Bug 2129280

Summary: CVE-2022-3287 fwupd: world readable password in /etc/fwupd/redfish.conf [rhel-9.2.0]
Product: Red Hat Enterprise Linux 9
Reporter: Richard Hughes <rhughes>
Component: fwupd
Assignee: Richard Hughes <rhughes>
Status: CLOSED ERRATA
QA Contact: Oliver Gutiérrez <ogutierr>
Severity: medium
Docs Contact:
Priority: medium
Version: CentOS Stream
CC: bstinson, jwboyer, ogutierr, pjanda, sbarcomb
Target Milestone: rc
Keywords: Security, SecurityTracking, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: fwupd-1.7.10-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 08:18:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version: 1.7.10
Embargoed:
Bug Depends On:
Bug Blocks: 2129904

Description Richard Hughes 2022-09-23 08:04:59 UTC
Description of problem:

fwupd is not at the latest version.

Version-Release number of selected component (if applicable):

fwupd-1.4.9 needs to be 1.4.10

Additional info:

This fixes one customer issue and also fixes the recent security issue with the redfish config file. Rebasing would be much easier than cherry picking the patches and also it fixes some other important-to-fix issues:

 * Always check the BDP partitions when getting all the possible ESPs
 * Correctly detect CET IBT
 * Do not show HSI events where we changed the spec result value
 * Fix aligning up addresses greater than 4GB
 * Fix applying the latest DBX update on machines with 20200729.x64 installed
 * Fix checking for invalid depth requirements
 * Fix getting the new version number of the USI docking hardware
 * Fix HSI prefix for invalid chassis
 * Never save the Redfish auto-generated password to a user-readable file
 * Only create users using IPMI when we've tested the hardware
 * Only fail the kernel tainted HSI test for specific taint reasons
 * Only show changed events in the fwupdmgr security output
 * Recognize CSME version 16 and update vulnerable versions from CSMEVDT data
 * Write all the CCGX metadata block as intended

Comment 1 Mauro Matteo Cascella 2022-09-28 12:48:53 UTC
*** Bug 2128810 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2023-05-09 08:18:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: fwupd security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2487