Your message dated Thu, 20 Jun 2024 18:47:45 +0000
with message-id <e1skmoz-00bu3i...@fasolo.debian.org>
and subject line Bug#1064061: fixed in wpa 2:2.9.0-21+deb11u1
has caused the Debian Bug report #1064061,
regarding wpa: CVE-2023-52160
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1064061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wpa
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for wpa.
CVE-2023-52160[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-52160
https://www.cve.org/CVERecord?id=CVE-2023-52160
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: wpa
Source-Version: 2:2.9.0-21+deb11u1
Done: Bastien Roucariès <ro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
wpa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated wpa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 30 Apr 2024 22:45:18 +0000
Source: wpa
Architecture: source
Version: 2:2.9.0-21+deb11u1
Distribution: bullseye
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <w...@packages.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1064061
Changes:
wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high
.
* Non-maintainer upload on behalf of the Security Team.
* Fix CVE-2023-52160 (Closes: #1064061):
The implementation of PEAP in wpa_supplicant allows
authentication bypass. For a successful attack,
wpa_supplicant must be configured to not verify
the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability
can then be abused to skip Phase 2 authentication.
The attack vector is sending an EAP-TLV Success packet
instead of starting Phase 2. This allows an adversary
to impersonate Enterprise Wi-Fi networks.
Checksums-Sha1:
98c686fc6d64966138bfba62f86c3a28b46d44d3 2750 wpa_2.9.0-21+deb11u1.dsc
7ab0feab3e76ec97f76f6f9729b0f6d160025332 100008
wpa_2.9.0-21+deb11u1.debian.tar.xz
13db589af495147884d3075b45894f0b9c5849ee 15334
wpa_2.9.0-21+deb11u1_amd64.buildinfo
Checksums-Sha256:
eeb694560127225218bc923e5ac0d5065522311e45d4d2e9de730541cb32577b 2750
wpa_2.9.0-21+deb11u1.dsc
44cd4f6983689ace4eba0ae142bd3fc6a72865b22a720aa421446715e14f1650 100008
wpa_2.9.0-21+deb11u1.debian.tar.xz
b133be59a02a2af58175e8a460fa2a80b51e9a0d0bb86742f22e9a11538a6218 15334
wpa_2.9.0-21+deb11u1_amd64.buildinfo
Files:
6a13e4995739b3282fbd30fb21318a48 2750 net optional wpa_2.9.0-21+deb11u1.dsc
e774e4612d40c0e593f6ca059d3e0322 100008 net optional
wpa_2.9.0-21+deb11u1.debian.tar.xz
7e1418080dee422f42debb9f1386c325 15334 net optional
wpa_2.9.0-21+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmZzUP0RHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF/IuQ//SEFIwpLfvPDnPnHk5WjerUdM/NNfboVg
6G0TdB0XVlUs9ZxvE/mtkHODeRhsaYmGW8/tIPTSZMtDoAa1jd51K8tKo9xozrD3
O8mMWZ2SbimW/HgwSvSjbDuGyhMeVozHDnLIJZJubC94kQxvaDv9QA0foZTK5HeN
awNBTV/k+0d3oXsWAJIH1NSHRKbzaWjIHQ0PykRF18WwrmsjCI4AlNRfchG/VxDc
D7QyJoEzhTSgTf9UcDVexxKsO55oBCAdEsYHkZIRm+fzQR6zv7dRYW6OfHPl2ZUY
g0C1EBf6F2xV5yrgoUi2huCWaJ+Dr54729Mu1zGh7emnp9HqrpBYPsOmjPsIHBhA
yQyv4vHrkirmaWOohmviuKquCcWuNWOrpQELRiBFG0ay3nB7+GyN5MBzcqY2trMK
mJ5zhDhdx3LKRG8g07J9iKBLWDpO6tFv0tO8psaxxfeL8o8QhyqzLVP94E5lsU/Y
0HZj6Mru4OuoeuuOPPRCV8MDx3XEFB6wTEN5+fWWuvXJkgXJqO002ft9SYdmZ7qH
ComFOR4bR05AFg0y/B8llwukhh1oiT9el3CxygIK6tcsHX9gqpa4MMHT6OiOG8kG
lCgcD6h1mLH+KY8caU8cT5xVUtbcMm3zfcqWgShfQadTuueQ6vTeZUErzMKAwusQ
1AfgavvsnmI=
=Mj7f
-----END PGP SIGNATURE-----
pgpeX1NaRmu6W.pgp
Description: PGP signature
--- End Message ---
