Your message dated Wed, 10 Apr 2019 21:20:31 +0000
with message-id <e1hekdz-000h3m...@fasolo.debian.org>
and subject line Bug#926801: fixed in wpa 2:2.7+git20190128+0c1e29f-4
has caused the Debian Bug report #926801,
regarding src:wpa: multiple vulnerabilities in SAE and EAP-pwd code in wpa
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:wpa
Severity: grave
Tags: security
Justification: user security hole

Hi,

multiple vulnerabilities were discovered in wpa:

CVE-2019-9494 [cache attack against SAE]
CVE-2019-9495 [cache attack against EAP-pwd]
CVE-2019-9496 [SAE confirm missing state validation in hostapd/AP]
CVE-2019-9497 [EAP-pwd server not checking for reflection attack]
CVE-2019-9498 [EAP-pwd server missing commit validation for scalar/element]
CVE-2019-9499 [EAP-pwd peer missing commit validation for scalar/element]

When you fix them, please include references to those CVEs in the
changelog.

Regards,
-- 
Yves-Alexis


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 2:2.7+git20190128+0c1e29f-4

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Apr 2019 19:00:22 +0200
Source: wpa
Architecture: source
Version: 2:2.7+git20190128+0c1e29f-4
Distribution: unstable
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <w...@packages.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 926801
Changes:
 wpa (2:2.7+git20190128+0c1e29f-4) unstable; urgency=high
 .
   * Apply security fixes (Closes: #926801):
     - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
     - CVE-2019-9495: EAP-pwd cache attack against ECC groups
     - CVE-2019-9496: SAE confirm missing state validation
     - CVE-2019-9497: EAP-pwd server not checking for reflection attack
     - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
     - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
 .
     For more details, see:
     - https://w1.fi/security/2019-1/
     - https://w1.fi/security/2019-2/
     - https://w1.fi/security/2019-3/
     - https://w1.fi/security/2019-4/
Checksums-Sha1:
 5456c87d021d278ecb99e0b88affc7447e7a8ed1 2312 wpa_2.7+git20190128+0c1e29f-4.dsc
 9cea2cc5f76eb412b524f4d06a6756c46793a4a6 100748 wpa_2.7+git20190128+0c1e29f-4.debian.tar.xz
Checksums-Sha256:
 8c7cc1abf2945f85dd2935fff8b6cfdb7d3058f2e116e18af2a24d22215a921e 2312 wpa_2.7+git20190128+0c1e29f-4.dsc
 d431bd4f6ed9cb68a63699af3686720e3adb64bb3d3ba0a1ada1fd5cb2853ad5 100748 wpa_2.7+git20190128+0c1e29f-4.debian.tar.xz
Files:
 0d0dd16b3e1311464fa95d3e688b5585 2312 net optional wpa_2.7+git20190128+0c1e29f-4.dsc
 63cbebc195dab44adc6ee03a8e362085 100748 net optional wpa_2.7+git20190128+0c1e29f-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
