Your message dated Thu, 18 Apr 2019 18:30:00 +0000
with message-id <39fe7ace-e148-e9d7-9e6d-2162e2535...@thykier.net>
and subject line Re: Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4
has caused the Debian Bug report #927111,
regarding unblock: wpa/2:2.7+git20190128+0c1e29f-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
927111: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock the package wpa.
This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):
- CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
- CVE-2019-9495: EAP-pwd cache attack against ECC groups
- CVE-2019-9496: SAE confirm missing state validation
- CVE-2019-9497: EAP-pwd server not checking for reflection attack
- CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
- CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
For more details on the vulnerability itself, see:
- https://w1.fi/security/2019-1/
- https://w1.fi/security/2019-2/
- https://w1.fi/security/2019-3/
- https://w1.fi/security/2019-4/
Since the patches are quite big, you can check them here:
-
https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
-
https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/
Erroneously not mentioned in the changelog, this upload also declares a correct
build dependency on libnl-3-dev.
unblock wpa/2:2.7+git20190128+0c1e29f-4
--
Cheers,
Andrej
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Niels Thykier <ni...@thykier.net> (2019-04-15):
>> Andrej Shadura:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian....@packages.debian.org
>>> Usertags: unblock
>>>
>>> Please unblock the package wpa.
>>>
>>> This upload fixes a security vulnerability in WPA3-Personal and EAP
>>> (#926801):
>>>
>>> - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
>>> - CVE-2019-9495: EAP-pwd cache attack against ECC groups
>>> - CVE-2019-9496: SAE confirm missing state validation
>>> - CVE-2019-9497: EAP-pwd server not checking for reflection attack
>>> - CVE-2019-9498: EAP-pwd server missing commit validation for
>>> scalar/element
>>> - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
>>>
>>> For more details on the vulnerability itself, see:
>>> - https://w1.fi/security/2019-1/
>>> - https://w1.fi/security/2019-2/
>>> - https://w1.fi/security/2019-3/
>>> - https://w1.fi/security/2019-4/
>>>
>>> Since the patches are quite big, you can check them here:
>>> -
>>> https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
>>> -
>>> https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/
>
> Thanks, links appreciated given the amount of patches…
>
>>> Erroneously not mentioned in the changelog, this upload also declares a
>>> correct
>>> build dependency on libnl-3-dev.
>>>
>>> unblock wpa/2:2.7+git20190128+0c1e29f-4
>>
>> Thanks for filing this unblock. From a RT PoV it looks fine and I
>> have Cc'ed KiBi for a d-i ack before accepting it fully.
>
> I think it'd be nice to have some tests on a real wireless adapter,
> which I'll try to get to in the next days, because of the amount of
> patching involved. That shouldn't stop you from letting the package
> reach testing first though.
>
>
> Cheers,
>
Ok, unblocked, thanks.
~Niels
--- End Message ---
