Bug 688588 - <net-wireless/hostapd-2.8 version bump
Summary: <net-wireless/hostapd-2.8 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://w1.fi/
Whiteboard: A3 [glsa+ cleanup]
Keywords:
Depends on: 688726
Blocks:
Reported: 2019-06-24 07:49 UTC by Manfred Knick
Modified: 2019-08-18 02:32 UTC

See Also:
Package list:
Runtime testing required: ---


Description Manfred Knick 2019-06-24 07:49:30 UTC
2019-04-21
New release for hostapd and wpa_supplicant
Comment 1 Manfred Knick 2019-06-24 07:52:07 UTC
Version 2.8 "fixes various security vulnerabilities and other bugs"
Comment 2 Jonas Stein gentoo-dev 2019-06-24 08:11:36 UTC
http://w1.fi/security/
Comment 3 Andriy Utkin (RETIRED) gentoo-dev 2019-06-24 13:33:14 UTC
Pushed commit 8d054f705eea755094454959dcbe730a7f18ae34.
Sorry for not ref'ing the bug in commit message.

A nice bonus is that libressl support is not broken :)

Not marking the bug as "resolved" because I don't know what is the workflow for security bugs.
Comment 4 Andriy Utkin (RETIRED) gentoo-dev 2019-06-25 22:20:34 UTC
Raised stablereq https://bugs.gentoo.org/688726

Dear Gentoo Security staff, I couldn't find any particular document describing stablereq-ing for security issue, so please amend the ticket as you see fit, maybe add SECURITY tag, or whatever.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-08-11 01:04:40 UTC
@maintainer(s), please drop vulnerable
Comment 6 Andriy Utkin (RETIRED) gentoo-dev 2019-08-12 11:22:27 UTC
> @maintainer(s), please drop vulnerable

Got it now. However it was a coincidence that I paid attention to this message.

I actually came here interested in the title change:

"net-wireless/hostapd-2.8 version bump" -> "<net-wireless/hostapd-2.8 version bump"

bman, why change title? Isn't it confusing? Or is it a standard procedure for security bugs?
Comment 7 Larry the Git Cow gentoo-dev 2019-08-12 17:35:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a121e13f9fc8b4e1ac5df754a4279a03d0b4e84

commit 8a121e13f9fc8b4e1ac5df754a4279a03d0b4e84
Author:     Andrey Utkin <andrey_utkin@gentoo.org>
AuthorDate: 2019-08-12 17:33:26 +0000
Commit:     Andrey Utkin <andrey_utkin@gentoo.org>
CommitDate: 2019-08-12 17:34:21 +0000

    net-wireless/hostapd: drop vulnerable old version 2.7
    
    Bug: https://bugs.gentoo.org/688588
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>

 net-wireless/hostapd/Manifest              |   1 -
 net-wireless/hostapd/hostapd-2.7-r2.ebuild | 266 -----------------------------
 2 files changed, 267 deletions(-)
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-08-12 22:41:18 UTC
(In reply to Andrey Utkin from comment #6)
> > @maintainer(s), please drop vulnerable
> 
> Got it now. However it was a coincidence that I paid attention to this
> message.
> 
> I actually came here interested in the title change:
> 
> "net-wireless/hostapd-2.8 version bump" -> "<net-wireless/hostapd-2.8
> version bump"
> 
> bman, why change title? Isn't it confusing? Or is it a standard procedure
> for security bugs?

Andrey, we always track by the bug summary what versions are vulnerable. < simply lets us know that.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:32:07 UTC
This issue was resolved and addressed in
 GLSA 201908-25 at https://security.gentoo.org/glsa/201908-25
by GLSA coordinator Aaron Bauman (b-man).