SUSE-RU-2026:21408-1: moderate: Recommended update for fwupd
SLE-UPDATES
null at suse.de
Thu Apr 30 20:30:43 UTC 2026
# Recommended update for fwupd
Announcement ID: SUSE-RU-2026:21408-1
Release Date: 2026-04-27T22:05:47Z
Rating: moderate
References:
* bsc#1253138
* bsc#1256507
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that has two fixes can now be installed.
## Description:
This update for fwupd fixes the following issues:
Changes in fwupd:
* Update to version 2.0.20:
* This release adds the following features:
* Add support for changing AMD UMA carveout size
* Warn the user if they are using the blocked-firmware functionality
* This release fixes the following bugs:
* Disable the UEFI plugins on 32bit x86
* Do not hang when parsing an invalid USB descriptor
* Do not return an error if the fastboot property is not provided
* Fix a CCGX DMC regression when installing on the HP G5 dock
* Fix a harmless heap OOB read in AMD kria SOM EEPROM parser
* Fix a potential fastboot string over-read
* Fix a regression causing MBIM QDU updates to fail
* Honor polkit auth for emulation tag modify device
* Speed up calculating the cab checksum by ~21%
* Verify the uncompressed size when decompressing CAB files
* This release adds support for the following hardware:
* HP Engage One G2 Advanced Hub
* PixArt PJP274 (Framework Laptop)
* Several new Jabra GNP devices
* Allow fwupd.service to interact with cdrom (boo#1256507)
* Actually build and install manpages:
* These were originally removed because including them would have required pulling a nasty set of ghc/pandocs build dependencies directly into Ring 1
* fwupd upstream quickly reverted this change in 1.8.13, but the conditional to block building/installing the manpages by default was never removed from the specfile
* This restores the fwupd manpages, which have been sorely missing in openSUSE for a couple years
* Update to version 2.0.19:
* This release adds the following features:
* Add two commands to fwupdtool to calculate and find CRCs
* Allow systems to use the udev event source without using systemd
* This release fixes the following bugs:
* Always show the correct new firmware version in 'fwupdmgr get-history'
* Fix an integer underflow when parsing a malicious PE file
* Fix a regression when enumerating the dell-dock status component
* Fix the fuzzer timeout when parsing a synaptics-rmi SBL container
* Fix updating the Intel GPU FWDATA section
* Respect 'fwupdmgr --force' when installing firmware
* This release adds support for the following hardware:
* Lenovo Sapphire Folio Keyboard
* Update to version 2.0.18:
* This release adds the following features:
* Add a MOTD message for devices needing reboot after staged updates
* Create the reboot-required file when a firmware update requires reboot
* Record the system state for each composite emulation
* Update USI docking station firmware without requiring a manual replug
* This release fixes the following bugs:
* Add a MTD device problem if the Intel SPI BIOS lock is set
* Allow changing the child name when using PARENT_NAME_PREFIX
* Allow UpdateCapsule to work on systems that do not support SecureBoot
* Correctly parse the EFI_CAPSULE_RESULT_VARIABLE_HEADER
* Fall back to the SMBIOS version for BIOS MTD devices
* Fix a crash when trying to record an i2c emulation
* Fixed Huddly upgrade problems with major version changes
* Fix man page compatibility with apropos and whatis
* Fix parsing USB BOS descriptors
* Fix up the x86_64-specific capsule flags when deploying UEFI firmware
* Improve firmware stream searching speed by a huge amount
* Only convert the release uint32_t to device version format for UEFI devices
* Only handle SIGINT in fwupdtool when required
* Refactor the hypervisor and container detection to be usable from plugins
* Set PlatformArchitecture as the CPU architecture for RISC-V machines
* Use a sensible timeout when doing qc-s5gen2 HID requests
* This release adds support for the following hardware:
* HP Portable USB-C 4K HDMI Hub
* Lenovo Legion Go 2 (as a HID device)
* Synaptics HapticsPad
* Do not try to load i2c_dev kernel module on s390x. S390x has no native i2c devices and does not have the module (bsc#1253138).
* Update to version 2.0.17:
* This release adds the following features:
* Add support for client-side phased update deployment
* Add support for post-quantum signatures
* Allow clearing the cache directory
* Allow fwupdtpmevlog to dump the raw eventlog data
* Build a NVMe GUID derived from the serial number
* Make fwupdtool extract work with deeply nested images
* Parse VSS and FTW variable stores from EFI volumes
* Reintroduce the FreeBSD CI target
* Support very old versions of UDisks
* This release fixes the following bugs:
* Add 'fwupdmgr hwids' by exposing another daemon property
* Add offline hashes for the Microsoft 20250902 dbx
* Add the Framework-specific KEK and db hashes
* Allow updating IFD BIOS region via parent MTD
* Avoid showing reinstall prompts for composite devices
* Clean up the fwupdtool lock file in all cases
* Correctly match the correct historical composite component
* Do not allow PK or KEK updates when system has a test key installed
* Do not allow reinstalling when using ONLY_VERSION_UPGRADE
* Do not require AC power to run the installed tests
* Do not scan EFI volumes when constructing MTD BIOS devices
* Ensure REGION is always set for MTD IFD children
* Ensure SCSI instance IDs are valid ASCII values
* Fix a critical warning when parsing invalid Jabra firmware
* Fix an Ilitek parsing crash found when fuzzing
* Fix an inotify race when refreshing metadata
* Fix a pending-activation problem with Dell docking stations
* Fix a potential hang when creating a chunk array with aligned sizes
* Fix MTD emulation recording for PCI-backed devices
* Fix the device order when the parent specifies install-parent-first
* Fix the FLMSTR layout when reading IFD partitions
* Fix the thunderbolt controller rushing to finalize before onlining retimers
* Fix writing Intel GPU OptionROM data and OptionROM code
* Flush stale events to make the Logitech Rallybar more reliable
* Ignore all the Intel GPU MTD devices
* Ignore errors when writing the last page of Dell dock firmware
* Make an error message more specific
* Modify the Dell dock needs-activation flag after updates are installed
* Only add one devlink device for each PCI card
* Parse the FMAP SBOM area as uSWID when required
* Relax the USI dock DMC child device checks for new firmware
* Revert back to the flashrom deprecated API as the new API is unusable
* Rewrite the fwupdmgr manpage to be more useful
* Use higher delay when update status for Logitech peripheral devices
* This release adds support for the following hardware:
* ASUS CX9406 (touch controller)
* Framework Copilot keyboard
* Genesys GL352530 and GL352360
* Huddly C1
* Lexar and Maxio NVMe SSDs
* Primax Ryder mouse 2
* Add pkgconfig(libmnl) BuildRequires: new dependency.
* Fix file list
* Update to version 2.0.16:
* This release adds the following features:
* Add a 'search' feature to fwupdtool and fwupdmgr
* This release fixes the following bugs:
* Fix missing release locations when loading from artifact
* Fix remaining issues to make updates on FreeBSD work
* Update to version 2.0.15:
* This release adds the following features:
* Allow child devices to use the parent name as a prefix
* This release fixes the following bugs:
* Add newer commands and options for Fish completion
* Allow installing archives named as .CAB rather than .cab
* Erase Firehose modem devices correctly
* Fix Goodix enumeration issues
* Fix sending firmware reports without --force
* Fix the FreeBSD build
* Fix version number of BnR MTD devices
* Require additional requirements for the default PS5512 devboard
* Require a full system shutdown for all Micron NVMe updates
* Use a better name for Elan touchpad and Intel PCH SPI devices
* This release adds support for the following hardware:
* Foxconn SDX61 Modem
* Jabra Evolve2 child devices
* NVIDIA ConnectX-6, ConnectX-7 and ConnectX-8 NICs
* Update to version 2.0.14:
* This release adds the following features:
* Add support for ignoring the network connectivity requirement
* Allow building on RHEL-9 and RHEL-10
* Allow plugins to know the firmware version during update
* Allow UEFI capsule devices to opt-out of Capsule-on-Disk
* Allow unsetting HwID plugin context flags
* Allow upgrading from a zero "empty" UEFI dbx
* This release fixes the following bugs:
