Debian Security Advisory
DSA-4538-1 wpa -- security update
- Date Reported:
- 29 Sep 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 934180, Bug 940080.
In Mitre's CVE dictionary: CVE-2019-13377, CVE-2019-16275.
- More information:
Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplication (station) and hostapd (access point).
A timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password.
Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network.
For the stable distribution (buster), these problems have been fixed in version 2:2.7+git20190128+0c1e29f-6+deb10u1.
We recommend that you upgrade your wpa packages.
For the detailed security status of wpa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wpa