-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3662
                             wpa security update
                              30 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wpa
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Denial of Service       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16275 CVE-2019-13377

Reference:         ESB-2019.3537
                   ESB-2019.3522
                   ESB-2019.3123

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4538

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4538-1                   security@debian.org
https://www.debian.org/security/                       Yves-Alexis Perez
September 29, 2019                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2019-13377 CVE-2019-16275
Debian Bug     : 934180 940080

Two vulnerabilities were found in the WPA protocol implementation found in
wpa_supplicant (station) and hostapd (access point).

CVE-2019-13377

    A timing-based side-channel attack against WPA3's Dragonfly handshake
    when using Brainpool curves could be used by an attacker to retrieve
    the password.

CVE-2019-16275

    Insufficient source address validation for some received Management
    frames in hostapd could lead to a denial of service for stations
    associated to an access point. An attacker in radio range of the
    access point could inject a specially constructed unauthenticated
    IEEE 802.11 frame to the access point to cause associated stations to
    be disconnected and require a reconnection to the network.
For the oldstable distribution (stretch), these problems have been fixed
in version $stretch_VERSION.

For the stable distribution (buster), these problems have been fixed in
version 2:2.7+git20190128+0c1e29f-6+deb10u1.

We recommend that you upgrade your wpa packages.

For the detailed security status of wpa please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/wpa

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAl2QuGQACgkQ3rYcyPpX
RFtKAAf9Fv7lhUQD2TC7HjEavULALsOuku5mFLQTUygj1IwsTjWkhC4cGFNgrOho
xWqxSE1YP4LdtSLAo9btfSXPYPHhdlNthxHSu4HSkSasoXgFgrF0xQSxhRHABdMZ
MVH3+xpMKrwMk1UEIxtcYXpesN8N9+3wVv7I1tk3L+yL25EBxHHijt1SXpeBF6dw
ps7q5HaAxpwC9S2PtILvwsEs0ocHupbMTsJtkr0bsvOvg+gx40yQDZLQxZyR+xQZ
HZmMbH87ElCG9JuXlCSGdmdLIEH08i7Yy9JKTpPHg20jAo/KsOIygRF2B0rTmn9O
JdR8hkAiqGQ2lZiAcSJZio7ojLD5MQ==
=Agz+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXZF7QmaOgq3Tt24GAQhhOw/9HjefjQs4VUDxT/3OzOa0tj6fBvAewrnf
233V5y6iNz9u5DA0Buul70dWxzfGx3ne3cs3VXSoCSQ+KWRCWsW90tINjdbZYdAn
G9TvlyuwEPXl+CSCZHhnkWVgjhlko2PJ4XnJfkMlZLD12CnP3kSCrwMbuzDmhio3
0sCXs8JHx6vgE6GBFafp57F736hfD3DKqEL4JhNqiTd9ctqQevxMFXBOxG97i0sT
DyF5Kc9nnrKR1gPqpCwqTGTZCg2TtwWVSybM2lUo2dvt6zLpoyWyhUGG3BBPnd8f
rP1LHcPy/cJVc07mLOceKyChJPqIGu3Z03mTlr+D6LOeCul6HFBaATIJRT3cf38r
/+Z4doCmb7HtNSa/lGinfoH00UABHhivBEK5Y6W6Q21AFszNMdcz5MUE7ivxEf1B
PGqrfMmwsems3Ow1CYJ74nxoDOqMr4qaTvWgHKXLxoDPwYQHGsKlLuUrE1c9FTkg
JvI3z4/8EjT966oJyS/RpmzvOuSlzfU8pYOFA6AoYVeb9kowvETqZregVWUZtnKR
3DVznV4HenbJ8s4BXl5+zNSHIefEe9CMydndm4yGRJOvTdrnVF51iQQxwVnf8dMF
N2zljAVDhmSmgQoOqUT1yCaggnr0i4z/ut0uEbKe2M20loetg0lOsrvT1BW+DQsi
M7SupmGs3ys=
=LrPy
-----END PGP SIGNATURE-----