[SECURITY] [DLA 1462-1] wpa security update

2018-08-0911:09:13

lists.debian.org

6.5 Medium

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

3.3 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:L/Au:N/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

44.9%

JSON

Package : wpa
Version : 2.3-1+deb8u6
CVE ID : CVE-2018-14526
Debian Bug : 905739

The following vulnerability was discovered in wpa_supplicant.

CVE-2018-14526:
| An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0
| through 2.6. Under certain conditions, the integrity of EAPOL-Key
| messages is not checked, leading to a decryption oracle. An attacker
| within range of the Access Point and client can abuse the
| vulnerability to recover sensitive information.

For Debian 8 "Jessie", this problem has been fixed in version
2.3-1+deb8u6.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS.

Andrej Shadura

OSVersionArchitecturePackageVersionFilename
Debian9amd64wpasupplicant-udeb< 2:2.4-1+deb9u2wpasupplicant-udeb_2:2.4-1+deb9u2_amd64.deb
Debian8armhfhostapd< 1:2.3-1+deb8u6hostapd_1:2.3-1+deb8u6_armhf.deb
Debian9amd64wpagui< 2:2.4-1+deb9u2wpagui_2:2.4-1+deb9u2_amd64.deb
Debian9allwpa< 2:2.4-1+deb9u2wpa_2:2.4-1+deb9u2_all.deb
Debian9arm64wpasupplicant-dbgsym< 2:2.4-1+deb9u2wpasupplicant-dbgsym_2:2.4-1+deb9u2_arm64.deb
Debian9mips64elhostapd-dbgsym< 2:2.4-1+deb9u2hostapd-dbgsym_2:2.4-1+deb9u2_mips64el.deb
Debian8armelhostapd< 1:2.3-1+deb8u6hostapd_1:2.3-1+deb8u6_armel.deb
Debian9arm64wpasupplicant-udeb< 2:2.4-1+deb9u2wpasupplicant-udeb_2:2.4-1+deb9u2_arm64.deb
Debian9mips64elwpagui-dbgsym< 2:2.4-1+deb9u2wpagui-dbgsym_2:2.4-1+deb9u2_mips64el.deb
Debian9mipselwpasupplicant-dbgsym< 2:2.4-1+deb9u2wpasupplicant-dbgsym_2:2.4-1+deb9u2_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	amd64	wpasupplicant-udeb	< 2:2.4-1+deb9u2	wpasupplicant-udeb_2:2.4-1+deb9u2_amd64.deb
Debian	8	armhf	hostapd	< 1:2.3-1+deb8u6	hostapd_1:2.3-1+deb8u6_armhf.deb
Debian	9	amd64	wpagui	< 2:2.4-1+deb9u2	wpagui_2:2.4-1+deb9u2_amd64.deb
Debian	9	all	wpa	< 2:2.4-1+deb9u2	wpa_2:2.4-1+deb9u2_all.deb
Debian	9	arm64	wpasupplicant-dbgsym	< 2:2.4-1+deb9u2	wpasupplicant-dbgsym_2:2.4-1+deb9u2_arm64.deb
Debian	9	mips64el	hostapd-dbgsym	< 2:2.4-1+deb9u2	hostapd-dbgsym_2:2.4-1+deb9u2_mips64el.deb
Debian	8	armel	hostapd	< 1:2.3-1+deb8u6	hostapd_1:2.3-1+deb8u6_armel.deb
Debian	9	arm64	wpasupplicant-udeb	< 2:2.4-1+deb9u2	wpasupplicant-udeb_2:2.4-1+deb9u2_arm64.deb
Debian	9	mips64el	wpagui-dbgsym	< 2:2.4-1+deb9u2	wpagui-dbgsym_2:2.4-1+deb9u2_mips64el.deb
Debian	9	mipsel	wpasupplicant-dbgsym	< 2:2.4-1+deb9u2	wpasupplicant-dbgsym_2:2.4-1+deb9u2_mipsel.deb