[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#765631: unblock/ age to 5 days: wpa/2.3-1 (CVE-2014-3686, DSA-3052-1)

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: debian-boot@lists.debian.org


Please unblock the udeb producing package wpa and reduce its 
propagation time to 5 days. wpa 2.3-1 has been successfully built and
uploaded on all release architectures.

wpa <= 2.3-1 is vulnerable against a remotely exploitable security 
bug, which might allow attackers to inject an unsanitized string 
received from a remote device (potentially any device in radio 
range) to a privileged (typically root or netdev) system() call via 
wpa_cli/ hostapd_cli action scripts.

CVE-2014-3686	https://security-tracker.debian.org/tracker/CVE-2014-3686
DSA-3052-1	https://www.debian.org/security/2014/dsa-3052
#765352		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765352

For debian-boot/ the upcoming stable point release (wheezy 7.7):
wpasupplicant-udeb, as used by d-i, does not contain the exploitable
binary (wpa_cli), which is only part of the full wpasupplicant/ hostapd
packages (these are already fixed via debian-security). Accordingly 
d-i's usage of wpa_supplicant is not suspectible to this security 

This is a new upstream version of wpa containing further changes and
features of wpa's stable integration branch[1], rather than a 
targetted fix.

unblock wpa/2.3-1

	Stefan Lippers-Hollmann

[1]	wpa 2.x is a continuous integration branch for bugfixes and new 
	features, rather than a dedicated	bugfix branch in the sense of 
	PostgreSQL or the linux kernel.

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: