Niels Thykier <ni...@thykier.net> (2019-04-15):
> Andrej Shadura:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock the package wpa.
> > 
> > This upload fixes a security vulnerability in WPA3-Personal and EAP 
> > (#926801):
> > 
> >  - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
> >  - CVE-2019-9495: EAP-pwd cache attack against ECC groups
> >  - CVE-2019-9496: SAE confirm missing state validation
> >  - CVE-2019-9497: EAP-pwd server not checking for reflection attack
> >  - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
> >  - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
> > 
> > For more details on the vulnerability itself, see:
> >  - https://w1.fi/security/2019-1/
> >  - https://w1.fi/security/2019-2/
> >  - https://w1.fi/security/2019-3/
> >  - https://w1.fi/security/2019-4/
> > 
> > Since the patches are quite big, you can check them here:
> >  - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
> >  - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/

Thanks, links appreciated given the amount of patches…

> > Erroneously not mentioned in the changelog, this upload also declares a
> > correct build dependency on libnl-3-dev.
> > 
> > unblock wpa/2:2.7+git20190128+0c1e29f-4
> 
> Thanks for filing this unblock.  From a RT PoV it looks fine and I
> have Cc'ed KiBi for a d-i ack before accepting it fully.

I think it'd be nice to have some tests on a real wireless adapter,
which I'll try to get to in the next days, because of the amount of
patching involved. That shouldn't stop you from letting the package
reach testing first though.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
