Bug 47571 - wpa: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
P3 normal
UCS 4.2-4-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2018-08-10 17:57 CEST by Quality Assurance
Modified: 2018-08-15 16:20 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.3 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2018-08-10 17:57:13 CEST
New Debian wpa 2.3-1+deb8u6A~4.2.4.201808101752 fixes:
This update addresses the following issue:
CVE_2017-13084 is open
* An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive information. (CVE-2018-14526)

2.3-1+deb8u6 (Thu, 09 Aug 2018 09:59:11 +0200)
  * SECURITY UPDATE:
    - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
* CVE-2018-14526 wpa_supplicant: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526)
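
The rule named in the changelog entry above ("Ignore unauthenticated encrypted EAPOL-Key data"), as an added C example that is not part of this bug report and is not wpa_supplicant's own code. The helper name `classify_eapol_key`, the verdict enum and the sample frames are constructed for illustration; the flag bit positions are those of the IEEE 802.11 EAPOL-Key Key Information field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key Information bits of the IEEE 802.11 EAPOL-Key descriptor. */
#define KEY_INFO_MIC            0x0100u  /* bit 8: Key MIC field is present */
#define KEY_INFO_ENCR_KEY_DATA  0x1000u  /* bit 12: Key Data is encrypted */
#define EAPOL_HDR_LEN   4   /* version, type, 2-byte body length */
#define EAPOL_TYPE_KEY  3
#define KEY_DESC_RSN    2   /* descriptor type used by WPA2/RSN */

enum verdict { NOT_EAPOL_KEY, OK_TO_PROCESS, DROP_UNAUTHENTICATED };

/* Classify a raw EAPOL frame (hypothetical helper, assumption of this example). */
enum verdict classify_eapol_key(const uint8_t *frame, size_t len)
{
    /* Need the EAPOL header plus descriptor type and Key Information. */
    if (frame == NULL || len < EAPOL_HDR_LEN + 3)
        return NOT_EAPOL_KEY;
    if (frame[1] != EAPOL_TYPE_KEY || frame[4] != KEY_DESC_RSN)
        return NOT_EAPOL_KEY;

    /* Key Information is 16 bits, big-endian, right after the descriptor type. */
    uint16_t key_info = (uint16_t)((frame[5] << 8) | frame[6]);

    /* Encrypted Key Data with no MIC flag: nothing authenticates the
     * ciphertext, so decrypting it would act on unauthenticated input. */
    if ((key_info & KEY_INFO_ENCR_KEY_DATA) && !(key_info & KEY_INFO_MIC))
        return DROP_UNAUTHENTICATED;
    return OK_TO_PROCESS;
}

/* Constructed sample frames, truncated after the Key Information field. */
static const uint8_t sample_msg3[]   = { 0x02, 0x03, 0x00, 0x5f, 0x02, 0x13, 0xca };
static const uint8_t sample_no_mic[] = { 0x02, 0x03, 0x00, 0x5f, 0x02, 0x10, 0x0a };
static const uint8_t sample_msg1[]   = { 0x02, 0x03, 0x00, 0x5f, 0x02, 0x00, 0x8a };

int main(void)
{
    printf("msg3 (MIC + encrypted): %d\n",
           classify_eapol_key(sample_msg3, sizeof sample_msg3));
    printf("encrypted, no MIC:      %d\n",
           classify_eapol_key(sample_no_mic, sizeof sample_no_mic));
    printf("msg1 (plaintext):       %d\n",
           classify_eapol_key(sample_msg1, sizeof sample_msg1));
    return 0;
}
```
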
Comment 1 Quality Assurance univentionstaff 2018-08-10 18:53:50 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/wpa_2.3-1+deb8u5A~4.2.3.201801251012.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/wpa_2.3-1+deb8u6A~4.2.4.201808101752.dsc
@@ -1,8 +1,14 @@
-2.3-1+deb8u5A~4.2.3.201801251012 [Thu, 25 Jan 2018 10:27:14 +0100] Univention builddaemon <buildd@univention.de>:
+2.3-1+deb8u6A~4.2.4.201808101752 [Fri, 10 Aug 2018 17:57:19 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     eapol_test
     eapol_test
+
+2.3-1+deb8u6 [Thu, 09 Aug 2018 09:59:11 +0200] Andrej Shadura <andrewsh@debian.org>:
+
+  * SECURITY UPDATE:
+    - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
+      (Closes: #905739)
 
 2.3-1+deb8u5 [Sat, 14 Oct 2017 14:11:26 +0200] Yves-Alexis Perez <corsac@debian.org>:
 
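Review bot: the added 2.3-1+deb8u6 changelog entry names only CVE-2018-14526, while the bug is titled "Multiple issues" and its description lists CVE_2017-13084 as open; the errata announcement should claim only CVE-2018-14526 as fixed by this build. Separately, the unchanged context lists the applied patch eapol_test twice, which looks like a duplicate entry in the auto-build changelog and is worth checking against the patch set.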

<http://10.200.17.11/4.2-4/#1879963446397312206>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 19:40:10 CEST
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 3ab324ba74 Bug #47571: wpa 2.3-1+deb8u6A~4.2.4.201808101752
 doc/errata/staging/wpa.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

[4.2-4] 6f00b4b11d Bug #47571: wpa 2.3-1+deb8u6A~4.2.4.201808101752
 doc/errata/staging/wpa.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:20:56 CEST
<http://errata.software-univention.de/ucs/4.2/486.html>