CVE-2019-11555 (https://nvd.nist.gov/vuln/detail/CVE-2019-11555): The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
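The bug class described above (reassembly code that assumes a buffer exists whenever a non-first fragment arrives) is easy to model in isolation. The following is an added illustration, not hostapd or wpa_supplicant code: the message format, the `FRAG_FIRST` flag, `MAX_TOTAL` and the `handle_fragment` function are all hypothetical. The marked `st->buf == NULL` check is the kind of state validation whose absence turns an unexpected fragment into a NULL pointer dereference.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class described above (missing
 * validation of fragment reassembly state); this is not hostapd or
 * wpa_supplicant code and the message format is hypothetical. A first
 * fragment announces the total length and allocates the buffer; later
 * fragments append to it. The unexpected-fragment case is a continuation
 * fragment arriving while no reassembly is in progress. */

#define FRAG_FIRST 0x01   /* hypothetical flag: this fragment carries total_len */
#define MAX_TOTAL  4096   /* hypothetical upper bound on a reassembled message */

struct reassembly {
    uint8_t *buf;      /* NULL whenever no reassembly is in progress */
    size_t total;      /* total length announced by the first fragment */
    size_t received;   /* bytes accumulated so far */
};

void reassembly_reset(struct reassembly *st)
{
    free(st->buf);
    st->buf = NULL;
    st->total = 0;
    st->received = 0;
}

/* Returns 0 when the fragment was stored, -1 when it was rejected. */
int handle_fragment(struct reassembly *st, uint8_t flags, size_t total_len,
                    const uint8_t *data, size_t len)
{
    if (flags & FRAG_FIRST) {
        /* A new message restarts reassembly, discarding any partial one. */
        reassembly_reset(st);
        if (total_len == 0 || total_len > MAX_TOTAL || len > total_len)
            return -1;
        st->buf = malloc(total_len);
        if (st->buf == NULL)
            return -1;
        st->total = total_len;
    } else if (st->buf == NULL) {
        /* This is the state check whose absence leads to a NULL
         * dereference in the memcpy below: a continuation fragment with
         * nothing to continue is a protocol error, not an append. */
        return -1;
    }
    if (len > st->total - st->received) {
        /* Fragment overruns the announced length: drop the whole message. */
        reassembly_reset(st);
        return -1;
    }
    memcpy(st->buf + st->received, data, len);
    st->received += len;
    return 0;
}

/* Returns 1 once every announced byte has arrived, else 0. */
int reassembly_complete(const struct reassembly *st)
{
    return st->buf != NULL && st->received == st->total;
}

/* Feeds the handler a well-formed two-fragment message, then the failure
 * cases: a continuation fragment with no reassembly in progress, and a
 * fragment that overruns the announced length. Returns 1 if every step
 * behaved as intended. */
int demo(void)
{
    static const uint8_t part1[] = { 1, 2, 3 };   /* constructed payloads */
    static const uint8_t part2[] = { 4, 5 };
    struct reassembly st = { NULL, 0, 0 };
    int ok = 1;

    ok &= handle_fragment(&st, FRAG_FIRST, 5, part1, 3) == 0;
    ok &= handle_fragment(&st, 0, 0, part2, 2) == 0;
    ok &= reassembly_complete(&st);
    reassembly_reset(&st);

    /* unexpected fragment: rejected without touching the NULL buffer */
    ok &= handle_fragment(&st, 0, 0, part2, 2) == -1;
    ok &= st.buf == NULL;

    /* overrun: first fragment announces 2 bytes, the next brings 2 more */
    ok &= handle_fragment(&st, FRAG_FIRST, 2, part2, 2) == 0;
    ok &= handle_fragment(&st, 0, 0, part2, 2) == -1;
    ok &= st.buf == NULL;
    return ok;
}
```

The handler rejects a stray continuation fragment before any pointer is used, and resets the partial message on an overrun rather than leaving stale state behind, so a later fragment cannot find the buffer in an inconsistent condition either.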
@maintainer, please drop vulnerable.
(In reply to Aaron Bauman from comment #1)
> @maintainer, please drop vulnerable.

Nevermind, this still needs to be stabilized.
ACK, let's stabilize wpa_supplicant-2.8-r1
arm64 stable
x86 stable
ppc/ppc64 stable
This issue was resolved and addressed in GLSA 201908-25 at https://security.gentoo.org/glsa/201908-25 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arches
amd64 stable
arm stable
Vulnerables have been long dropped; sorry for forgetting to post that status here. This is security's bug now.
Repository is clean, all done!