Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock the package wpa. This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801): - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675) - CVE-2019-9495: EAP-pwd cache attack against ECC groups - CVE-2019-9496: SAE confirm missing state validation - CVE-2019-9497: EAP-pwd server not checking for reflection attack - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element For more details on the vulnerability itself, see: - https://w1.fi/security/2019-1/ - https://w1.fi/security/2019-2/ - https://w1.fi/security/2019-3/ - https://w1.fi/security/2019-4/ Since the patches are quite big, you can check them here: - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/ Erroneously not mentioned in the changelog, this upload also declares a correct build dependency on libnl-3-dev. unblock wpa/2:2.7+git20190128+0c1e29f-4 -- Cheers, Andrej
