-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3662
                            wpa security update
                             30 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wpa
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16275 CVE-2019-13377 

Reference:         ESB-2019.3537
                   ESB-2019.3522
                   ESB-2019.3123

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4538

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4538-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 29, 2019                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2019-13377 CVE-2019-16275
Debian Bug     : 934180 940080

Two vulnerabilities were found in the WPA protocol implementation found in
wpa_supplicant (station) and hostapd (access point).

CVE-2019-13377

    A timing-based side-channel attack against WPA3's Dragonfly handshake when
    using Brainpool curves could be used by an attacker to retrieve the
    password.

CVE-2019-16275

    Insufficient source address validation for some received Management frames
    in hostapd could lead to a denial of service for stations associated to an
    access point. An attacker in radio range of the access point could inject a
    specially constructed unauthenticated IEEE 802.11 frame to the access point
    to cause associated stations to be disconnected and require a reconnection
    to the network.

For the oldstable distribution (stretch), these problems have been fixed
in version $stretch_VERSION.

For the stable distribution (buster), these problems have been fixed in
version 2:2.7+git20190128+0c1e29f-6+deb10u1.

We recommend that you upgrade your wpa packages.

For the detailed security status of wpa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpa

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAl2QuGQACgkQ3rYcyPpX
RFtKAAf9Fv7lhUQD2TC7HjEavULALsOuku5mFLQTUygj1IwsTjWkhC4cGFNgrOho
xWqxSE1YP4LdtSLAo9btfSXPYPHhdlNthxHSu4HSkSasoXgFgrF0xQSxhRHABdMZ
MVH3+xpMKrwMk1UEIxtcYXpesN8N9+3wVv7I1tk3L+yL25EBxHHijt1SXpeBF6dw
ps7q5HaAxpwC9S2PtILvwsEs0ocHupbMTsJtkr0bsvOvg+gx40yQDZLQxZyR+xQZ
HZmMbH87ElCG9JuXlCSGdmdLIEH08i7Yy9JKTpPHg20jAo/KsOIygRF2B0rTmn9O
JdR8hkAiqGQ2lZiAcSJZio7ojLD5MQ==
=Agz+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
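The advisory above gives the fixed buster package version and asks administrators to upgrade. On a Debian host the native check is `dpkg-query -W -f='${Package} ${Version}\n' hostapd wpasupplicant` followed by `dpkg --compare-versions`; the script below is an added example, not Debian's or AusCERT's code, that reimplements Debian's version-ordering rules (epoch, upstream, revision; `~` sorts before everything, letters before non-letters, digit runs compared numerically) so that captured `dpkg-query` output can be triaged offline. The fixed version string comes from the advisory; the sample `dpkg-query` output is constructed, and the pre-fix revision `-5` in it is an assumption used only for illustration.

```python
"""Triage wpa package versions against the DSA-4538 fixed version (added example)."""

# Fixed buster version as stated in DSA-4538.
FIXED_BUSTER = "2:2.7+git20190128+0c1e29f-6+deb10u1"

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
# The "-5" revision on hostapd is an assumed pre-fix value, not from the advisory.
SAMPLE_DPKG_OUTPUT = """hostapd 2:2.7+git20190128+0c1e29f-5
wpasupplicant 2:2.7+git20190128+0c1e29f-6+deb10u1
"""


def parse_version(version):
    """Split a Debian version into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)  # revision follows the last hyphen
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _char_order(ch):
    """Debian ordering for characters in a non-digit run: '~' < end < letters < others."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; end of string ranks 0 so '~' sorts before it."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare upstream or revision strings as alternating non-digit / digit runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ja, jb = ia, ib
        while ja < len(a) and not a[ja].isdigit():
            ja += 1
        while jb < len(b) and not b[jb].isdigit():
            jb += 1
        result = _cmp_nondigit(a[ia:ja], b[ib:jb])
        if result:
            return result
        ia, ib = ja, jb
        while ja < len(a) and a[ja].isdigit():
            ja += 1
        while jb < len(b) and b[jb].isdigit():
            jb += 1
        na = int(a[ia:ja]) if ja > ia else 0  # digit runs compare numerically
        nb = int(b[ib:jb]) if jb > ib else 0
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ja, jb
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _cmp_fragment(ua, ub)
    if result:
        return result
    return _cmp_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_BUSTER):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


def unpatched_packages(dpkg_output, fixed=FIXED_BUSTER,
                       packages=("hostapd", "wpasupplicant")):
    """Return (package, version) pairs from dpkg-query output that still need the update."""
    needing_update = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        if name in packages and not is_fixed(version.strip(), fixed):
            needing_update.append((name, version.strip()))
    return needing_update


if __name__ == "__main__":
    for name, version in unpatched_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{name} {version} is below {FIXED_BUSTER}: upgrade required")
```

Feed the script real `dpkg-query` output from a fleet inventory and it flags every host whose hostapd or wpasupplicant is still below the advisory's fixed version; the `~` and epoch rules matter because backports and security rebuilds routinely use both, and naive string comparison gets them wrong.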

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=LrPy
-----END PGP SIGNATURE-----