Accepted wpa 2:2.9.0-21+deb11u3 (source) into oldstable-security



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Apr 2025 16:57:53 +0200
Source: wpa
Architecture: source
Version: 2:2.9.0-21+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <wpa@packages.debian.org>
Changed-By:  Bastien Roucariès <rouca@debian.org>
Changes:
 wpa (2:2.9.0-21+deb11u3) bullseye-security; urgency=high
 .
   * SECURITY UPDATE: Side-channel attack due to cache access patterns.
     - debian/patches/CVE-2022-2330x-x.patch: Add crypto function operators in
       ./src/crypto/crypto.h, .../crypto_openssl.c, and .../crypto_wolfssl.c.
       Add dragonfly_sqrt() helper function in ./src/common/dragonfly.c. Change
       coordinate calculations in ./src/eap_common/eap_pwd_common.c.
     - Fix CVE-2022-23303: The implementations of SAE in hostapd
       are vulnerable to side channel attacks as a result of
       cache access patterns.
     - Fix CVE-2022-23304: The implementations of EAP-pwd are vulnerable
       to side-channel attacks as a result of cache access patterns.
   * SECURITY UPDATE: Encrypted element reusage.
     - debian/patches/CVE-2022-37660.patch: Add hostapd_dpp_pkex_clear_code()
       and wpas_dpp_pkex_clear_code(), and clear code reusage in
       ./src/ap/dpp_hostapd.c and ./wpa_supplicant/dpp_supplicant.c
     - Fix CVE-2022-37660: the PKEX code remains active even after
       a successful PKEX association. An attacker that successfully
       bootstrapped public keys with another entity using PKEX in
       the past will be able to subvert a future bootstrapping
       by passively observing public keys, re-using the encrypting
       element Qi and subtracting it from the captured message
       M (X = M - Qi). This will result in the public ephemeral
       key X, the only element required to subvert the PKEX association.
Checksums-Sha1:
 b8c1fc41f5706b093830ec6f3557332c6a14e0fa 2725 wpa_2.9.0-21+deb11u3.dsc
 8c4bafede40b32890ab65ac120e1c24757878248 2347080 wpa_2.9.0.orig.tar.xz
 cb17c948a9cf8b9dc8f110ea0c20c1e78e73600a 105236 wpa_2.9.0-21+deb11u3.debian.tar.xz
 a71240c5c814546f0f9e560af18831129ca94ab5 15483 wpa_2.9.0-21+deb11u3_amd64.buildinfo
Checksums-Sha256:
 44d9413dc8866d9c14502e9ddd920eb448d7a82e1bfcd18b89dc6369f6c4f8aa 2725 wpa_2.9.0-21+deb11u3.dsc
 4032da92d97cb555053d94d514d590d0ce066ca13ba5ef144063450bc56161a7 2347080 wpa_2.9.0.orig.tar.xz
 508f654a6394c9b5be17ded56a5838202054c68c369a44a0f47d6376d0195c37 105236 wpa_2.9.0-21+deb11u3.debian.tar.xz
 2f6b816f4f78dfbdc05fe11515c9918a498e946224bd8ee1347bd95678525aa1 15483 wpa_2.9.0-21+deb11u3_amd64.buildinfo
Files:
 06234fe8ee078ecf9b91572c807fe0c2 2725 net optional wpa_2.9.0-21+deb11u3.dsc
 132953a85df36d0fca4df129b036ca06 2347080 net optional wpa_2.9.0.orig.tar.xz
 a14a2af892417c8dc7636ae4d0aa3047 105236 net optional wpa_2.9.0-21+deb11u3.debian.tar.xz
 370b1b05158578601ad87538e93e8811 15483 net optional wpa_2.9.0-21+deb11u3_amd64.buildinfo
