Bug#765631: unblock/ age to 5 days: wpa/2.3-1 (CVE-2014-3686, DSA-3052-1)

2014-10-16 Thread Stefan Lippers-Hollmann
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-CC: debian-b...@lists.debian.org

Hi

Please unblock the udeb producing package wpa and reduce its 
propagation time to 5 days. wpa 2.3-1 has been successfully built and
uploaded on all release architectures.

wpa = 2.3-1 is vulnerable against a remotely exploitable security 
bug, which might allow attackers to inject an unsanitized string 
received from a remote device (potentially any device in radio 
range) to a privileged (typically root or netdev) system() call via 
wpa_cli/ hostapd_cli action scripts.

CVE-2014-3686   https://security-tracker.debian.org/tracker/CVE-2014-3686
DSA-3052-1  https://www.debian.org/security/2014/dsa-3052
#765352 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765352


For debian-boot/ the upcoming stable point release (wheezy 7.7):
wpasupplicant-udeb, as used by d-i, does not contain the exploitable
binary (wpa_cli), which is only part of the full wpasupplicant/ hostapd
packages (these are already fixed via debian-security). Accordingly 
d-i's usage of wpa_supplicant is not susceptible to this security
issue.


This is a new upstream version of wpa containing further changes and
features of wpa's stable integration branch[1], rather than a 
targeted fix.

unblock wpa/2.3-1

Regards
Stefan Lippers-Hollmann

[1] wpa 2.x is a continuous integration branch for bugfixes and new
features, rather than a dedicated bugfix branch in the sense of
PostgreSQL or the linux kernel.


signature.asc
Description: This is a digitally signed message part.
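The injection pattern the report describes (an unsanitized remote string spliced into a privileged system() call), shown as an added C illustration that is not wpa's or wpa_cli's own code: the device name, script path and interface are constructed sample values, and the hardened variant hands the value to the action script as a separate argv element via execv so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample, not a real capture: an identifier received from a
 * remote device that carries characters a shell would interpret. */
static const char *constructed_name = "office-ap'; echo injected; '";

/* Returns 1 if s contains a character /bin/sh treats specially. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "'\"`$;&|<>(){}\n") != NULL;
}

/* Vulnerable pattern (illustrative, not wpa_cli's actual code): the
 * untrusted value is spliced into one command string, which system()
 * hands to "sh -c", so the shell parses and runs whatever it contains.
 * Returns 1 if the string fit in out. */
int build_cmd_for_system(char *out, size_t outlen, const char *script,
                         const char *iface, const char *event,
                         const char *name)
{
    int n = snprintf(out, outlen, "%s %s %s '%s'", script, iface, event, name);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened pattern: no shell. The script is executed directly and the
 * untrusted value is its own argv element, so the script receives it
 * verbatim as "$3" and nothing re-parses it. Returns the child's exit
 * status, 127 if the script could not be executed, -1 on fork error. */
int run_action_script(const char *script, const char *iface,
                      const char *event, const char *name)
{
    char *const argv[] = { (char *)script, (char *)iface, (char *)event,
                           (char *)name, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```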


Bug#765631: unblock/ age to 5 days: wpa/2.3-1 (CVE-2014-3686, DSA-3052-1)

2014-10-16 Thread Cyril Brulebois
Hallo Stefan!

Stefan Lippers-Hollmann s@gmx.de (2014-10-16):
> Please unblock the udeb producing package wpa and reduce its
> propagation time to 5 days. wpa 2.3-1 has been successfully built and
> uploaded on all release architectures.

Looking at its changelog and the current d-i schedule (or slight lack
thereof), no objection from debian-boot@.

> For debian-boot/ the upcoming stable point release (wheezy 7.7):
> wpasupplicant-udeb, as used by d-i, does not contain the exploitable
> binary (wpa_cli), which is only part of the full wpasupplicant/ hostapd
> packages (these are already fixed via debian-security). Accordingly
> d-i's usage of wpa_supplicant is not susceptible to this security
> issue.

Thanks for the heads-up, appreciated.

> This is a new upstream version of wpa containing further changes and
> features of wpa's stable integration branch[1], rather than a
> targeted fix.
>
> unblock wpa/2.3-1

FWIW that'd rather be:
  age-days 5 wpa/2.3-1

Mraw,
KiBi.


signature.asc
Description: Digital signature