Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 696030 - <net-wireless/wpa_supplicant-2.9-r1: multiple vulnerabilities (CVE-2019-{13377,16275})
Summary: <net-wireless/wpa_supplicant-2.9-r1: multiple vulnerabilities (CVE-2019-{1337...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2019-13377, CVE-2019-16275
  Show dependency tree
 
Reported: 2019-10-01 23:43 UTC by GLSAMaker/CVETool Bot
Modified: 2019-12-02 15:46 UTC (History)
1 user (show)

See Also:
Package list:
=net-wireless/wpa_supplicant-2.9-r1
Runtime testing required: Yes
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-10-01 23:43:48 UTC
CVE-2019-13377 (https://nvd.nist.gov/vuln/detail/CVE-2019-13377):
  The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x
  through 2.8 are vulnerable to side-channel attacks as a result of observable
  timing differences and cache access patterns when Brainpool curves are used.
  An attacker may be able to gain leaked information from a side-channel
  attack that can be used for full password recovery.

CVE-2019-16275 (https://nvd.nist.gov/vuln/detail/CVE-2019-16275):
  hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect
  indication of disconnection in certain situations because source address
  validation is mishandled. This is a denial of service that should have been
  prevented by PMF (aka management frame protection). The attacker must send a
  crafted 802.11 frame from a location that is within the 802.11
  communications range.
Comment 1 Rick Farina (Zero_Chaos) gentoo-dev 2019-11-04 16:34:21 UTC
2.9 has been in the tree a while.  I added the patch and stabled wpa_supplicant-2.9-r1 on amd64 and x86.  Please proceed.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-11-04 23:20:55 UTC
@arches, please stabilize.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-11-07 00:26:07 UTC
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-11-12 10:39:01 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-11-12 18:09:15 UTC
ppc stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-22 09:39:30 UTC
arm stable
Comment 7 Rick Farina (Zero_Chaos) gentoo-dev 2019-11-25 20:09:22 UTC
old and vulnerable removed, thanks all. Security, this bug is yours.