On 2017-10-24 08:14:47, Guido Günther wrote: > Hi Antoine, > (trimming the cc: list a bit) > > On Mon, Oct 23, 2017 at 07:43:49PM -0400, Antoine Beaupré wrote: >> Hi, >> >> I have looked at backporting the "KRACK" patches down into wheezy. I'm a >> little concerned about the results: I don't have a good grasp of WPA2 >> and particularly of the wpa_supplicant codebase. I don't even know if >> wheezy is actually vulnerable, I went under the assumption that it was >> vulnerable and carried on. >> >> Obviously, I don't have a full WPA stack to test this with here either: >> my laptop is not running wheezy and I couldn't find a quick way to test >> this directly, let alone mount a full attack to try and reproduce the >> issue or confirm it is fixed. >> >> So I uploaded a test package to my usual repository: >> >> https://people.debian.org/~anarcat/debian/wheezy-lts/ >> >> WARNING: I didn't test this in any way. I tried to make the patch >> meaningful and the code compiled, but that's about it. >> >> A patch is attached for your perusal, but I am concerned about some bits >> of the patchset, and I wonder if the version in wheezy might not be >> vulnerable to even *more* issues. It's kind of scary to think that >> wpa_supplicant is running, as root, on so many machines out there... > > Did you try reaching out to upstream to confirm if Wheezy is vulnerable? > I'm pretty sure they have a good idea now about the affected versions > given all the fuzz around KRACK. > Cheers,
Good idea, I just did that. A. -- That's the kind of society I want to build. I want a guarantee - with physics and mathematics, not with laws - that we can give ourselves real privacy of personal communications. - John Gilmore