Upstream has issued an advisory today (October 16):
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Patches are available at:
https://w1.fi/security/2017-1/
but it sounds like it might be better to update to 2.7 when available.
Mageia 5 and Mageia 6 are also affected.
CC: (none) => tmb
Whiteboard: (none) => MGA6TOO, MGA5TOO
Full story here: https://www.krackattacks.com/
From what I can read, this is a pretty major issue.
Severity: normal => major
Priority: Normal => High
URL: (none) => https://www.krackattacks.com/
(In reply to Frédéric Buclin from comment #1)
> Full story here: https://www.krackattacks.com/
>
> From what I can read, this is a pretty major issue.
Assigning to the registered maintainer.
CC'ing the last ones who pushed those two packages.
CC: (none) => cjw, guillomovitch, marja11
Assignee: bugsquad => tmb
Ubuntu has issued an advisory for this today (October 16): https://usn.ubuntu.com/usn/usn-3455-1/
Yeah, I'll go fix this tonight. This is one of the security issues that will take years (if ever) to get fixed everywhere considering how much wpa2 enabled hw is out there
Cauldron fixed as hostapd/wpa_supplicant-2.6-3.mga7
Mga6 is fixed as of: hostapd/wpa_supplicant-2.6-1.1.mga6 currently in testing
Mga5 is still WIP...
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Built so far:
wpa_supplicant-2.6-1.1.mga6
wpa_supplicant-gui-2.6-1.1.mga6
hostapd-2.6-1.1.mga6
from SRPMS:
wpa_supplicant-2.6-1.1.mga6.src.rpm
hostapd-2.6-1.1.mga6.src.rpm
(In reply to David Walser from comment #6)
> Built so far:
> wpa_supplicant-2.6-1.1.mga6
> wpa_supplicant-gui-2.6-1.1.mga6
> hostapd-2.6-1.1.mga6
>
> from SRPMS:
> wpa_supplicant-2.6-1.1.mga6.src.rpm
> hostapd-2.6-1.1.mga6.src.rpm
CC'ing QA team leaders/representatives, in case they want their team to already start testing.
@ QA team leaders/representatives
This is about the WPA2 vulnerability everybody talks about https://www.krackattacks.com/
(Btw, https://wiki.mageia.org/en/Org_Council needs to be updated for all teams, sorry if I don't remember who replaces MrsB :-( )
CC: (none) => davidwhodgins, lewyssmith, wilcal.int
I have built the wpa_supplicant-2.6-1.1.mga6.src.rpm and hostapd-2.6-1.1.mga6.src.rpm on MGA5-x86 without problem. Unfortunately the machine has no wireless card so cannot test whether they work. (It starts but then complains about no wireless).
CC: (none) => unruh
{wpa_supplicant,hostapd}-2.6-3.mga7 also built fine on my MGA5 system.
Works fine on one system I have wireless ssh access to.
# systemctl status wpa_supplicant.service
● wpa_supplicant.service - WPA Supplicant daemon
   Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-10-18 00:06:41 EDT; 3min 29s ago
 Main PID: 1912 (wpa_supplicant)
   CGroup: /system.slice/wpa_supplicant.service
           └─1912 /usr/sbin/wpa_supplicant -u -P /run/wpa_supplicant.pid -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant.conf
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
For hostapd, just confirmed that the update installs cleanly over the prior version.
I decided to upgrade Mageia 5 to 2.6 too, as other good / possibly security related fixes have happened between 2.3 and 2.6, so for mga5 the rpms now are:
wpa_supplicant-2.6-1.mga5
wpa_supplicant-gui-2.6-1.mga5
hostapd-2.6-1.mga5
from SRPMS:
wpa_supplicant-2.6-1.mga5.src.rpm
hostapd-2.6-1.mga5.src.rpm
As for testing, at least wpa_supplicant needs to be tested with wireless hw connected to wpa2 encrypted networks.
So simply install, reboot (to ensure no transient issues) and connect to wireless and confirm it still works.
There are afaik not many users of hostapd, so confirming it installs is ok.
Assignee: tmb => qa-bugs
Just installed wpa_supplicant. Wireless connection is OK.
/sbin/route
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         box             0.0.0.0         UG    35     0        0 wlp2s0
link-local      0.0.0.0         255.255.0.0     U     35     0        0 wlp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     35     0        0 wlp2s0
uname -a
Linux Zenbook.yves 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
rpm -qa|grep wpa
wpa_supplicant-gui-2.6-1.1.mga6
wpa_supplicant-2.6-1.1.mga6
CC: (none) => yves.brungard_mageia
Testing complete mga5 64 - as comment 12. Suggest moving this one on.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK mga5-64-ok
Still need the advisory. Validating the update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Installed wpa_supplicant-2.6-1.1mga6 on Dell xps13 running mga6. The installation stalled for about 20 sec after removing the previous version before returning to the bash prompt, with the cpu running at close to 100% during that time. Got the comment about /home existing and not a directory (it is actually a link to /local/home). Killed previously running wpa_supplicant and reconnected to a wpa2 DLink router without problem using NetworkCenter. Rebooted and again connected without problem to NetworkCenter.
advisory, also added to svn:
subject: Updated wpa_supplicant and hostapd packages fix security vulnerabilities
CVE:
 - CVE-2017-13077
 - CVE-2017-13078
 - CVE-2017-13079
 - CVE-2017-13080
 - CVE-2017-13081
 - CVE-2017-13082
 - CVE-2017-13086
 - CVE-2017-13087
 - CVE-2017-13088
src:
  5:
   core:
     - hostapd-2.6-1.mga5
     - wpa_supplicant-2.6-1.mga5
  6:
   core:
     - hostapd-2.6-1.1.mga6
     - wpa_supplicant-2.6-1.1.mga6
description: |
  Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
  handled WPA2. A remote attacker could use this issue with key
  reinstallation attacks to obtain sensitive information. (CVE-2017-13077,
  CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
  CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=21879
 - https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0379.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED