Control: reassign -1 eapoltest
Control: found -1 2:2.10-8
freeradius with openssl 3.0.13-1~deb12u1 cannot successfully communicate
with eapol_test from bullseye (2:2.10-8~bpo11+2, openssl 1.1.1w-0+deb11u1).
eapol_test is used by our monitoring system to verify the functionality
of our freeradius services.
Server log shows the received Access-Request is handled and Access-Challenge
is sent. However eapol_test simply ignores it and re-sends Access-Request
packets again and again:
This sounds like a bug in eapoltest, not in Freeradius. Reassigning
accordingly.
Note that the version in bullseye-backports is older than the one in
bookworm it should base on. The version in bullseye-backports is missing
these fixes from bookworm (stable). Some of those sound related.
I'm not sure whether bullseye-backports is still updateable, if yes it
might be a good idea to backport the current stable-security version.
wpa (2:2.10-12+deb12u1) bookworm; urgency=high
* Non-maintainer upload on behalf of the Security Team.
* Fix CVE-2023-52160 (Closes: #1064061):
The implementation of PEAP in wpa_supplicant allows
authentication bypass. For a successful attack,
wpa_supplicant must be configured to not verify
the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability
can then be abused to skip Phase 2 authentication.
The attack vector is sending an EAP-TLV Success packet
instead of starting Phase 2. This allows an adversary
to impersonate Enterprise Wi-Fi networks.
-- Bastien Roucariès <[email protected]> Tue, 30 Apr 2024 22:45:18 +0000
wpa (2:2.10-12) unstable; urgency=medium
* Prevent hostapd units from being started if there’s
no config provided (Closes: #1028088).
* hostapd: Enable 802.11ax support (Closes: #1013732).
-- Andrej Shadura <[email protected]> Fri, 24 Feb 2023 14:01:35 +0100
wpa (2:2.10-11) unstable; urgency=medium
* Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
(Closes: #1011121, LP: #1958267)
* Drop dependency on lsb-base.
-- Andrej Shadura <[email protected]> Tue, 31 Jan 2023 12:58:02 +0100
wpa (2:2.10-10) unstable; urgency=medium
* Configure wpa_supplicant.service to create control sockets owned by
group netdev
(Closes: #1012844)
-- Andrej Shadura <[email protected]> Wed, 21 Dec 2022 10:03:29 +0100
wpa (2:2.10-9) unstable; urgency=medium
[ Sebastien Bacher ]
* debian/patches/allow-legacy-renegotiation.patch:
Allow legacy renegotiation to fix PEAP issues with some servers
(Closes: #1010603, LP: #1962541)
-- Andrej Shadura <[email protected]> Thu, 05 May 2022 11:23:33 +0100
Tcpdump shows the Access-Challenge packet is indeed delivered to the client.
If the same configuration (both on server and eapol_test sides) is tested
with eapoltest from bookworm (2:2.10-12+deb12u1, openssl 3.0.13-1~deb12u1),
it is successful.
The issue is critical becasue possibly all clients with openssl 1.1.1w-0+deb11u1
might be affected.
We can't rule that out, but we haven't heard of any reports.
Bernhard