* Add an automatic firehose counterpart to the QCDM modem device
* Disable signature time checks when verifying firmware
* Do not add a vendor ID of UNKNOWN when the signature has no vendor
* Do not discover ThunderBolt retimer devices when run in single-shot mode
* Do not use deprecated libflashrom API
* Enhance firmware metadata generation in firmware_packager
* Ensure Lexar NVMe drives use a proper version number
* Fix parsing and writing UF2 extension sections
* Fix Synaptics RMI initialization for new devices
* Fix updating DFOTA and MBIM modem devices
* Move some vendor name fixups to the quirk file
* Remove CapsuleOnDisk HwID match for Dell
* Return a sensible error when using build-cabinet wrong
* Set the firehose loader filename in a more permissive way
* Update the mapping for TPM vendor names
* Verify the checksum of the serialized data in tests
* Work around a libmbim bug when detaching
* This release adds support for the following hardware:
* Egis MoC devices
* Framework QMK devices
* ILITEK touch controllers
* SteelSeries Arctis Nova 3P
* Drop unneeded gpgme build dependency. GPG support is provided with libjcat
* Update to version 2.0.13:
* This release adds the following features:
* Add a daemon config option to ignore efivars free space
* Add support for glob-aware version comparison requirements
* Allow targeting specific regions in FMAP when using flashrom
* Detect static variables and magic numbers during code review
* Remove the unused hailuck and rts54hid plugins
* This release fixes the following bugs:
* Align MTD erase up to the erasesize as necessary
* Allow parsing IGSC OptionROM when using fwupdtool
* Allow removing private flags from UEFI capsule devices in quirks
* Do not copy the vendor for Intel reference ME firmware
* Do not use an interactive console if stdout is redirected
* Fix the UEFI self-test when the capsule splash is disabled
* Get better device information when using PCI-backed MTD devices
* Get the Intel GPU SKU and SVN when using BMG hardware
* Make MBIM modem devices emulatable
* Make sure fwupdtool.exe is available in the Windows PATH
* Only show the 'Full Disk Encryption Detected' warning when required
* Set all QCDM modem devices to raw mode when updating
* Show all devices for fwupdtool get-devices --show-all --force
* Show correct dbx version if non-Microsoft entries are present
* Show KEK device attributes in fwupdmgr
* Use an alternate GUID when the Intel GPU is in recovery mode
* Use the kernel netlink hotplug socket when there is no Udev
* Various small changes to speed up startup by 60% and lower RSS by 40%
* This release adds support for the following hardware:
* HP USB-C 100W G6 Dock
* Logitech Bulk Controller peripherals
* More MediaTek scaler devices
* Fix %{_modulesloaddir}/fwupd-i2c.conf packaging
* Update to version 2.0.12:
* This release adds the following features:
* Add a config option for enforcing immutable device enumeration
* Add device emulation support for Thunderbolt host controllers
* Do the efivarfs free space checks for dbx, db, KEK and PK devices
* Ensure the i2c_dev kernel driver is always loaded if a module
* Parse the SBOM data from fwupdx64.efi if provided
* Support loading multiple coSWID blobs from PE files
* This release fixes the following bugs:
* Added HP Elitedesk G6 mini to not get dbx-updates
* Add two more uefi dbx checksum->version entries
* Be more useful when building modem device Instance IDs
* Convert asus-hid and legion-hid2 to hidraw to avoid possible input blips
* Do not create radio for Logitech RDFU-capable devices
* Fix a modem-manager regression where a PCI device had no vendor ID
* Fix a regression when updating DFOTA modem devices
* Fix self tests when building with -Defi_os_dir
* Fix self tests when the builder does not support DistroVersion
* Fix updating Thunderbolt host controllers with some version formats
* Handle HECI unsupported status (0x0b) for Dell hardware
* Make tar a dependency of the uefi-capsule tests
* Mark the KEK and db updates as affecting FDE like BitLocker
* Properly detect the Redfish reboot request for Dell servers
* Send the proper artifact firmware filename to the Redfish BMC
* Set the correct RMM device version for some Dell dock devices
* Use inhibits so that the rts54hub device is marked as non-updatable
