This bug was fixed in the package wpa - 2:2.6-15ubuntu1

---------------
wpa (2:2.6-15ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/patches/wpa_service_ignore-on-isolate.patch: add
      IgnoreOnIsolate=yes so that when switching "runlevels" in oem-config
      will not kill off wpa and cause wireless to be unavailable on first
      boot.
    - debian/patches/session-ticket.patch: disable the TLS Session Ticket
      extension to fix auth with 802.1x PEAP on some hardware.
    - debian/patches/android_hal_fw_path_change.patch: add a DBus method
      for requesting a firmware change when working with the Android HAL;
      this is used to set a device in P2P or AP mode; conditional to
      CONFIG_ANDROID_HAL being enabled.
    - debian/config/wpasupplicant/linux: enable CONFIG_ANDROID_HAL.
    - debian/control: Build-Depends on android-headers to get the required
      wifi headers for the HAL support.
    - debian/patches/dbus-available-sta.patch: Make the list of connected
      stations available on DBus for hotspot mode; along with some of the
      station properties, such as rx/tx packets, bytes, capabilities, etc.
  * Updated debian/patches/dbus-available-sta.patch for new getter API
    and refreshed other patches.

wpa (2:2.6-15) unstable; urgency=medium

  * Update debian/control:
    - Update Maintainer field to point to $pack...@packages.debian.org
    - Update Vcs-* fields to point to salsa.d.o
    - Drop no longer active uploaders.

wpa (2:2.6-14) unstable; urgency=medium

  * Replace the PEM fix patch by Lukasz Siudut with an upstream patch.
    Thanks to David Benjamin <david...@google.com>.
  * Apply patches from Beniamino Galvani:
    - Fix race condition in detecting MAC address change
    - Update MAC address when driver detects a change
  * Disable WNM to resolve a compatibility issue with wl.
    Thanks to YOSHINO Yoshihito <yy.y.ja...@gmail.com>.
    Hopefully really closes: #833507.

wpa (2:2.6-13) unstable; urgency=medium

  * Fix a typo in functions.sh (Closes: #883659).

wpa (2:2.6-12) unstable; urgency=medium

  * Add wl to the blacklist for MAC randomisation. (Closes: #833507)
  * Blacklist an out-of-tree driver for Realtek RTL8188EU too.

wpa (2:2.6-11) unstable; urgency=medium

  * Unbreak EAP-TLS.
    Thanks to Dmitry Borodaenko <angdr...@debian.org>

wpa (2:2.6-10) unstable; urgency=medium

  * Mask hostapd every time it has no valid configuration.

wpa (2:2.6-9) unstable; urgency=medium

  * Tell NetworkManager to not touch MAC addresses on unsupported drivers.
    Hopefully, this will fix #849077.

wpa (2:2.6-8) unstable; urgency=medium

  * Revert "Build wpa_supplicant with interface matching support."
    (Closes: #882716).
  * Drop override_dh_builddeb.
  * Use dh 10.
  * Prevent hostapd from failing on the package install when there
    isn't a valid configuration file yet (Closes: #882740):
    - Don't enable hostapd.service by default.
    - Mask hostapd.service on the first install.

wpa (2:2.6-7) unstable; urgency=medium

  * Upload to unstable.
  * Optional AP side workaround for key reinstallation attacks (LP: #1730399).

wpa (2:2.6-6) experimental; urgency=medium

  [ Reiner Herrmann ]
  * Port wpa_gui to Qt5 (Closes: #875233).

  [ Andrew Shadura ]
  * Add a service file for hostapd.
  * Build wpa_supplicant with interface matching support (Closes: #879208).

  [ Benedikt Wildenhain (BO) ]
  * Install wpa_supplicant-wired@.service (Closes: #871488).

  [ Jan-Benedict Glaw ]
  * Consider all ifupdown configuration, not only /etc/network/interfaces
    (Closes: #853293).

wpa (2:2.6-5) experimental; urgency=medium

  [ Yves-Alexis Perez ]
  * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
    CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
    CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
    - hostapd: Avoid key reinstallation in FT handshake
    - Prevent reinstallation of an already in-use group key
    - Extend protection of GTK/IGTK reinstallation of
    - Fix TK configuration to the driver in EAPOL-Key 3/4
    - Prevent installation of an all-zero TK
    - Fix PTK rekeying to generate a new ANonce
    - TDLS: Reject TPK-TK reconfiguration
    - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
    - WNM: Ignore WNM-Sleep Mode Response without pending
    - FT: Do not allow multiple Reassociation Response frames
    - TDLS: Ignore incoming TDLS Setup Response retries

wpa (2:2.6-4) experimental; urgency=medium

  * Upload to experimental.
  * Bump the epoch to 2:, as the upload to unstable had to bump epoch.

 -- Julian Andres Klode <juli...@ubuntu.com>  Thu, 18 Jan 2018 19:47:17 +0100

** Changed in: wpa (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13078

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13079

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13080

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13081

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13082

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13086

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13087

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13088

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to wpa in Ubuntu.
https://bugs.launchpad.net/bugs/1730399

Title:
  Add krackattacks mitigation

Status in wpa package in Ubuntu:
  Fix Released

Bug description:
  See for reference:
  https://www.krackattacks.com/#ap-mitigations

  Yes this is not a bug. However, it has been noted on ubuntu-devel that
  adding some features even to stable releases could be justified in
  *some* cases.
  First of paramount importance is that the fix introduces no regression.
  In this case this code is *only* used if a new parameter is set:

  wpa_disable_eapol_key_retries=1

  if this parameter is missing, behaviour will not change.
  So any regression introduced will be caused by a deliberate admin
  decision, from where all responsibility could be denied (use at your
  own risk, yadda, yadda...)

  Then, is this parameter useful? It could be, for the hundreds of
  millions of Android phones that are not yet patched (6.0 and upper)
  and will never be patched (about 50% of existing Android phones).

  Please note that at least one wifi provider has already decided to
  provide this feature to help its users:

  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

  so this is something that leaders do :-)

  I have already patched my AP that runs Ubuntu 16 LTS (see attached
  patch against 2.4-0ubuntu6.2, I have used my AP for 3 days now with a
  Ubuntu and an Android client without problem) and I could try to
  provide a patch for Ubuntu 17. This kind of patch is really trivial
  anyway, since it's just a port of the upstream patch in hostapd:

  https://w1.fi/cgit/hostap/commit/?id=6f234c1e2ee1ede29f2412b7012b3345ed8e52d3


  However I have a big problem. Any security patch (and this is a
  security enhancing patch at least) is only worth as much as it is
  *tested*. And I don't have the means to verify that mitigation is
  effective, as the vulnerability discoverer has not provided (for
  obvious reasons) public testing code for clients.
  I think that Ubuntu should have this code (or did you just distribute
  security patches without testing that they are effective? that would
  not be very serious IMO).
  There is no chance that M. Vanhoef sends his code to any old dog on
  the internet, so Canonical is my only chance for a real test of this
  feature on an Ubuntu AP (short of rewriting the attack code myself,
  not an attractive proposition).
  If in fact you don't have the testing (well, attack) code feel free to
  dismiss my bug report as irrelevant. But if you have please consider
  the opportunity to add some goodwill to Ubuntu. Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1730399/+subscriptions
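
Added example (not part of the bug report and not hostapd's own code): a
small Python audit that checks hostapd.conf text for the
wpa_disable_eapol_key_retries=1 parameter described above, per BSS. It
assumes each bss= section starts from defaults, so the parameter must be set
in every WPA-enabled BSS; the sample configuration is constructed.

```python
# Added example: audit hostapd.conf text for the AP-side KRACK workaround.
# Assumption: every bss= line starts a new BSS whose options begin from
# defaults, so the parameter is needed in each WPA-enabled BSS section.

SAMPLE_CONF = """\
# constructed sample, not taken from a real AP
interface=wlan0
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_disable_eapol_key_retries=1

bss=wlan0_guest
ssid=guest
wpa=2
#wpa_disable_eapol_key_retries=1

bss=wlan0_open
ssid=lobby
"""

def parse_bss_sections(text):
    """Return [[bss_name, {option: value}], ...] in file order."""
    sections = [["<unnamed>", {}]]        # the first BSS always exists
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                      # blank line, comment or junk
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "interface":
            sections[0][0] = value        # names the first BSS
        elif key == "bss":
            sections.append([value, {}])  # additional BSS on the same radio
        else:
            sections[-1][1][key] = value  # last assignment wins
    return sections

def audit(text):
    """Map each BSS name to 'protected', 'missing' or 'no-wpa'."""
    result = {}
    for name, opts in parse_bss_sections(text):
        if opts.get("wpa", "0") == "0":
            result[name] = "no-wpa"       # no 4-way handshake to protect
        elif opts.get("wpa_disable_eapol_key_retries") == "1":
            result[name] = "protected"
        else:
            result[name] = "missing"
    return result

if __name__ == "__main__":
    for bss, state in audit(SAMPLE_CONF).items():
        print(f"{bss}: {state}")
```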
