[ubuntu/eoan-proposed] wpa 2:2.8-2ubuntu2 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Tue Aug 13 18:08:14 UTC 2019
wpa (2:2.8-2ubuntu2) eoan; urgency=medium

  * SECURITY UPDATE: SAE/EAP-pwd side-channel attack w/Brainpool curves
    - debian/patches/CVE-2019-13377-1.patch: use const_time_memcmp() for
      pwd_value >= prime comparison in src/common/sae.c.
    - debian/patches/CVE-2019-13377-2.patch: use const_time_memcmp() for
      pwd_value >= prime comparison in src/eap_common/eap_pwd_common.c.
    - debian/patches/CVE-2019-13377-3.patch: use BN_bn2binpad() or
      BN_bn2bin_padded() if available in src/crypto/crypto_openssl.c.
    - debian/patches/CVE-2019-13377-4.patch: run through prf result
      processing even if it >= prime in src/common/sae.c.
    - debian/patches/CVE-2019-13377-5.patch: run through prf result
      processing even if it >= prime in src/eap_common/eap_pwd_common.c.
    - debian/patches/CVE-2019-13377-6.patch: disable use of groups using
      Brainpool curves in src/common/sae.c,
      src/eap_common/eap_pwd_common.c.
    - CVE-2019-13377

Date: Tue, 13 Aug 2019 13:32:28 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/wpa/2:2.8-2ubuntu2
Format: 1.8
Date: Tue, 13 Aug 2019 13:32:28 -0400
Source: wpa
Architecture: source
Version: 2:2.8-2ubuntu2
Distribution: eoan
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian wpasupplicant Maintainers <wpa at packages.debian.org>