Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock the package wpa.
This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):
- CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
- CVE-2019-9495: EAP-pwd cache attack against ECC groups
- CVE-2019-9496: SAE confirm missing state validation
- CVE-2019-9497: EAP-pwd server not checking for reflection attack
- CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
- CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
For more details on the vulnerability itself, see:
- https://w1.fi/security/2019-1/
- https://w1.fi/security/2019-2/
- https://w1.fi/security/2019-3/
- https://w1.fi/security/2019-4/
Since the patches are quite big, you can check them here:
- https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
- https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/
Erroneously not mentioned in the changelog, this upload also declares a correct
build dependency on libnl-3-dev.
unblock wpa/2:2.7+git20190128+0c1e29f-4
--
Cheers,
Andrej