* Use the virtual size to avoid padding when cutting PE sections
* Wait for the Logitech Scribe device to replug after updating
* This release adds support for the following hardware:
* HP Portable USB-C Hub
* More Foxconn 5G modem products
* More Intel Arc Battlemage products
* Update to version 2.0.11:
* This release adds the following features:
* Add a new check-reboot-needed command for scripts to use
* Read the SELinux state in the report failure metadata
* This release fixes the following bugs:
* Add some notes in the README about security-relevant build flags
* Add support for the Dell dock ownership command
* Add the subsystem VIDPID when provided by ModemManager
* Allow changing the rts54hub block size from a quirk entry
* Allow Legion HID2 downgrades without --force, and clear config on upgrades
* Allow specifying multiple DEVICE-IDs for the get-updates command
* Cache the stream when parsing the processed cabinet to fix the report upload
* Do not allow DBX updates on the AiStone X5KK4NAG
* Do not use translated low-level error messages in the failure report
* Fall back to the activation date if the X.509 cert has no suitable subject
* Fix newer Synaptics VMM9 devices by adding a delay after disabling RC
* Ignore some sanity checks when parsing PK, KEK and db certificates
* Increase timeout requested by Logitech RDFU devices
* Never include systemd.machine_id in the failure report
* Parse the correct VendorID from the ModemManager device ID
* Process all pending event sources when waiting for replug
* Use the UEFI PK report attributes for the other UEFI plugins
* This release adds support for the following hardware:
* Lenovo Thunderbolt 5 Smart Dock
* Update to version 2.0.10:
* This release adds the following features:
* Include the AGESA version as the summary of the AMD secure processor device
* Include the UEFI PK certificate key ID in the uploaded problem report
* Provide a way for the client to restrict the GUID list to an emulated device
* This release fixes the following bugs:
* Do not allow dbx updates on the HP Elitebook 845 Gen10
* Do not warn about BIOS bugs we can easily work around
* Fix a regression in fwupdmgr emulation-save when recording some devices
* Fix a regression preventing installation of KEKs
* Fix a small memory leak when getting security attributes
* Never write a UX capsule when using Capsule-On-Disk
* Use the 'OnBattery' property from upower to tell if plugged in
* This release adds support for the following hardware:
* Lenovo Legion Touchpad
* Logitech MX Mechanical
* Poly Studio V72 and V12
* Update to version 2.0.9:
* This release adds the following features:
* Add some documentation about updating the KEK and db
* Allow installing multiple db certificate updates at the same time
* Show what certificate signed the EFI authenticated variable
* Use readline to look up inputs from user, and make it optional
* This release fixes the following bugs:
* Add several devices with broken firmware to the UEFI dbx blocklist
* Construct the authenticated URI properly when using FirmwareBaseURI
* Do not enumerate non-updatable OptionROM devices
* Do not export Redfish backup partitions as devices
* Fix a crash when installing some Wacom firmware types
* Fix a crash when parsing uevents that are not KEY=VALUE
* Fix parsing the DFU descriptor when not using libusb
* Fix PK and KEK enumeration failure on some systems
* Fix SMBIOS parsing for ROM size >= 16MiB
* Include a resolution for more of the HSI failures
* Include more output when using fwupdtool get-devices --json
* Never allow updating updatable-hidden devices with fwupdtool
* Properly handle redfish location redirect when installing firmware
* Recognize a very old dbx hash to allow upgrades
* Require a reboot after updating Intel CVS devices
* Rework the MEI code so that a device can use more than one interface
* Rewrite the ModemManager plugin to be simpler and more supportable
* Simplify parsing USB descriptors
* This release adds support for the following hardware:
* Intel Arc Battlemage GPUs
* Add explicit pkgconfig(libusb-1.0) BuildRequires: pulled in by gusb already, but having it explicit allows adding specific version constraints.
* Add pkgconfig(readline) BuildRequires: new dependency.
