
Bug#765631: unblock/ age to 5 days: wpa/2.3-1 (CVE-2014-3686, DSA-3052-1)



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: debian-boot@lists.debian.org

Hi

Please unblock the udeb-producing package wpa and reduce its
propagation time to 5 days. wpa 2.3-1 has been successfully built and
uploaded on all release architectures.

wpa <= 2.3-1 is vulnerable to a remotely exploitable security
bug, which might allow attackers to inject an unsanitized string
received from a remote device (potentially any device in radio
range) into a privileged (typically root or netdev) system() call via
wpa_cli/ hostapd_cli action scripts.

CVE-2014-3686	https://security-tracker.debian.org/tracker/CVE-2014-3686
DSA-3052-1	https://www.debian.org/security/2014/dsa-3052
#765352		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765352


For debian-boot/ the upcoming stable point release (wheezy 7.7):
wpasupplicant-udeb, as used by d-i, does not contain the exploitable
binary (wpa_cli), which is only part of the full wpasupplicant/ hostapd
packages (these are already fixed via debian-security). Accordingly
d-i's usage of wpa_supplicant is not susceptible to this security
issue.


This is a new upstream version of wpa containing further changes and
features of wpa's stable integration branch[1], rather than a
targeted fix.

unblock wpa/2.3-1

Regards
	Stefan Lippers-Hollmann

[1]	wpa 2.x is a continuous integration branch for bugfixes and new
	features, rather than a dedicated bugfix branch in the sense of
	PostgreSQL or the linux kernel.
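An added example, not part of this report or of wpa's own code, of the mitigation the report implies: the remote-supplied string is passed to the action script as its own argv element rather than interpolated into a command line that system() hands to /bin/sh. The script path, interface name and event name used below are assumed placeholders.

```c
/* Added illustration (not wpa_supplicant/hostapd code): vulnerable vs.
 * hardened ways of invoking an action script with a string that came
 * from a remote device (e.g. an SSID). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape described in the report: the untrusted string is
 * interpolated into one command line that system() would give to the
 * shell, so metacharacters in it are interpreted. Shown for contrast
 * only; never feed untrusted input through this path. */
static int build_shell_cmd(char *buf, size_t len, const char *script,
                           const char *ifname, const char *event,
                           const char *untrusted)
{
    int n = snprintf(buf, len, "%s %s %s %s", script, ifname, event, untrusted);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Hardened shape: build an argv vector and execv() the script directly.
 * No shell is involved, so the untrusted string reaches the script
 * verbatim as argv[3] and cannot alter what gets executed.
 * Returns the script's exit status, 127 if exec failed, -1 on error. */
static int run_action_script(const char *script, const char *ifname,
                             const char *event, const char *untrusted)
{
    char *const argv[] = { (char *)script, (char *)ifname, (char *)event,
                           (char *)untrusted, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Privilege still matters: the script runs with the caller's rights, so the unblocked package's fix removes the shell from the path but does not make the script's own handling of argv[3] safe by itself.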
