Your message dated Thu, 16 Oct 2014 20:50:02 +0200 with message-id <20141016185002.gn3...@betterave.cristau.org> and subject line Re: Bug#765631: unblock/ age to 5 days: wpa/2.3-1 (CVE-2014-3686, DSA-3052-1) has caused the Debian Bug report #765631, regarding unblock/ age to 5 days: wpa/2.3-1 (CVE-2014-3686, DSA-3052-1) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
765631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765631
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: debian-b...@lists.debian.org

Hi

Please unblock the udeb producing package wpa and reduce its propagation time to 5 days. wpa 2.3-1 has been successfully built and uploaded on all release architectures.

wpa <= 2.3-1 is vulnerable to a remotely exploitable security bug, which might allow attackers to inject an unsanitized string received from a remote device (potentially any device in radio range) to a privileged (typically root or netdev) system() call via wpa_cli/ hostapd_cli action scripts.

CVE-2014-3686 https://security-tracker.debian.org/tracker/CVE-2014-3686
DSA-3052-1 https://www.debian.org/security/2014/dsa-3052
#765352 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765352

For debian-boot/ the upcoming stable point release (wheezy 7.7): wpasupplicant-udeb, as used by d-i, does not contain the exploitable binary (wpa_cli), which is only part of the full wpasupplicant/ hostapd packages (these are already fixed via debian-security). Accordingly d-i's usage of wpa_supplicant is not susceptible to this security issue.

This is a new upstream version of wpa containing further changes and features of wpa's stable integration branch[1], rather than a targeted fix.

unblock wpa/2.3-1

Regards
Stefan Lippers-Hollmann

[1] wpa 2.x is a continuous integration branch for bugfixes and new features, rather than a dedicated bugfix branch in the sense of PostgreSQL or the linux kernel.
--- End Message ---
--- Begin Message ---
On Thu, Oct 16, 2014 at 20:33:53 +0200, Stefan Lippers-Hollmann wrote:

> Package: release.debian.org
> User: release.debian....@packages.debian.org
> Usertags: unblock
> Severity: normal
> X-Debbugs-CC: debian-b...@lists.debian.org
>
> Hi
>
> Please unblock the udeb producing package wpa and reduce its
> propagation time to 5 days. wpa 2.3-1 has been successfully built and
> uploaded on all release architectures.
>
Aged, thanks for the notice!

Cheers,
Julien
--- End Message ---