* Update to version 2.0.8:
* This release adds the following features:
* Add the updated UEFI db as a new HSI attribute
* Add two new plugins that can update the UEFI Signature Database and KEK
* This release fixes the following bugs:
* Add /sys/firmware/efi/efivars to ReadWritePaths
* Avoid any DPAUX IO if the BnR DPCD does not match
* Be more careful falling back to older emulation versions
* Detect the Firehose protocol features if not automatically sent
* Do not match SMC Redfish method on non-Supermicro hardware
* Do not show prompts or messages in --json mode
* Fix a critical warning when enumerating DTH135K0C
* Make the EFI LOADOPT either a path or ShimHive when setting metadata
* Match lowercase directory names when checking for ESP
* Only allow UEFI capsule updates on UEFI-capable architectures
* Set the version format when using fwupdtool install offline
* Support segment value 0 in the ccgx-dmc image parser
* Update to version 2.0.7:
* This release adds the following features:
* Allow calling 'fwupdtool security' with a fwupd version parameter
* A new plugin to update B&R DisplayPort receivers
* A new plugin to update Intel CVS cameras
* A new plugin to verify UEFI memory protection attributes
* A new quirk to signify that no additional ESP space is required
* Build additional Redfish instance IDs for Dell server hardware
* Implement the HPE proprietary Redfish firmware push method
* Support cabinet archives greater in size than 2GB
* Support for showing the SBOM release URL
* Support for UEFI capsule installation in the bootloader
* This release fixes the following bugs:
* Always close USB file descriptors after starting the daemon
* Do not add a Redfish release date if set to 00:00:00Z
* Fix a critical warning when rescanning a device with no GUIDs
* Fix a small memory leak when enumerating Logitech Rallysystem devices
* Fix a tiny Redfish memory leak when writing firmware
* Fix building against pygobject 3.52
* Fix Logitech BulkController setup for new device firmware versions
* Fix scaler-only Wacom USB update deployment
* Fix updating the RMM component in the dell-kestrel dock
* Fix writing new EFI variables to workaround a kernel regression
* Make PCI NAME and SSVID_SSPID based modem-manager IDs visible
* Parse firmware before putting the device into bootloader mode
* Prepend the capsule header when using Capsule-on-Disk
* Put a memory limit on decoding LZMA streams when parsing firmware
* Retry claiming the fastboot interface for up to 2500ms
* Trigger dpaux rescan on drm changes correctly
* Use the metadata version format to set the version_lowest when required
* This release adds support for the following hardware:
* Another HP wireless dongle
* Lenovo ThinkPad Thunderbolt 4 Smart Dock Gen2
* Lenovo USB-C Dual Display Travel Dock
* More EDL 5G modem devices
* Align meson call with current upstream supported parameters.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server for SAP applications 16.0
  zypper in -t patch SUSE-SLES-16.0-647=1
* SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-647=1
## Package List:
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
* fwupd-debugsource-2.0.20-160000.1.1
* fwupd-devel-2.0.20-160000.1.1
* fwupd-2.0.20-160000.1.1
* libfwupd3-debuginfo-2.0.20-160000.1.1
* fwupd-debuginfo-2.0.20-160000.1.1
* typelib-1_0-Fwupd-2_0-2.0.20-160000.1.1
* libfwupd3-2.0.20-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
* fwupd-lang-2.0.20-160000.1.1
* fwupd-bash-completion-2.0.20-160000.1.1
* fwupd-doc-2.0.20-160000.1.1
* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
* fwupd-debugsource-2.0.20-160000.1.1
* fwupd-devel-2.0.20-160000.1.1
* fwupd-2.0.20-160000.1.1
* libfwupd3-debuginfo-2.0.20-160000.1.1
* fwupd-debuginfo-2.0.20-160000.1.1
* typelib-1_0-Fwupd-2_0-2.0.20-160000.1.1
* libfwupd3-2.0.20-160000.1.1
* SUSE Linux Enterprise Server 16.0 (noarch)
* fwupd-lang-2.0.20-160000.1.1
* fwupd-bash-completion-2.0.20-160000.1.1
* fwupd-doc-2.0.20-160000.1.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1253138
* https://bugzilla.suse.com/show_bug.cgi?id=1256507