| Summary: | <net-wireless/wpa_supplicant-2.4: action script execution vulnerability (CVE-2014-3686) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gurligebis, jj, zerochaos |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/10/09/28 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-10-10 08:49:42 UTC
This is fixed in 2.3 - I have bumped wpa_supplicant to this version.

It needs to be stabilized on these archs before we can remove the old versions: amd64, arm, ppc, ppc64, x86

(In reply to Bjarke Istrup Pedersen from comment #1)
> This is fixed in 2.3 - I have bumped wpa_supplicant to this version.
>
> It needs to be stabilized on these archs before we can remove the old
> versions: amd64, arm, ppc, ppc64, x86

Are you ready for stabilization, or do you need more testing?

Let's go for stable - being able to remove the older versions would clean up a few things for both hostapd and wpa_supplicant.

CVE-2014-3686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3686):
wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame.

(In reply to Bjarke Istrup Pedersen from comment #3)
> Let's go for stable - being able to remove the older versions would clean up
> a few things for both hostapd and wpa_supplicant.

What's hampering stabilization? wpa_supplicant-2.3-r1 has been in the tree for ages.

> What's hampering stabilization? wpa_supplicant-2.3-r1 has been in the tree for
> ages.

FWIW, I just updated to 2.3-r2 and systemd will no longer actually start wpa_supplicant (though it tries and fails for unknown reasons).

I'm downgrading to 2.3, which seemed to work properly for me. (2.3-r1 is no longer in portage AFAICT.)

(In reply to walt from comment #6)
> I'm downgrading to 2.3, which seemed to work properly for me. (2.3-r1 is no
> longer in portage AFAICT.)

That didn't fix it, and neither did downgrading systemd to 218-r2, which also was updated yesterday. I'll keep looking.

Being stabilized in Bug #543790

(In reply to Yury German from comment #8)
> Being stabilized in Bug #543790

It seems we have to stabilize 2.4.

The version 2.4 is in the tree. Please advise when ready to go stable or call for stabilization yourself.

*** Bug 547162 has been marked as a duplicate of this bug. ***

Let's go with 2.4 now, so we can get this fixed.

Arches, please test and mark stable:
=net-wireless/wpa_supplicant-2.4
Target Keywords : "amd64 arm ppc ppc64 x86"
Thank you!

Stable for PPC64.

amd64 stable

x86 stable

ppc stable

Target stable version has been changed to 2.4-r1 due to bug #547492.

arm stable

Security, please remove all older versions of wpa_supplicant when you are ready.

Arches, thank you for your work.

GLSA Vote: yes

+ 28 Apr 2015; Mikle Kolyada <zlogene@gentoo.org> -wpa_supplicant-2.0-r2.ebuild,
+ -wpa_supplicant-2.2-r1.ebuild:
+ Drop unsecure versions

GLSA Vote: Yes

New request filed

This issue was resolved and addressed in GLSA 201606-17 at https://security.gentoo.org/glsa/201606-17 by GLSA coordinator Aaron Bauman (b-man).
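The NVD text quoted in the thread gives two things a practitioner needs to check: the affected upstream range (0.7.2 through 2.2) and the precondition that wpa_cli or hostapd_cli is run with an action script (`-a`). The POSIX shell snippet below is an added example, not code from the bug thread, from Gentoo's tooling, or from the wpa_supplicant project: it compares a Gentoo-style version string (with its `-rN` revision stripped, since the revision does not change the upstream release) against that range, and on a live host lists wpa_cli/hostapd_cli processes started with `-a`. The function names, the sample version list and the `equery` invocation in the closing comment are this example's own assumptions; pre-release suffixes such as `_rc1` are not handled.

```shell
#!/bin/sh
# Added example (not from the bug thread or Gentoo tooling): decide whether a
# wpa_supplicant/hostapd version string falls in the CVE-2014-3686 range that
# NVD gives, 0.7.2 through 2.2 inclusive, and spot the wpa_cli/hostapd_cli
# action-script mode (-a) that the advisory names as the precondition.
# Assumptions: plain dotted numeric upstream versions, optionally with a Gentoo
# "-rN" revision; pre-release suffixes such as _rc1 are not handled.

# strip_gentoo_rev VERSION: drop a trailing "-rN"; the revision only changes
# the ebuild, not the upstream release, so 2.2-r1 is still upstream 2.2.
strip_gentoo_rev() {
    printf '%s\n' "$1" | sed 's/-r[0-9]*$//'
}

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B, comparing dotted components
# numerically and treating a missing component as 0 (so 2.2 == 2.2.0).
vercmp() {
    vc_a=$(strip_gentoo_rev "$1")
    vc_b=$(strip_gentoo_rev "$2")
    vc_i=1
    while :; do
        vc_ca=$(printf '%s\n' "$vc_a" | awk -F. -v i="$vc_i" '{ print $i }')
        vc_cb=$(printf '%s\n' "$vc_b" | awk -F. -v i="$vc_i" '{ print $i }')
        if [ -z "$vc_ca" ] && [ -z "$vc_cb" ]; then
            printf '%s\n' 0
            return 0
        fi
        vc_ca=${vc_ca:-0}
        vc_cb=${vc_cb:-0}
        if [ "$vc_ca" -lt "$vc_cb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$vc_ca" -gt "$vc_cb" ]; then printf '%s\n' 1; return 0; fi
        vc_i=$((vc_i + 1))
    done
}

# is_affected VERSION: succeed (exit 0) when 0.7.2 <= VERSION <= 2.2.
is_affected() {
    [ "$(vercmp "$1" 0.7.2)" -ge 0 ] && [ "$(vercmp "$1" 2.2)" -le 0 ]
}

# action_script_processes: on a live host, list wpa_cli/hostapd_cli processes
# started with -a, i.e. the configuration in which the bug is reachable.
# Nothing is printed when none are running (or when ps is unavailable).
action_script_processes() {
    ps -eo args 2>/dev/null | grep -E '^([^ ]*/)?(wpa_cli|hostapd_cli) .*-a ' || true
}

# Demonstration on constructed version strings covering the thread's versions.
for v in 0.7.1 0.7.2 2.0-r2 2.2-r1 2.3 2.3-r2 2.4 2.4-r1; do
    if is_affected "$v"; then
        printf '%-8s affected (CVE-2014-3686 range)\n' "$v"
    else
        printf '%-8s not in the affected range\n' "$v"
    fi
done

# On a Gentoo host the installed version can be fed in the same way, e.g.
# (assumed invocation, not exercised here):
#   is_affected "$(equery -q list net-wireless/wpa_supplicant | sed 's#.*/wpa_supplicant-##')"
# and action_script_processes shows whether the -a precondition is met at all.
```

Being inside the version range is necessary but not sufficient: the advisory text ties the bug to the action-script mode, so a host running a fixed version with `-a` is fine, and a host on 2.2 that never runs wpa_cli or hostapd_cli with `-a` has no reachable path for the crafted frame, though it should still be upgraded.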