Per a check of the history of fwupd 1.3.x in focal, we do have a change history that includes CVE-2020-10759. The logic in the CVE has been moved to jcat after fwupd 1.4.x. Given that, it seems reasonable either to SRU jcat 0.1.3 with the patch for the CVE, or to include the patch in jcat 0.1.0 in focal.

Ref: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
Ref: https://github.com/hughsie/libjcat/commit/839b89f

Changelog in focal/fwupd 1.3.x:

fwupd (1.3.9-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-10759.patch: validate that
      gpgme_op_verify_result() returned at least one signature in
      src/fu-keyring-gpg.c.
    - CVE-2020-10759

 -- Leonidas S. Barbosa <leo.barb...@canonical.com>  Tue, 09 Jun 2020 10:53:33 -0300

-- 
https://bugs.launchpad.net/bugs/1920724

Title:
  Upgrade focal/libjcat to version 0.1.3-2 and MIR it
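
Added example, not part of the original message and not fwupd or libjcat code: the check named in the changelog entry ("validate that gpgme_op_verify_result() returned at least one signature"), shown beside the pattern it hardens. The struct types and function names are stand-ins assumed for illustration so the block builds without libgpgme; they model only the signature list that a verify result carries.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in types (assumption): a minimal model of the linked list of
 * signatures that a verify result exposes. Not the libgpgme definitions. */
struct sig {
    struct sig *next;
    bool valid;               /* models the per-signature checks passing */
};
struct verify_result {
    struct sig *signatures;   /* NULL when no signature was found */
};

/* Pattern without the fix: every signature that is present must be valid,
 * but an empty list skips the loop and falls through to success. */
bool verify_without_count_check(const struct verify_result *res)
{
    for (const struct sig *s = res->signatures; s != NULL; s = s->next) {
        if (!s->valid)
            return false;
    }
    return true;
}

/* Pattern with the fix: reject a missing result or an empty signature
 * list before looking at the individual signatures. */
bool verify_with_count_check(const struct verify_result *res)
{
    if (res == NULL || res->signatures == NULL)
        return false;
    return verify_without_count_check(res);
}

/* Constructed sample results: no signature, one valid, one invalid. */
static struct sig good_sig = { NULL, true };
static struct sig bad_sig  = { NULL, false };
struct verify_result sample_empty(void) { return (struct verify_result){ NULL }; }
struct verify_result sample_good(void)  { return (struct verify_result){ &good_sig }; }
struct verify_result sample_bad(void)   { return (struct verify_result){ &bad_sig }; }

int main(void)
{
    struct verify_result e = sample_empty(), g = sample_good();
    /* Exit 0 only if the empty result is rejected and the good one accepted. */
    return (!verify_with_count_check(&e) && verify_with_count_check(&g)) ? 0 : 1;
}
```

Whichever of the two packaging options is taken, a regression test for the focal package can assert the same thing: a verify result with zero signatures must fail.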