This is still not fixed. fwupd 0.7.4-2 ships with a DownloadURI value (s3.amazonaws.com) that points to an unmaintained and unsupported metadata repository. CVE-2020-10759 (#962517) was made readily exploitable against Debian Stretch users due to this stale value.
Now that the S3 bucket is back in the safe hands of the LVFS/fwupd project, CVE-2020-10759 is less exploitable against Debian Stretch. But the functionality breakage remains, and users are needlessly running up the costs of a deprecated S3 bucket. Maintainer, can you please consider: 1. Backporting the fixes necessary to no longer use s3.amazonaws.com AND the fixes necessary to fix the functionality breakage (i.e. to have 0.7.4 accept the new metadata format); OR 2. Proposing an update so that Stretch uses the fwupd in Testing If option 1 is taken, consider backporting the fix for CVE-2020-10759 at the same time The discussion on #961490 (A similar issue as it relates to Buster) might be relevant. -- Justin
