-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: fwupd security and bug fix update Advisory ID: RHSA-2023:2487-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2487 Issue date: 2023-05-09 CVE Names: CVE-2022-3287 CVE-2022-34301 CVE-2022-34302 CVE-2022-34303 ==================================================================== 1. Summary: An update for fwupd is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, x86_64 Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux CRB (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: The fwupd packages provide a service that allows session software to update device firmware. Security Fix(es): * fwupd: world readable password in /etc/fwupd/redfish.conf (CVE-2022-3287) * shim: 3rd party shim allow secure boot bypass (CVE-2022-34301) * shim: 3rd party shim allow secure boot bypass (CVE-2022-34302) * shim: 3rd party shim allow secure boot bypass (CVE-2022-34303) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2119436 - EFI partition configured as FAT16 instead of 32 2120687 - CVE-2022-34302 shim: 3rd party shim allow secure boot bypass 2120699 - CVE-2022-34301 shim: 3rd party shim allow secure boot bypass 2120701 - CVE-2022-34303 shim: 3rd party shim allow secure boot bypass 2128384 - fwupd fails to apply Secure Boot dbx update on systems 2129280 - CVE-2022-3287 fwupd: world readable password in /etc/fwupd/redfish.conf [rhel-9.2.0] 2129904 - CVE-2022-3287 fwupd: world readable password in /etc/fwupd/redfish.conf 2165096 - Rebase fwupd to pick up all the ESP fixes 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): aarch64: fwupd-debuginfo-1.8.10-2.el9.aarch64.rpm fwupd-debugsource-1.8.10-2.el9.aarch64.rpm fwupd-plugin-flashrom-1.8.10-2.el9.aarch64.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.aarch64.rpm fwupd-tests-debuginfo-1.8.10-2.el9.aarch64.rpm ppc64le: fwupd-debuginfo-1.8.10-2.el9.ppc64le.rpm fwupd-debugsource-1.8.10-2.el9.ppc64le.rpm fwupd-plugin-flashrom-1.8.10-2.el9.ppc64le.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.ppc64le.rpm x86_64: fwupd-debuginfo-1.8.10-2.el9.x86_64.rpm fwupd-debugsource-1.8.10-2.el9.x86_64.rpm fwupd-plugin-flashrom-1.8.10-2.el9.x86_64.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.x86_64.rpm fwupd-tests-debuginfo-1.8.10-2.el9.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 9): Source: fwupd-1.8.10-2.el9.src.rpm aarch64: fwupd-1.8.10-2.el9.aarch64.rpm fwupd-debuginfo-1.8.10-2.el9.aarch64.rpm fwupd-debugsource-1.8.10-2.el9.aarch64.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.aarch64.rpm fwupd-tests-debuginfo-1.8.10-2.el9.aarch64.rpm ppc64le: fwupd-1.8.10-2.el9.ppc64le.rpm fwupd-debuginfo-1.8.10-2.el9.ppc64le.rpm fwupd-debugsource-1.8.10-2.el9.ppc64le.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.ppc64le.rpm s390x: fwupd-1.8.10-2.el9.s390x.rpm fwupd-debuginfo-1.8.10-2.el9.s390x.rpm fwupd-debugsource-1.8.10-2.el9.s390x.rpm fwupd-tests-debuginfo-1.8.10-2.el9.s390x.rpm x86_64: fwupd-1.8.10-2.el9.x86_64.rpm fwupd-debuginfo-1.8.10-2.el9.x86_64.rpm fwupd-debugsource-1.8.10-2.el9.x86_64.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.x86_64.rpm fwupd-tests-debuginfo-1.8.10-2.el9.x86_64.rpm Red Hat Enterprise Linux CRB (v. 9): aarch64: fwupd-debuginfo-1.8.10-2.el9.aarch64.rpm fwupd-debugsource-1.8.10-2.el9.aarch64.rpm fwupd-devel-1.8.10-2.el9.aarch64.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.aarch64.rpm fwupd-tests-debuginfo-1.8.10-2.el9.aarch64.rpm ppc64le: fwupd-debuginfo-1.8.10-2.el9.ppc64le.rpm fwupd-debugsource-1.8.10-2.el9.ppc64le.rpm fwupd-devel-1.8.10-2.el9.ppc64le.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.ppc64le.rpm s390x: fwupd-debuginfo-1.8.10-2.el9.s390x.rpm fwupd-debugsource-1.8.10-2.el9.s390x.rpm fwupd-devel-1.8.10-2.el9.s390x.rpm fwupd-tests-debuginfo-1.8.10-2.el9.s390x.rpm x86_64: fwupd-debuginfo-1.8.10-2.el9.x86_64.rpm fwupd-debugsource-1.8.10-2.el9.x86_64.rpm fwupd-devel-1.8.10-2.el9.x86_64.rpm fwupd-plugin-flashrom-debuginfo-1.8.10-2.el9.x86_64.rpm fwupd-tests-debuginfo-1.8.10-2.el9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-3287 https://access.redhat.com/security/cve/CVE-2022-34301 https://access.redhat.com/security/cve/CVE-2022-34302 https://access.redhat.com/security/cve/CVE-2022-34303 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFo0dNzjgjWX9erEAQh8EQ/+JbcPzDaBebMgTxNRQCsD/7c1RbQDoeXd zA9quSGHHcgjp8W97VVPB1CpQsoR9SntK6vjU8KQPXVh3wNlyZ0DcU5jKOmgjYu6 YaVN8rBQght4NyMnnhO1pT9Fi6uVGeV6w7ctQmRMRnaUI/Y87HTEc7m9OtliLfLA 3FvHqOOMz4j3ZbXzg+8kuxQQgQk1SSniL1iHAKNoQrkwWcLZFEnW3aQv0rVTpM2M GJ+3hoSwp0YsJSQfFT6GdMFc8lgBzIXBAkyzOSAWTnf0Ncu//mAYiAQPqqwqdtWb znx3uk0M/+OSOgv5ehZWqjpuB0Eifp2Yt/MbAfH5t3I4O4vmMf8TcPihSAPt6IHj D/+eSqD5EXK5Z0JTkAQhepaE45bZU6dWkOgFyPYiLQZQg+mua0lr7NL9fVQ1Om1l +9Pq4gh0274ry7hvenAl3HJ5s2VScfXMpSwrEvFAsDD1sWin5NjsbL/Ol1YNVMKs x3MBrOssEBOnb5shFkJCAbrL8sh8jpMF7r11K8VWDPzL2fpdwppgc3roCvy53YX0 3Xnp5s3Y1hx1uyDl8DmDX51pPNMRZr1SMwjOT4z5penvP8mqkX53AvigzJHv8rEx +VX2h9MK/MXknp9Imx4b7/iKtDDpUY+J8RfPfY/+1jwNpSuFR037rOk6Rt1QH2wG zJLSv/Ta7aY±nW -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce