Your message dated Wed, 15 Oct 2014 19:53:22 +0000
with message-id <e1xeudo-0000p2...@franck.debian.org>
and subject line Bug#765352: fixed in wpa 2.3-1
has caused the Debian Bug report #765352,
regarding wpa: arbitrary command execution via action scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
765352: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765352
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wpa
Severity: serious
Tags: security

Hi,
the following vulnerability was published for wpa. It affects both
wpa-supplicant and hostapd:

CVE-2014-3686[0]:
action script execution vulnerability

From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3686:
> Jouni Malinen discovered that a string supplied from a remote device could
> be supplied to a system() call in wpa_cli or hostapd_cli when running an
> action script (with the "-a" option), resulting in arbitrary command
> execution. This issue could also be triggered by an attacker within radio
> range.
> 
> Patches are available from the following:
> http://w1.fi/security/2014-1/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
    https://security-tracker.debian.org/tracker/CVE-2014-3686
    Please adjust the affected versions in the BTS as needed.


-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 2.3-1

We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Lippers-Hollmann <s....@gmx.de> (supplier of updated wpa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Oct 2014 21:29:37 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-de...@lists.alioth.debian.org>
Changed-By: Stefan Lippers-Hollmann <s....@gmx.de>
Description:
 hostapd    - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
 wpagui     - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 763775 765352
Changes:
 wpa (2.3-1) unstable; urgency=medium
 .
   * New upstream release:
     - fixed by the new upstream version:
       + wpa: arbitrary command execution via action scripts (Closes: #765352).
         wpasupplicant: fixed wpa_cli action script execution to use more
         robust mechanism (CVE-2014-3686).
         hostapd: fixed hostapd_cli action script execution to use more robust
         mechanism (CVE-2014-3686).
       + wpasupplicant: MAC addressing changing broken after updating to 2.2-1
         (Closes: #763775).
       + drop ap_config_c_fix-typo-for-capabilities, applied upstream.
     - backport "Include ieee802_11_common.c in wpa_supplicant build
       unconditionally" from HEAD, to fix a newly introduced FTBS on, at least,
       kfreebsd.
   * bump standards version to 3.9.6, no changes necessary.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
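
The bug class described in the report above, as an added example (not code from wpa_cli, hostapd_cli or this thread): a remote-supplied string pasted into a `system()` command line, next to the same string passed as a single argv element through `fork()`/`execv()`. The function names, the `script ifname event` argument layout, the `wlan0` interface, the `/bin/true` stand-in for an action script and the event text are all constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* "Before" pattern: the event text becomes part of a command line that
 * /bin/sh parses, so shell metacharacters in it are interpreted. */
int action_via_shell(const char *script, const char *ifname, const char *event)
{
    char cmd[256];
    int st, len = snprintf(cmd, sizeof(cmd), "%s %s %s", script, ifname, event);

    if (len < 0 || (size_t)len >= sizeof(cmd))
        return -1;                      /* refuse a truncated command */
    st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: no shell is involved; each value reaches the script
 * as exactly one argv element, whatever characters it contains. */
int action_via_exec(const char *script, const char *ifname, const char *event)
{
    char *const argv[] = { (char *)script, (char *)ifname, (char *)event, NULL };
    int st;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);
        _exit(127);                     /* reached only if execv failed */
    }
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed event text; "exit 7" is a harmless marker command. */
    const char *ev = "CONNECTED; exit 7";

    printf("system(): status %d\n", action_via_shell("/bin/true", "wlan0", ev));
    printf("execv():  status %d\n", action_via_exec("/bin/true", "wlan0", ev));
    return 0;
}
```

A non-zero status from the `system()` path means the shell ran text from the event as a command of its own; the `execv()` path reports only the script's own exit status.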
