Your message dated Thu, 06 Nov 2014 17:06:08 +0000
with message-id <e1xmqvc-0007ox...@franck.debian.org>
and subject line Bug#765352: fixed in wpa 1.0-3+deb7u1
has caused the Debian Bug report #765352,
regarding wpa: arbitrary command execution via action scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
765352: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765352
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wpa
Severity: serious
Tags: security

Hi,
the following vulnerability was published for wpa. It affects both
wpa-supplicant and hostapd:

CVE-2014-3686[0]:
action script execution vulnerability

From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3686:
> Jouni Malinen discovered that a string supplied from a remote device could
> be supplied to a system() call in wpa_cli or hostapd_cli when running an
> action script (with the "-a" option), resulting in arbitrary command
> execution. This issue could also be triggered by an attacker within radio
> range.
> 
> Patches are available from the following:
> http://w1.fi/security/2014-1/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
    https://security-tracker.debian.org/tracker/CVE-2014-3686
    Please adjust the affected versions in the BTS as needed.


-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 1.0-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <s....@gmx.de> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Oct 2014 23:32:54 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 1.0-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian/Ubuntu wpasupplicant Maintainers <pkg-wpa-de...@lists.alioth.debian.org>
Changed-By: Stefan Lippers-Hollmann <s....@gmx.de>
Description: 
 hostapd    - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authentica
 wpagui     - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 765352
Changes: 
 wpa (1.0-3+deb7u1) wheezy-security; urgency=high
 .
   * Apply upstream patches for CVE-2014-3686 (Closes: #765352):
     - add os_exec() helper to run external programs
     - wpa_cli: Use os_exec() for action script execution
     - hostapd_cli: Use os_exec() for action script execution

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
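
The report above describes a remote string reaching system() through the action script, and the changelog replaces that call with an os_exec() helper. The following is an added example of that difference, not code from the messages, from the Debian patch or from upstream; run_action_system(), run_action_exec(), demo(), the /tmp script, the interface name and the event string are all constructed for illustration, and a POSIX system with /bin/sh is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern in the report: event text pasted into a line that /bin/sh parses. */
int run_action_system(const char *script, const char *ifname, const char *event)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof(cmd), "%s %s %s", script, ifname, event);
    if (n < 0 || (size_t)n >= sizeof(cmd))
        return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Shell-free form: fork + execv, so each value is exactly one argv entry. */
int run_action_exec(const char *script, const char *ifname, const char *event)
{
    char *const argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        execv(script, argv);
        _exit(127);                       /* exec itself failed */
    }
    if (pid < 0 || waitpid(pid, &st, 0) != pid)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed demo: stand-in script exits with its argument count ($#). */
int demo(int (*run)(const char *, const char *, const char *))
{
    char path[] = "/tmp/action_demo_XXXXXX";
    const char *event = "CONNECTED ; exit 9";   /* constructed sample */
    int fd = mkstemp(path);
    int ok = fd >= 0 && dprintf(fd, "#!/bin/sh\nexit $#\n") > 0 && fchmod(fd, 0700) == 0;
    if (fd >= 0)
        close(fd);
    int rc = ok ? run(path, "wlan0", event) : -1;
    unlink(path);
    return rc;
}

int main(void)
{
    return printf("system(): %d  execv(): %d\n", demo(run_action_system), demo(run_action_exec)) < 0;
}
```

With the constructed event, the system() variant returns 9 because the shell acted on the text after the separator, while the execv() variant returns 2 because the script received the whole event as a single argument.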
