Bug#923675: Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4

2019-04-18 Thread Cyril Brulebois
Niels Thykier (2019-04-18):
> Cyril Brulebois:
> > I think it'd be nice to have some tests on a real wireless adapter,
> > which I'll try to get to in the next days, because of the amount of
> > patching involved. That shouldn't stop you from letting the package
> > reach testing first though.

As noted on #debian-devel when discussing this a bit with Andrej: I've
had issues passing a USB adapter through kvm but tests on bare metal
look good with this new wpa package. I didn't perform a full install
though as I wanted to retain my main system. ;)

Getting slightly off-topic but still relevant to other areas that want
to see work done before the buster release: Both tests in VM and on bare
metal made me confirm what I thought could be possible → we're also
affected by entropy starvation (#923675) in the wireless stack.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4

2019-04-18 Thread Cyril Brulebois
Niels Thykier (2019-04-15):
> Andrej Shadura:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock the package wpa.
> > 
> > This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):
> > 
> >  - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
> >  - CVE-2019-9495: EAP-pwd cache attack against ECC groups
> >  - CVE-2019-9496: SAE confirm missing state validation
> >  - CVE-2019-9497: EAP-pwd server not checking for reflection attack
> >  - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
> >  - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
> > 
> > For more details on the vulnerability itself, see:
> >  - https://w1.fi/security/2019-1/
> >  - https://w1.fi/security/2019-2/
> >  - https://w1.fi/security/2019-3/
> >  - https://w1.fi/security/2019-4/
> > 
> > Since the patches are quite big, you can check them here:
> >  - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
> >  - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/

Thanks, links appreciated given the amount of patches…

> > Erroneously not mentioned in the changelog, this upload also declares a correct
> > build dependency on libnl-3-dev.
> > 
> > unblock wpa/2:2.7+git20190128+0c1e29f-4
> 
> Thanks for filing this unblock.  From a RT PoV it looks fine and I
> have Cc'ed KiBi for a d-i ack before accepting it fully.

I think it'd be nice to have some tests on a real wireless adapter,
which I'll try to get to in the next days, because of the amount of
patching involved. That shouldn't stop you from letting the package
reach testing first though.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4

2019-04-15 Thread Niels Thykier
Control: tags -1 d-i confirmed

Andrej Shadura:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock the package wpa.
> 
> This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):
> 
>  - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
>  - CVE-2019-9495: EAP-pwd cache attack against ECC groups
>  - CVE-2019-9496: SAE confirm missing state validation
>  - CVE-2019-9497: EAP-pwd server not checking for reflection attack
>  - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
>  - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
> 
> For more details on the vulnerability itself, see:
>  - https://w1.fi/security/2019-1/
>  - https://w1.fi/security/2019-2/
>  - https://w1.fi/security/2019-3/
>  - https://w1.fi/security/2019-4/
> 
> Since the patches are quite big, you can check them here:
>  - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
>  - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/
> 
> Erroneously not mentioned in the changelog, this upload also declares a correct
> build dependency on libnl-3-dev.
> 
> unblock wpa/2:2.7+git20190128+0c1e29f-4
> 

Hi,

Thanks for filing this unblock.  From a RT PoV it looks fine and I have
Cc'ed KiBi for a d-i ack before accepting it fully.

Thanks,
~Niels



Bug#927111: unblock: wpa/2:2.7+git20190128+0c1e29f-4

2019-04-15 Thread Andrej Shadura
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock the package wpa.

This upload fixes a security vulnerability in WPA3-Personal and EAP (#926801):

 - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
 - CVE-2019-9495: EAP-pwd cache attack against ECC groups
 - CVE-2019-9496: SAE confirm missing state validation
 - CVE-2019-9497: EAP-pwd server not checking for reflection attack
 - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
 - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element

For more details on the vulnerability itself, see:
 - https://w1.fi/security/2019-1/
 - https://w1.fi/security/2019-2/
 - https://w1.fi/security/2019-3/
 - https://w1.fi/security/2019-4/

Since the patches are quite big, you can check them here:
 - https://salsa.debian.org/debian/wpa/tree/debian/master/debian/patches/2019-sae-eap
 - https://sources.debian.org/src/wpa/2:2.7+git20190128+0c1e29f-4/debian/patches/2019-sae-eap/

Erroneously not mentioned in the changelog, this upload also declares a correct
build dependency on libnl-3-dev.

unblock wpa/2:2.7+git20190128+0c1e29f-4

-- 
Cheers,
  Andrej