Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 696022 (CVE-2019-13377, CVE-2019-16275) - [TRACKER] hostapd/wpa_supplicant: multiple vulnerabilities (CVE-2019-{13377,16275})
Summary: [TRACKER] hostapd/wpa_supplicant: multiple vulnerabilities (CVE-2019-{13377,1...
Status: RESOLVED FIXED
Alias: CVE-2019-13377, CVE-2019-16275
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: Tracker
: 696024 696026 696028 (view as bug list)
Depends on: 696030 696032
Blocks:
  Show dependency tree
 
Reported: 2019-10-01 23:01 UTC by GLSAMaker/CVETool Bot
Modified: 2019-12-02 15:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-10-01 23:01:44 UTC 
CVE-2019-13377 (https://nvd.nist.gov/vuln/detail/CVE-2019-13377):
  The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x
  through 2.8 are vulnerable to side-channel attacks as a result of observable
  timing differences and cache access patterns when Brainpool curves are used.
  An attacker may be able to gain leaked information from a side-channel
  attack that can be used for full password recovery.

CVE-2019-16275 (https://nvd.nist.gov/vuln/detail/CVE-2019-16275):
  hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect
  indication of disconnection in certain situations because source address
  validation is mishandled. This is a denial of service that should have been
  prevented by PMF (aka management frame protection). The attacker must send a
  crafted 802.11 frame from a location that is within the 802.11
  communications range.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2019-10-01 23:05:34 UTC 
*** Bug 696024 has been marked as a duplicate of this bug. ***
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-01 23:14:25 UTC 
*** Bug 696028 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-01 23:15:04 UTC 
*** Bug 696026 has been marked as a duplicate of this bug. ***
Comment 4 Rick Farina (Zero_Chaos) gentoo-dev 2019-12-02 15:41:25 UTC 
Both dependent bugs are patched, stabilized, and cleaned up.  Everything that remains is for security.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-12-02 15:47:11 UTC 
buh-bye