Your message dated Sun, 28 Apr 2024 21:50:25 +0000
with message-id <e1s1cph-001gg1...@fasolo.debian.org>
and subject line Bug#1064061: fixed in wpa 2:2.10-21.1
has caused the Debian Bug report #1064061,
regarding wpa: CVE-2023-52160
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1064061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wpa
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for wpa.
CVE-2023-52160[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-52160
https://www.cve.org/CVERecord?id=CVE-2023-52160
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 2:2.10-21.1
Done: Bastien Roucariès <ro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated wpa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 28 Apr 2024 21:07:32 +0000
Source: wpa
Architecture: source
Version: 2:2.10-21.1
Distribution: unstable
Urgency: medium
Maintainer: Debian wpasupplicant Maintainers <w...@packages.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1064061
Changes:
 wpa (2:2.10-21.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2023-52160 (Closes: #1064061):
     The implementation of PEAP in wpa_supplicant allows
     authentication bypass. For a successful attack,
     wpa_supplicant must be configured to not verify
     the network's TLS certificate during Phase 1
     authentication, and an eap_peap_decrypt vulnerability
     can then be abused to skip Phase 2 authentication.
     The attack vector is sending an EAP-TLV Success packet
     instead of starting Phase 2. This allows an adversary
     to impersonate Enterprise Wi-Fi networks.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
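The changelog above names the precondition for CVE-2023-52160: a wpa_supplicant configuration that does not verify the network's TLS certificate in Phase 1. The following audit sketch is an added example, not part of the bug report or the wpa package. It flags `network={...}` blocks that can negotiate PEAP without `ca_cert` or `ca_path`, relying on wpa_supplicant's documented behaviour that the server certificate is not verified when neither is set; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = '''
network={
    ssid="corp-unverified"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-anchored"
    key_mgmt=WPA-EAP
    eap=PEAP TTLS
    ca_cert="/etc/ssl/certs/corp-ca.pem"
}
network={
    ssid="any-method"
    key_mgmt=WPA-EAP
}
network={
    ssid="home"
    psk="constructed passphrase"
}
'''

BLOCK_RE = re.compile(r"^\s*network\s*=\s*\{(.*?)^\s*\}", re.S | re.M)

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets

def unverified_peap(text):
    """SSIDs of enterprise networks that may run PEAP with no trust anchor."""
    flagged = []
    for net in parse_networks(text):
        enterprise = re.search(r"WPA-EAP|IEEE8021X", net.get("key_mgmt", ""))
        # No eap= line: wpa_supplicant allows every compiled-in method.
        methods = net.get("eap", "PEAP").upper().split()
        # Without ca_cert/ca_path the server certificate is not verified.
        if enterprise and "PEAP" in methods and not {"ca_cert", "ca_path"} & net.keys():
            flagged.append(net.get("ssid", "<no ssid>"))
    return flagged
```
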