Hi,
* Stefan Lippers-Hollmann <s....@gmx.de> [2012-10-08 23:37]:
> On Monday 08 October 2012, Nico Golde wrote:
> > Package: wpa
> > Severity: grave
> > Tags: security patch
> >
> > Hi,
> > the following vulnerability was published for hostapd.
> >
> > CVE-2012-4445[0]:
> > | Timo Warns discovered that the internal authentication server of hostapd,
> > | a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
> > | is vulnerable to a buffer overflow when processing fragmented EAP-TLS
> > | messages. As a result, an internal overflow checking routine terminates
> > | the process. An attacker can abuse this flaw to conduct denial of service
> > | attacks via crafted EAP-TLS messages prior to any authentication.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > Please also ask for an unblock on -release after fixing this issue so it will
> > be picked up for wheezy.
> >
> > The patch I used for the DSA:
> > http://people.debian.org/~nion/nmu-diff/hostapd-0.6.10-2_0.6.10-2+squeeze1.patch
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
> > http://security-tracker.debian.org/tracker/CVE-2012-4445
>
> Thanks a lot, I found that one[1] after receiving the ftp-master accept
> already, I'll try to contact a potential sponsor for [2] within the
> next few hours.
Uploaded :)
Thanks!

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
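The advisory above concerns fragment reassembly of EAP-TLS messages. As an added illustration (not hostapd's code and not the DSA patch), the following is a reassembly routine in RFC 5216 framing that checks the announced TLS message length and the fragment payload against a fixed buffer before copying, so an oversize or inconsistent fragment is dropped instead of overflowing; `MAX_TLS_MSG`, `struct eap_tls_reasm` and `eap_tls_feed` are names assumed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not hostapd code: reassemble EAP-TLS fragments
 * (RFC 5216 framing) into a fixed buffer and reject any fragment that
 * would exceed the announced TLS message length or the buffer itself. */
#define EAP_TYPE_TLS   13
#define EAP_TLS_FLAG_L 0x80  /* TLS Message Length field present */
#define EAP_TLS_FLAG_M 0x40  /* more fragments follow */
#define MAX_TLS_MSG    4096  /* hypothetical reassembly buffer size */

struct eap_tls_reasm {
    uint8_t buf[MAX_TLS_MSG];
    size_t  expected;  /* total length announced in the first fragment */
    size_t  used;      /* bytes collected so far */
};

/* Returns 1 when the message is complete, 0 when more fragments are
 * expected, -1 when the fragment is rejected (state left untouched). */
int eap_tls_feed(struct eap_tls_reasm *r, const uint8_t *pkt, size_t len)
{
    if (len < 6 || pkt[4] != EAP_TYPE_TLS) return -1;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len != len) return -1;            /* EAP length must match */
    uint8_t flags = pkt[5];
    const uint8_t *data = pkt + 6;
    size_t dlen = len - 6;

    if (flags & EAP_TLS_FLAG_L) {
        if (dlen < 4 || r->used != 0) return -1; /* L only on first fragment */
        size_t tls_len = ((size_t)data[0] << 24) | ((size_t)data[1] << 16) |
                         ((size_t)data[2] << 8) | data[3];
        if (tls_len > MAX_TLS_MSG) return -1; /* can never fit: reject early */
        r->expected = tls_len;
        data += 4; dlen -= 4;
    } else if (r->used == 0 && (flags & EAP_TLS_FLAG_M)) {
        return -1; /* fragmented message without an announced total length */
    }
    /* The checks that prevent the overflow: compare before memcpy. */
    if (dlen > MAX_TLS_MSG - r->used) return -1;
    if (r->expected && r->used + dlen > r->expected) return -1;
    memcpy(r->buf + r->used, data, dlen);
    r->used += dlen;
    if (flags & EAP_TLS_FLAG_M) return 0;
    if (r->expected && r->used != r->expected) return -1;
    return 1;
}
```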