[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c2f75e84-6c8d-f4f0-bcc6-5fb2b662de33@redhat.com>
Date: Wed, 4 Mar 2020 12:45:54 +0100
From: Hans de Goede <hdegoede@...hat.com>
To: Chi-Hsien Lin <chi-hsien.lin@...ress.com>,
Chirjeev Singh <Chirjeev.Singh@...ress.com>,
Chung-Hsien Hsu <cnhu@...ress.com>
Cc: linux-firmware@...nel.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: Updating cypress/brcm firmware in linux-firmware for
CVE-2019-15126
Hi,
On 2/26/20 11:16 PM, Hans de Goede wrote:
> Hello Cypress people,
>
> Can we please get updated firmware for
> brcm/brcmfmac4356-pcie.bin and brcm/brcmfmac4356-sdio.bin
> fixing CVE-2019-15126 as well as for any other affected
> models (the 4356 is explicitly named in the CVE description) ?
>
> The current Cypress firmware files in linux-firmware are
> quite old, e.g. for brcm/brcmfmac4356-pcie.bin linux-firmware has:
> version 7.35.180.176 dated 2017-10-23, way before the CVE
>
> Where as https://community.cypress.com/docs/DOC-19000 /
> cypress-fmac-v4.14.77-2020_0115.zip has:
> version 7.35.180.197 which presumably contains a fix (no changelog)
Ping?
The very old age of the firmware files in linux-firmware is really
UNACCEPTABLE and very irresponsible from a security POV. Please
fix this very soon.
If you do not reply to this email I see no choice but to switch
the firmwares in linux-firmware over to the ones from the SDK which
you do regularly update, e.g. those from:
https://community.cypress.com/docs/DOC-19000
Yes those are under an older, slightly different version of the Cypress
license, which is less then ideal, but that license is still acceptable
for linux-firmware (*) and since you are not providing any updates to
the special builds you have been doing for linux-firmware you are
really leaving us no option other then switching to the SDK version
of the firmwares.
Regards,
Hans
*) We have distributed files under the old version of the license before
Powered by blists - more mailing lists