An advisory has been issued today (February 25): https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt The patch is here and will be included in 2.10: https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch Like our last update, the issue affects P2P mode. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Patch available from upstreamWhiteboard: (none) => MGA8TOO, MGA7TOO
This has been assigned CVE-2021-27803: https://www.openwall.com/lists/oss-security/2021/02/27/1
Summary: wpa_supplicant new security issue (upstream 2021-1) => wpa_supplicant new security issue CVE-2021-27803
fix pushed in mga7/8: src: - wpa_supplicant-2.9-1.4.mga7 - wpa_supplicant-2.9-8.1.mga8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOOAssignee: bugsquad => qa-bugsVersion: Cauldron => 8Status comment: Patch available from upstream => (none)CC: (none) => mageia
RPMS list: wpa_supplicant-2.9-1.4.mga7 wpa_supplicant-gui-2.9-1.4.mga7 wpa_supplicant-2.9-8.1.mga8 wpa_supplicant-gui-2.9-8.1.mga8
AMD Phenom II X4, 8GB, Atheros wifi, 32-bit M7 Plasma system. Also, same hardware, 64-bit M8 Plasma system. Updated wpa_supplicant. No installation issues. Rebooted, just to make sure the updated package was the one being used. No issues noted on either install. Looks OK here. Validating for both.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: MGA7TOO => MGA7TOO MGA7-32-OK MGA8-64-OK
CC: (none) => ouaurelienWhiteboard: MGA7TOO MGA7-32-OK MGA8-64-OK => MGA7-32-OK MGA8-64-OKCVE: (none) => CVE-2021-27803
Whiteboard: MGA7-32-OK MGA8-64-OK => MGA7TOO MGA7-32-OK MGA8-64-OK
MGA8 x86_64 with Plasma and Intel AX200 for WiFi 6 chip Installing it over wpa_supplicant-2.9-8.mga8 using QA Repo. Success. WiFi runs well, connects correctly to a WPA2 protected Wireless Network Link is stable. and MGA7 x86_64 with Plasma and Intel 8260 WiFi 5 chip Installing it over wpa_supplicant-2.9-1.3.mga7 using QA Repo. Success. WiFi runs well, connects correctly to a WPA2 protected Wireless Network Link is stable.
Advisory: ======================== Updated wpa_ssupplicant packages fix security vulnerability: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range (CVE-2021-27803). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803 https://bugs.mageia.org/show_bug.cgi?id=28438 https://www.openwall.com/lists/oss-security/2021/02/27/1 https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt ======================== Updated packages in core/updates_testing: ======================== wpa_supplicant-2.9-1.4.mga7 wpa_supplicant-gui-2.9-1.4.mga7 wpa_supplicant-2.9-8.1.mga8 wpa_supplicant-gui-2.9-8.1.mga8 from SRPMS: wpa_supplicant-2.9-1.4.mga7 wpa_supplicant-2.9-8.1.mga8 Advisory commited to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0095.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Ubuntu has issued an advisory for this on March 3: https://ubuntu.com/security/notices/USN-4757-1