Your message dated Fri, 24 Aug 2018 13:52:21 +0000
with message-id <[email protected]>
and subject line Bug#905739: fixed in wpa 2:2.4-1+deb9u2
has caused the Debian Bug report #905739,
regarding wpa: CVE-2018-14526: Unauthenticated EAPOL-Key decryption in
wpa_supplicant
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
905739: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905739
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wpa
Version: 2:2.4-1
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for wpa.
CVE-2018-14526[0]:
| An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0
| through 2.6. Under certain conditions, the integrity of EAPOL-Key
| messages is not checked, leading to a decryption oracle. An attacker
| within range of the Access Point and client can abuse the
| vulnerability to recover sensitive information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526
[1] https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 2:2.4-1+deb9u2
We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <[email protected]> (supplier of updated wpa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 09 Aug 2018 09:23:49 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source
Version: 2:2.4-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Debian wpasupplicant Maintainers
<[email protected]>
Changed-By: Andrej Shadura <[email protected]>
Description:
hostapd - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
wpagui - graphical user interface for wpa_supplicant
wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 905739
Changes:
wpa (2:2.4-1+deb9u2) stretch; urgency=high
.
* SECURITY UPDATE:
- CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
(Closes: #905739)
Checksums-Sha1:
90ef7a27f07b5a1175f68c34114d36ad3ad50cf9 2301 wpa_2.4-1+deb9u2.dsc
8036d8b0bf0f3ed938d9b5309489d5f63dfd2b62 96572 wpa_2.4-1+deb9u2.debian.tar.xz
Checksums-Sha256:
1590d8a659ed4f4e5e1e693b45c57dc8a7ce4c831a0b8aced3a1b2458184622b 2301
wpa_2.4-1+deb9u2.dsc
983cd21ad7bf4ffa6e5a7f054d977c2331d4b2642198c4c825ee52ad6e86e088 96572
wpa_2.4-1+deb9u2.debian.tar.xz
Files:
01d359e2fc0ac558dd7a77366c688956 2301 net optional wpa_2.4-1+deb9u2.dsc
003f2faff5c9203bd35ef7d6f542caaf 96572 net optional
wpa_2.4-1+deb9u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAlt2bgoACgkQXkCM2RzY
OdLc9QgAmhAeyK9Bxmv82t56ujrLx5r2dKvrc5EAv9YV8uMavV2IUu0VOhPN/Y8k
dAiprG9ot2bfstcDX4SynB29E4ZqKt77Uwm1ObjUIZ4O7jRg6f8fNt5UgvhEXIYH
sCiH6uj0xDqp/1S4rrIS/42PHBpA4AZjCbKCLwLinYinKz1Jmo4CpzBR1dv3MV2V
hT9dQ8eicwEKiISPdMYCWgz3tMdkGj2SD/pl8gAurEYo/ogJffmCTAKgJUQ1nvCC
+hIHGken8b3ZAS610TCGKRED2wHpknbJN840erigWVeKZZbu0iD+9+E2rjaEPvkz
BODDeXww+ecsM1yQdChzk4Hay3e6QQ==
=APSJ
-----END PGP SIGNATURE-----
--- End Message ---
