Package: wpa Severity: grave Tags: security patch Hi, the following vulnerability was published for hostapd.
CVE-2012-4445[0]: | Timo Warns discovered that the internal authentication server of hostapd, | a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator, | is vulnerable to a buffer overflow when processing fragmented EAP-TLS | messages. As a result, an internal overflow checking routine terminates | the process. An attacker can abuse this flaw to conduct denial of service | attacks via crafted EAP-TLS messages prior to any authentication. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. Please also ask for an unblock on -release after fixing this issue so it will be picked up for wheezy. The patch I used for the DSA: http://people.debian.org/~nion/nmu-diff/hostapd-0.6.10-2_0.6.10-2+squeeze1.patch For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445 http://security-tracker.debian.org/tracker/CVE-2012-4445 -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
pgpIXtg4srhH2.pgp
Description: PGP signature
