[Bug 2028548] Re: fwupd too old to get and install releases for UEFI dbx
Mario Limonciello
2028548 at bugs.launchpad.net
Wed Oct 4 02:13:58 UTC 2023
** Changed in: fwupd (Ubuntu Mantic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2028548
Title:
fwupd too old to get and install releases for UEFI dbx
Status in fwupd package in Ubuntu:
Fix Released
Status in fwupd source package in Focal:
Triaged
Status in fwupd source package in Jammy:
Triaged
Status in fwupd source package in Lunar:
Triaged
Status in fwupd source package in Mantic:
Fix Released
Bug description:
This issue was found on Ubuntu 22.04 LTS jammy but affects all Ubuntu
releases where fwupd < 1.9.1.
When the package fwupd is installed, there is fwupd.service. According
to journalctl -u fwupd.service, it can't handle releases for the UEFI
dbx "device":
    FuEngine failed to get releases for UEFI dbx: No releases found: Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1
UEFI dbx is the UEFI Secure Boot Forbidden Signature Database.
Downloading the CAB from
https://fwupd.org/lvfs/devices/org.linuxfoundation.dbx.x64.firmware
and trying to install it with the following command doesn't work
either.
    $ fwupdmgr install Downloads/fc3feb015df2710fcfa07583d31b5975ee398357016699cfff067f422ab91e13-DBXUpdate-20230509-x64.cab
    Decompressing… [***************************************]
    Not compatible with org.freedesktop.fwupd version 1.7.9, requires >= 1.9.1
So the machine is potentially stuck on an outdated version of UEFI dbx
and vulnerable to CVE-2022-21894.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033936