Public bug reported:

Having asked "When is this going to be merged into the Ubuntu package
set?" question #659543 I was advised to raise this as a bug by
"actionparsnip":

Given this, please would you investigate the following security
vulnerability as a bug:

wpasupplicant nonce vulnerability (DSA-3999-1):

In Mitre's CVE dictionary the following vulnerabilities for wpa clients
have been identified: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
CVE-2017-13087, CVE-2017-13088

Details from the Debian Security Advisory are here:
https://www.debian.org/security/2017/dsa-3999

As the Debian wpasupplicant Maintainers have already provided a patch:

For the oldstable distribution (jessie), these problems have been fixed
in version 2.3-1+deb8u5.
For the stable distribution (stretch), these problems have been fixed
in version 2:2.4-1+deb9u1.
For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.
For the unstable distribution (sid), these problems have been fixed
in version 2:2.4-1.1.

I believe this covers LTS 14.04, 16.04 and all versions of Ubuntu after
16.04 (16.10, 17.04, 17.10)

** Affects: wpa (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: krack wifi wpasupplicant

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to wpa in Ubuntu.
https://bugs.launchpad.net/bugs/1724094

Title:
  wpasupplicant nonce vulnerability (DSA-3999-1)

Status in wpa package in Ubuntu:
  New
