RPi update to patch BIAS (CVE-2020-10135)

Hello,

the Pi-Foundation released an update for bluez-firmware to defeat the BIAS (CVE-2020-10135) vulnerability.

Could you please include this in Manjaro?

About the Vulnerability:


Summary:

Bluez firmware repo (43438 and 43455 are patched):

We don't use that package.

We use the firmware provided by the upstream linux-firmware package.

Do you expect that the patch will be applied in the near future?
I thought this is maybe only vendor specific / proprietary.

I know a new linux-firmware package has just been released, so maybe they are already working on it.

@Strit is correct in that we do not use that package; we use firmware-raspberrypi, as does arch-arm. I looked into this and discovered that arch-arm's and our PKGBUILDs have not been updated in over a year. There have been 2 Bluetooth firmware-related updates done 12 days ago (BCM43430A1.hcd and BCM4345C0.hcd) in the RPi git. I have modified our PKGBUILD so it would pull in those files from the RPi git and pushed a new package to unstable, so it will be there when the mirrors sync. Other than those 2 files, the others should be up to date.

New package has a .2 extension on the end:

firmware-raspberrypi-6-1.2

This has me confused. Your OP is all about a Bluetooth issue, but these 2 files (43438 and 43455 are patched) are for wifi chips, and the link you posted above is for the Bluetooth git, and these files do not seem to be there. Is there another separate issue with wifi?

Many thanks for your help and work.

Sorry, maybe I misunderstood a posting from a Raspberry Pi engineer. But it's only a Bluetooth issue:

Wait for the mirrors to sync; I posted a more current firmware-raspberrypi package with a .3 extension. One of the files in the package is now in linux-firmware.

firmware-raspberrypi-6-1.3

Thanks again... I've activated unstable and started an upgrade. All right!

This topic was automatically closed after 90 days. New replies are no longer allowed.
