lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 4 Mar 2020 12:45:54 +0100
From:   Hans de Goede <hdegoede@...hat.com>
To:     Chi-Hsien Lin <chi-hsien.lin@...ress.com>,
        Chirjeev Singh <Chirjeev.Singh@...ress.com>,
        Chung-Hsien Hsu <cnhu@...ress.com>
Cc:     linux-firmware@...nel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: Updating cypress/brcm firmware in linux-firmware for
 CVE-2019-15126

Hi,

On 2/26/20 11:16 PM, Hans de Goede wrote:
> Hello Cypress people,
> 
> Can we please get updated firmware for
> brcm/brcmfmac4356-pcie.bin and brcm/brcmfmac4356-sdio.bin
> fixing CVE-2019-15126 as well as for any other affected
> models (the 4356 is explicitly named in the CVE description) ?
> 
> The current Cypress firmware files in linux-firmware are
> quite old, e.g. for brcm/brcmfmac4356-pcie.bin linux-firmware has:
> version 7.35.180.176 dated 2017-10-23, way before the CVE
> 
> Where as https://community.cypress.com/docs/DOC-19000 /
> cypress-fmac-v4.14.77-2020_0115.zip has:
> version 7.35.180.197 which presumably contains a fix (no changelog)

Ping?

The very old age of the firmware files in linux-firmware is really
UNACCEPTABLE and very irresponsible from a security POV. Please
fix this very soon.

If you do not reply to this email I see no choice but to switch
the firmwares in linux-firmware over to the ones from the SDK which
you do regularly update, e.g. those from:
https://community.cypress.com/docs/DOC-19000

Yes those are under an older, slightly different version of the Cypress
license, which is less then ideal, but that license is still acceptable
for linux-firmware (*) and since you are not providing any updates to
the special builds you have been doing for linux-firmware you are
really leaving us no option other then switching to the SDK version
of the firmwares.

Regards,

Hans

*) We have distributed files under the old version of the license before

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