#18145: hostapd wpa-cli package needs to be patched for a remote root exploit
(CVE-2014-3686)
-------------------------------------------------+-------------------------
Reporter: molo | Owner: developers
Type: defect | Status: new
Priority: high | Milestone:
Component: packages | Version: Trunk
Keywords: CVE-2014-3686, hostapd, wpa_cli, |
wpa-cli |
-------------------------------------------------+-------------------------
Hello.

Recently, CVE-2014-3686 was announced:

 * http://w1.fi/security/2014-1/wpacli-action-scripts.txt

There are upstream patches available:

 * http://w1.fi/security/2014-1/

Major distributions such as RH and Debian are patching. See:

 * https://www.debian.org/security/2014/dsa-3052
 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3686

I reviewed the code a bit. I believe that if you have the "wpa-cli"
package installed and you use wpa_cli with the -a option to run as a
daemon, you would be vulnerable.

Please apply the patches and backport to 12.09.x as well.

--
Ticket URL: <https://dev.openwrt.org/ticket/18145>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
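
A check for the exposure condition named in the ticket, a wpa_cli process started with the -a option, as an added example that is not part of the ticket or of the OpenWrt or hostap code. The function names are hypothetical, and the split between option letters that take an argument and those that do not is an assumption based on wpa_cli's usage text.

```shell
# Added example: find wpa_cli processes that were started with -a <action file>.
# Assumption: -h, -v, -B take no argument; -g, -G, -i, -p, -P take one.
# action_script ARGV...: print the action file if ARGV is a wpa_cli
# command line that uses -a; return 1 otherwise.
action_script() {
    [ "${1##*/}" = wpa_cli ] || return 1
    shift
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case "$opt" in
            --)  return 1 ;;              # end of options
            -?*) opt=${opt#-} ;;
            *)   continue ;;              # not an option word
        esac
        while :; do                       # drop clustered no-argument flags
            case "$opt" in
                [hvB]*) opt=${opt#?} ;;
                *) break ;;
            esac
        done
        case "$opt" in
            a)  [ $# -gt 0 ] || return 1  # "-a FILE"
                printf '%s\n' "$1"; return 0 ;;
            a*) printf '%s\n' "${opt#a}"; return 0 ;;   # "-aFILE"
            [gGipP]) [ $# -eq 0 ] || shift ;;           # skip its argument
        esac
    done
    return 1
}

# scan_procs: report every running wpa_cli that has an action script.
scan_procs() {
    found=1
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        set --                            # rebuild argv from NUL-separated file
        while IFS= read -r word; do set -- "$@" "$word"; done <<EOF
$(tr '\0' '\n' 2>/dev/null < "$f")
EOF
        if script=$(action_script "$@"); then
            pid=${f#/proc/}
            printf 'pid %s: wpa_cli -a %s\n' "${pid%/cmdline}" "$script"
            found=0
        fi
    done
    return $found
}
if [ "${1:-}" = scan ]; then scan_procs; fi
```

Run it on the device with `scan` as the first argument; it exits 0 and lists the matching PIDs when any wpa_cli instance is running with an action script.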