIajTyjYMntsMUzkFmeh0VPMj25+2+jyPumc9a2MTfI3xGIwl
ccUNtbOtsu+hNb+BbCptnUm28jOtn9chX9e4sEr+Ybu/27JL19xdlo9k1yu+08AL
f9J4t24MyoqsqgqkGgzsgop2cIiySFErdkKlWSdBr3Imhg11odZZktKFAiO7gyzm
RdsOMzWd2meVPZ7OWsHJqYRxsRCqQiY4TURSAI4S77y9eAGCO4DEM2OMWFwiEJ8i
6Xv2mFbsy8ir/gLri0hOLolKQB+qmccqRsqlTuaHAkzBJL2wBEnoQpwHpWhNeCrf
Gg+qW27WkWk=
=FWNx
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
