[Bug 1920724] Re: Upgrade focal/libjcat to version 0.1.3-2 and MIR it

[Yuan-Chen Cheng]

background:
- the CVE involved seems to be an low impact one [1]
- we never use fwupd + jcat 0.1.0-2 in any ubuntu release. given there
  are some other changes between 0.1.0 and 0.1.3, it's harder for us
  to tell if testing coverage is good enough or not given we didn't involve
  those signing designs and processes in lvfs.

[1] https://www.cvedetails.com/cve-details.php?cve_id=CVE-2020-10759

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10759

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libjcat in Ubuntu.
https://bugs.launchpad.net/bugs/1920724

Title:
  Upgrade focal/libjcat to version 0.1.3-2 and MIR it

Status in OEM Priority Project:
  In Progress
Status in libjcat package in Ubuntu:
  Fix Released
Status in libjcat source package in Focal:
  New

Bug description:
  [Impact]
  Needed for fwupd 1.5.11

  [Test plan]
  It has a test suite and fwupd uses it, so testing fwupd tests it to some extend

  [Where problems could occur]
  fwupd could break on regressions. Then again, this is a straight backport and it's fairly small.

  [Original report]

  per lp:1920723, we need to upgrade focal/lib cat to version 0.1.3-2
  (as in groovy/hirsute/impish) from version 0.1.0-2.

  libjcat in focal is in universe, we need to MIR it.

  ppa for upgrade libjcat in focal: https://launchpad.net/~ycheng-
  twn/+archive/ubuntu/fwupd1511

  [Availability]
  yes, it's in ubuntu universe.

  [Rationale]
  Given lp:1920723, we need to MIR it in focal.

  [Quality assurance]
  [Security]
  [Standards compliance]
  [Maintenance]

  Given it's in main in hirsute / groovy already, it's fine.

  [Dependencies]

  Per check, the dependency in groovy is exactly the same as in focal.

  [Background information]

  See details in lp:1934209

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1920724/+subscriptions