Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 688588 - <net-wireless/hostapd-2.8 version bump
Summary: <net-wireless/hostapd-2.8 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://w1.fi/
Whiteboard: A3 [glsa+ cleanup]
Keywords:
Depends on: 688726
Blocks:
  Show dependency tree
 
Reported: 2019-06-24 07:49 UTC by Manfred Knick
Modified: 2019-08-18 02:32 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Manfred Knick 2019-06-24 07:49:30 UTC
2019-04-21
New release for hostapd and wpa_supplicant
Comment 1 Manfred Knick 2019-06-24 07:52:07 UTC
Version 2.8 "fixes various security vulnerabilities and other bugs"
Comment 2 Jonas Stein gentoo-dev 2019-06-24 08:11:36 UTC
http://w1.fi/security/
Comment 3 Andriy Utkin (RETIRED) gentoo-dev 2019-06-24 13:33:14 UTC
Pushed commit 8d054f705eea755094454959dcbe730a7f18ae34.
Sorry for not ref'ing the bug in commit message.

A nice bonus is that libressl support is not broken :)

Not marking the bug as "resolved" because I don't know what is the workflow for security bugs.
Comment 4 Andriy Utkin (RETIRED) gentoo-dev 2019-06-25 22:20:34 UTC
Raised stablereq https://bugs.gentoo.org/688726

Dear Gentoo Security staff, I couldn't find any particular document describing stablereq-ing for security issue, so please amend the ticket as you see fit, maybe add SECURITY tag, or whatever.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-08-11 01:04:40 UTC
@maintainer(s), please drop vulnerable
Comment 6 Andriy Utkin (RETIRED) gentoo-dev 2019-08-12 11:22:27 UTC
> @maintainer(s), please drop vulnerable

Got it now. However it was a coincidence that I paid attention to this message.

I actually came here interested in the title change:

"net-wireless/hostapd-2.8 version bump" -> "<net-wireless/hostapd-2.8 version bump"

bman, why change title? Isn't it confusing? Or is it a standard procedure for security bugs?
Comment 7 Larry the Git Cow gentoo-dev 2019-08-12 17:35:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a121e13f9fc8b4e1ac5df754a4279a03d0b4e84

commit 8a121e13f9fc8b4e1ac5df754a4279a03d0b4e84
Author:     Andrey Utkin <andrey_utkin@gentoo.org>
AuthorDate: 2019-08-12 17:33:26 +0000
Commit:     Andrey Utkin <andrey_utkin@gentoo.org>
CommitDate: 2019-08-12 17:34:21 +0000

    net-wireless/hostapd: drop vulnerable old version 2.7
    
    Bug: https://bugs.gentoo.org/688588
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>

 net-wireless/hostapd/Manifest              |   1 -
 net-wireless/hostapd/hostapd-2.7-r2.ebuild | 266 -----------------------------
 2 files changed, 267 deletions(-)
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-08-12 22:41:18 UTC
(In reply to Andrey Utkin from comment #6)
> > @maintainer(s), please drop vulnerable
> 
> Got it now. However it was a coincidence that I paid attention to this
> message.
> 
> I actually came here interested in the title change:
> 
> "net-wireless/hostapd-2.8 version bump" -> "<net-wireless/hostapd-2.8
> version bump"
> 
> bman, why change title? Isn't it confusing? Or is it a standard procedure
> for security bugs?

Andrey, we always track by the bug summary what versions are vulnerable. < simply let's us know that.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:32:07 UTC
This issue was resolved and addressed in
 GLSA 201908-25 at https://security.gentoo.org/glsa/201908-25
by GLSA coordinator Aaron Bauman (b-man).