|Summary:|<net-wireless/hostapd-2.8 version bump|
|Product:|Gentoo Security|
|Reporter:|Manfred Knick <Manfred.Knick>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Severity:|normal|
|CC:|andrey_utkin, jstein, polynomial-c, zerochaos|
|Whiteboard:|A3 [glsa+ cleanup]|
|Package list:||
|Runtime testing required:|---|
|Bug Depends on:|688726|
Description Manfred Knick 2019-06-24 07:49:30 UTC
2019-04-21 New release for hostapd and wpa_supplicant
Comment 1 Manfred Knick 2019-06-24 07:52:07 UTC
Version 2.8 "fixes various security vulnerabilities and other bugs"
Comment 3 Andriy Utkin 2019-06-24 13:33:14 UTC
Pushed commit 8d054f705eea755094454959dcbe730a7f18ae34. Sorry for not ref'ing the bug in commit message. A nice bonus is that libressl support is not broken :) Not marking the bug as "resolved" because I don't know what is the workflow for security bugs.
Comment 4 Andriy Utkin 2019-06-25 22:20:34 UTC
Raised stablereq https://bugs.gentoo.org/688726

Dear Gentoo Security staff, I couldn't find any particular document describing stablereq-ing for security issue, so please amend the ticket as you see fit, maybe add SECURITY tag, or whatever.
Comment 5 Aaron Bauman 2019-08-11 01:04:40 UTC
@maintainer(s), please drop vulnerable
Comment 6 Andriy Utkin 2019-08-12 11:22:27 UTC
> @maintainer(s), please drop vulnerable

Got it now. However it was a coincidence that I paid attention to this message.

I actually came here interested in the title change:

"net-wireless/hostapd-2.8 version bump" -> "<net-wireless/hostapd-2.8 version bump"

bman, why change title? Isn't it confusing? Or is it a standard procedure for security bugs?
Comment 7 Larry the Git Cow 2019-08-12 17:35:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a121e13f9fc8b4e1ac5df754a4279a03d0b4e84

commit 8a121e13f9fc8b4e1ac5df754a4279a03d0b4e84
Author:     Andrey Utkin <email@example.com>
AuthorDate: 2019-08-12 17:33:26 +0000
Commit:     Andrey Utkin <firstname.lastname@example.org>
CommitDate: 2019-08-12 17:34:21 +0000

    net-wireless/hostapd: drop vulnerable old version 2.7

    Bug: https://bugs.gentoo.org/688588
    Package-Manager: Portage-2.3.66, Repoman-2.3.16
    Signed-off-by: Andrey Utkin <email@example.com>

 net-wireless/hostapd/Manifest | 1 -
 net-wireless/hostapd/hostapd-2.7-r2.ebuild | 266 -----------------------------
 2 files changed, 267 deletions(-)
Comment 8 Aaron Bauman 2019-08-12 22:41:18 UTC
(In reply to Andrey Utkin from comment #6)
> > @maintainer(s), please drop vulnerable
>
> Got it now. However it was a coincidence that I paid attention to this
> message.
>
> I actually came here interested in the title change:
>
> "net-wireless/hostapd-2.8 version bump" -> "<net-wireless/hostapd-2.8
> version bump"
>
> bman, why change title? Isn't it confusing? Or is it a standard procedure
> for security bugs?

Andrey, we always track by the bug summary what versions are vulnerable. < simply lets us know that.