Control: tags -1 d-i confirmed

Andrej Shadura:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock the package wpa.
>
> This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):
>
> - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
> - CVE-2019-9495: EAP-pwd cache attack against ECC groups
> - CVE-2019-9496: SAE confirm missing state validation
> - CVE-2019-9497: EAP-pwd server not checking for reflection attack
> - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
> - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
>
> For more details on the vulnerability itself, see:
> - https://w1.fi/security/2019-1/
> - https://w1.fi/security/2019-2/
> - https://w1.fi/security/2019-3/
> - https://w1.fi/security/2019-4/
>
> Since the patches are quite big, you can check them here:
> - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
> - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/
>
> Erroneously not mentioned in the changelog, this upload also declares a
> correct build dependency on libnl-3-dev.
>
> unblock wpa/2:2.7+git20190128+0c1e29f-4
>
Hi,

Thanks for filing this unblock. From a RT PoV it looks fine and I have
Cc'ed KiBi for a d-i ack before accepting it fully.

Thanks,
~Niels