[SECURITY] [DLA 3743-1] wpa security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3743-1] wpa security update
From: "Chris Lamb" <lamby@debian.org>
Date: Tue, 27 Feb 2024 14:44:01 +0000
Message-id: <[🔎] 170904252958.72265.374228946819665691@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3743-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
February 27, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : wpa
Version        : 2:2.7+git20190128+0c1e29f-6+deb10u4
CVE ID         : CVE-2023-52160
Debian Bug     : 1064061

It was discovered that there was a potential authentication bypass
vulnerability in wpa, a set of tools including the widely-used
wpasupplicant client for authenticating with WPA and WPA2 wireless
networks.

For an attack to have been successful, wpasupplicant must have been
configured to not verify the network's TLS certificate during Phase 1
of the authentication cycle; a eap_peap_decrypt vulnerability could
have been used to skip Phase 2 authentication by sending an EAP-TLV
"Success" packet instead of starting Phase 2.

For Debian 10 buster, this problem has been fixed in version
2:2.7+git20190128+0c1e29f-6+deb10u4.

We recommend that you upgrade your wpa packages.

For the detailed security status of wpa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpa

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmXd62AACgkQHpU+J9Qx
Hlhd4xAAtrUm2WhASv3Yv6UhOdBLeQ7lkzVUYlH5KcKWVtRK+VyCogU3qQWmF9CO
orcF8bgrlAiij8YB4fnI/9eG1/W2pg4C7eViw95ShydtbDg5qmw+fz5gGFKoytW3
JWC2D3Y77tmUHc/HOS2aAEsE8lRDZECNKnFFU9GHRWdeTklXBGFRiyJvnj7O1bnh
YS7tufOfhOK49CX1N069x/cXgRfAJDobEpwrrVJfKnlyDeKZ8mfLYtBXNu/iKV1z
ZUJmg4aSZvCo5Fskaui0QLsj7EHYKs1KXFryKXgGcz4GVbrx3glAO/iYM6YZ1M0B
H+CAkhBhb05GZ7yHxiRBvJqdRGZ1W54YLGRbN7rJfyIhxHh9uID31yh9M9wTDn0D
B1/yQ30VqcJVAjRWTVwsU4TNEn0AndtL068+zpYX7sz0Uz1guXB43zQ9rCs7kFa7
UjtJ3/gOJ/9mQn7sgjL8RxH1laYW7wxa+GSzccmn+INZxRcNWToYAYJCS2/OSGHO
BtVmyo7qHyKxA+72uV7bpp3znRru/EneCWRRhhvyPwsc5yjXV8tvBlI91rEdarkk
fOqbcknz8Y7vPAKxPg8NBdHa6Ut+8Iizony9XEosWIWf/+PTvg539GjTXp1MmThK
+wtd2DlmXuXHpyhB0DSME9wNaoviShQ1yUww0lQeYcSBWse7soc=
=6/3V
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3742-1] libgit2 security update
Next by Date: [SECURITY] [DLA 3744-1] python-django security update
Previous by thread: [SECURITY] [DLA 3742-1] libgit2 security update
Next by thread: [SECURITY] [DLA 3744-1] python-django security update
Index(es):
- Date
- Thread