A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If
this parameter has been updated to include control characters, either
through a WPS operation (CVE-2016-4476) or through a local
configuration change over the wpa_supplicant control interface
(CVE-2016-4477), the resulting configuration file may prevent hostapd
and wpa_supplicant from starting when the updated file is used. In
addition, for wpa_supplicant, it may be possible to load a local
library file and execute code from there with the same privileges
under which the wpa_supplicant process runs.

For Debian 7 Wheezy, these problems have been fixed in version
1.0-3+deb7u4.

We recommend that you upgrade your wpa packages.
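
The kind of check that closes this class of bug, as an added example (not code from this advisory or from the hostapd/wpa_supplicant project): reject a passphrase that contains control characters before it is written to the configuration file. The function names, the `wpa_passphrase=` line format and the sample inputs are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Returns 1 if buf holds any ASCII control character (0x00-0x1f, 0x7f). */
static int contains_ctrl_char(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] == 0x7f)
            return 1;
    return 0;
}

/* Hypothetical writer with no validation: the pattern the advisory describes. */
int format_unchecked(char *out, size_t cap, const unsigned char *pw, size_t len)
{
    int n = snprintf(out, cap, "wpa_passphrase=%.*s\n", (int)len, (const char *)pw);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hypothetical hardened writer: length 8..63 and no control characters. */
int format_checked(char *out, size_t cap, const unsigned char *pw, size_t len)
{
    if (len < 8 || len > 63 || contains_ctrl_char(pw, len))
        return -1;
    return format_unchecked(out, cap, pw, len);
}

/* Counts the newline-terminated lines a config parser would see in text. */
int count_lines(const char *text)
{
    int lines = 0;
    for (; *text; text++)
        if (*text == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed inputs, not taken from any real network. */
    static const unsigned char good[] = "correct horse battery";
    static const unsigned char bad[] = "password1\nextra_key=value";
    char line[128];
    printf("good: %d\n", format_checked(line, sizeof(line), good, sizeof(good) - 1));
    printf("bad:  %d\n", format_checked(line, sizeof(line), bad, sizeof(bad) - 1));
    format_unchecked(line, sizeof(line), bad, sizeof(bad) - 1);
    printf("unchecked output spans %d lines\n", count_lines(line));
    return 0;
}
```

The passphrase is passed with an explicit length because a credential received over WPS is a byte string, so an embedded NUL has to be caught by the check rather than silently truncating the value.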