View Issue Details

ID: 0000353
Project: AlmaLinux-9
Category: fwupd
View Status: public
Last Update: 2023-01-05 11:30
Reporter: mnlipp
Assigned To:
Priority: high
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Platform: x86_64
OS: AlmaLinux
OS Version: 9.1
Summary: 0000353: fwupd outdated, may cause BMC inaccessibility and security issue

Description:
There is/was a known problem with older fwupd versions on Supermicro creating an IPMI user (https://github.com/fwupd/fwupd/issues/5129, https://github.com/fwupd/fwupd/pull/5058). In addition, the generated password is not protected (https://www.suse.com/security/cve/CVE-2022-3287.html).

AlmaLinux 9.1 ships with the old version 1.7.9 of fwupd. On one of my machines, both issues struck.

(1) I suddenly couldn't access the BMC any more because fwupd changed the ADMIN password. As my physical access to the machine is very restricted, this could have been a major problem as I was just configuring the network and had only "shaky" access to the machine (and thus IPMI from the root account).

(2) The generated credentials for fwupd were created in a file with 666 access.

Steps To Reproduce:
I'm currently experimenting with three identical machines. Only one machine was affected. I don't know why, because I don't know what triggers fwupd's IPMI user creation. I assume that explicitly starting fwupd on the other machines results in the same behavior, but I'm definitely not going to try.

Additional Information:
Both issues have been addressed in the current version of fwupd. I'm well aware that AlmaLinux effectively depends on upstream fixes from RedHat. But there must be some way to handle such critical issues.

Tags: No tags attached.
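The report's second finding is a credentials file left with mode 666. The audit below checks candidate files for any group/other permission bits and, with FIX=1, tightens them to 0600. This is an added example and not code from the bug report or from fwupd; the page does not name the file that fwupd 1.7.9 wrote, so the paths to audit are an assumption supplied by the operator.

```shell
#!/bin/sh
# Added example, not from the bug report or the fwupd project.
# Audits files that may hold BMC/IPMI credentials for group/other permission
# bits (the "666" problem in the report). The file path fwupd used is not
# stated on the page, so the caller passes the paths to check (assumption).

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if only the owner can access the file (0600 or tighter),
# 1 if any group/other bit is set, 2 if the mode could not be read.
cred_file_ok() {
    f=$1
    mode=$(perm_of "$f") || return 2
    val=$(printf '%d' "0$mode")        # octal string -> integer
    if [ $(( val & 077 )) -ne 0 ]; then
        echo "INSECURE $f mode=$mode (group/other bits set)"
        return 1
    fi
    echo "ok       $f mode=$mode"
    return 0
}

# Audit every path given. Returns 1 if any file was found insecure.
# With FIX=1 in the environment, offending files are chmod'ed to 0600.
audit_cred_perms() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing  $f"; continue; }
        if ! cred_file_ok "$f"; then
            rc=1
            if [ "${FIX:-0}" = 1 ]; then
                chmod 0600 "$f" && echo "fixed    $f -> 0600"
            fi
        fi
    done
    return $rc
}

# Usage (operator supplies the candidate paths, e.g. the fwupd config files
# under /etc/fwupd and /var/lib/fwupd on the affected machine):
#   audit_cred_perms /etc/fwupd/*.conf
#   FIX=1 audit_cred_perms /etc/fwupd/*.conf
```

The exit status makes the function usable from a configuration-management run or a post-upgrade hook: a non-zero result means at least one file was readable by users other than its owner when the audit ran, whether or not FIX=1 then repaired it.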

Activities

There are no notes attached to this issue.

Issue History

Date Modified     Username  Field      Change
2023-01-05 11:29  mnlipp    New Issue