[SECURITY] [DLA 4123-1] wpa security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4123-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
April 12, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : wpa
Version : 2:2.9.0-21+deb11u3
CVE ID : CVE-2022-23303 CVE-2022-23304 CVE-2022-37660
Multiple vulnerabilities were found in wpa, a set of tools including
the widely-used wpasupplicant client for authenticating with WPA
and WPA2 wireless networks.

CVE-2022-23303

    The implementations of SAE in hostapd are vulnerable to
    side-channel attacks as a result of cache access patterns.

CVE-2022-23304

    The implementations of EAP-pwd are vulnerable to side-channel
    attacks as a result of cache access patterns.

CVE-2022-37660

    The PKEX code remains active even after a successful PKEX
    association. An attacker that successfully bootstrapped public
    keys with another entity using PKEX in the past will be able to
    subvert a future bootstrapping by passively observing public keys.

For Debian 11 bullseye, these problems have been fixed in version
2:2.9.0-21+deb11u3.
We recommend that you upgrade your wpa packages.
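
One way to confirm that a host already carries the fixed version, as an added example that is not part of the Debian advisory. The package list in WPA_PKGS is an assumption about which binary packages the wpa source builds on bullseye; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the advisory: check a Debian 11 host against
# the fixed version named in DLA-4123-1.

FIXED='2:2.9.0-21+deb11u3'              # fixed version from the advisory
# Assumption: binary packages built from the wpa source package on bullseye.
WPA_PKGS='wpasupplicant hostapd wpagui'

# classify_version VERSION
# Prints "fixed" if VERSION >= FIXED under dpkg ordering, else "vulnerable".
# dpkg ordering compares the epoch ("2:") first and numeric parts as numbers
# (2.10 > 2.9.0), which plain string comparison gets wrong.
classify_version() {
    if dpkg --compare-versions "$1" ge "$FIXED"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# audit_wpa
# Prints one line per installed wpa package; returns 1 if any is below FIXED.
audit_wpa() {
    rc=0
    for pkg in $WPA_PKGS; do
        # Unknown packages make dpkg-query fail; skip them.
        out=$(dpkg-query -W -f='${Status}|${Version}' "$pkg" 2>/dev/null) || continue
        # Skip packages that were removed but still have config files.
        [ "${out%%|*}" = 'install ok installed' ] || continue
        ver=${out##*|}
        state=$(classify_version "$ver")
        printf '%-14s %-24s %s\n' "$pkg" "$ver" "$state"
        [ "$state" = fixed ] || rc=1
    done
    return $rc
}

audit_wpa || echo "DLA-4123-1: upgrade the wpa packages on this host" >&2
```
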
For the detailed security status of wpa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpa
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS