CVEs have been assigned for the latest upstream advisory:
http://openwall.com/lists/oss-security/2016/05/03/2

The upstream advisory is here:
http://w1.fi/security/2016-1/psk-parameter-config-update.txt

Patches to fix the issue are in that same directory, and it will be fixed in 2.6.

We are not vulnerable in our default configuration, as update_config=1 is commented out in /etc/wpa_supplicant.conf.

Our hostapd package is not vulnerable at all as CONFIG_WPS is not enabled in our build.
Whiteboard: (none) => MGA5TOO
Assigning to maintainer (tmb)
CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => tmb
URL: (none) => http://lwn.net/Vulnerabilities/687592/
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated wpa_supplicant packages fix security vulnerabilities:

A vulnerability was found in how wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters either through a WPS operation (CVE-2016-4476) or through local configuration change over the wpa_supplicant control interface (CVE-2016-4477), the resulting configuration file may prevent the wpa_supplicant from starting when the updated file is used. In addition, it may be possible to load a local library file and execute code from there with the same privileges under which the wpa_supplicant process runs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4477
http://w1.fi/security/2016-1/psk-parameter-config-update.txt

========================

Updated packages in core/updates_testing:
========================
wpa_supplicant-2.3-3.1.mga5
wpa_supplicant-gui-2.3-3.1.mga5

from wpa_supplicant-2.3-3.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: tmb => qa-bugs
Whiteboard: MGA5TOO => (none)
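
A check for the condition discussed in this report: whether update_config=1 is active in a wpa_supplicant.conf, and whether a stored quoted passphrase line contains control characters or is left unterminated. This is an added example, not part of the bug thread or the upstream patches; audit_conf, SAMPLE_CONF and the sample file contents are constructed, and the unterminated-quote heuristic is an assumption about how an embedded newline appears in the written file.

```python
# Added example: audit a wpa_supplicant.conf for the condition in this report.
SAMPLE_CONF = (  # constructed sample, not from the bug report
    b"ctrl_interface=/var/run/wpa_supplicant\n"
    b"#update_config=1\n"
    b"update_config=1\n"
    b"network={\n"
    b'\tssid="example"\n'
    b'\tpsk="first-half\n'
    b'second-half"\n'
    b"}\n"
)


def audit_conf(data: bytes) -> dict:
    """Report whether config write-back is on and which psk lines look damaged."""
    findings = {"update_config_enabled": False, "suspect_psk_lines": []}
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.strip(b" \t")
        if line.startswith(b"#"):
            continue  # commented out, as in the default file described above
        if line == b"update_config=1":
            findings["update_config_enabled"] = True
        if line.startswith(b'psk="'):
            value = line[len(b'psk="'):]
            terminated = value.endswith(b'"')
            body = value[:-1] if terminated else value
            has_control = any(b < 0x20 or b == 0x7F for b in body)
            # Assumption: a newline inside the passphrase leaves the quoted
            # value unterminated on its own line in the written file.
            if not terminated or has_control:
                findings["suspect_psk_lines"].append(lineno)
    return findings


if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```

To audit a real host, pass the bytes of /etc/wpa_supplicant.conf read in binary mode; the reported line numbers are 1-based.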
Linksys WRT54G router, 32-bit system with BCM4318 wifi, already updated to the 4.4.9 kernel. Update installed cleanly, no issues. Rebooted into the 4.4.9 kernel, no issues noted. Secured wifi connection came up cleanly, did some browsing with Firefox 38. Rebooted into the 4.1.15 kernel, no issues noted. Secured wifi connection came up cleanly, did some browsing with Firefox 38.
CC: (none) => andrewsfarm
Whiteboard: (none) => has_procedure MGA5-32-OK
Testing complete mga5 64 with wpa2
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0199.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED