[security] WPA2: Many vulnerabilities discovered

Bug #1723909 reported by dino99
This bug affects 11 people
Affects: wpa (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

This is a high vulnerability problem:

The attack works against all modern protected Wi-Fi networks

All details:
https://www.krackattacks.com/

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: wpasupplicant 2.4-0ubuntu9
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
CurrentDesktop: GNOME
Date: Mon Oct 16 11:54:57 2017
EcryptfsInUse: Yes
SourcePackage: wpa
UpgradeStatus: No upgrade log present (probably fresh install)

dino99 (9d9) wrote :
summary: - [security] Many vulnerabilies discovered
+ [security] Many vulnerabilities discovered
dino99 (9d9) wrote : Re: [security] Many vulnerabilities discovered

I do not know why Ubuntu has a delta with Debian Experimental. Some CVEs were fixed.
http://metadata.ftp-master.debian.org/changelogs/main/w/wpa/wpa_2.6-4_changelog

Well, maybe due to grave & serious reported bugs:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=wpasupplicant;dist=unstable

Source: http://w1.fi/security/2017-1/

information type: Public → Public Security
dino99 (9d9)
summary: - [security] Many vulnerabilities discovered
+ [security] WPA2: Many vulnerabilities discovered
Eero (eero+launchpad) wrote :

Debian has patched the following CVEs:
CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088

https://lists.debian.org/debian-security-announce/2017/msg00261.html

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wpa (Ubuntu):
status: New → Confirmed
Changed in wpa (Ubuntu):
importance: Undecided → Critical
Anthony Harrington (linuxchemist) wrote :

This has been a mighty fine (and speedy) response to a big WPA2 flaw. Kudos!

wpa (2.4-0ubuntu9.1) for zesty;
wpa (2.4-0ubuntu6.2) for xenial;
and wpa (2.1-0ubuntu1.5) for trusty are done so far and they address this bug.

(Obviously yakkety is no longer supported and Ubuntu 16.10 users who have stumbled upon this bug (or otherwise) are strongly encouraged to upgrade. Ubuntu 16.10 reached EOL on July 20th 2017.)

Tyler Hicks (tyhicks) wrote :

Updates have been released:

  https://usn.ubuntu.com/usn/usn-3455-1/

Changed in wpa (Ubuntu):
status: Confirmed → Fix Released
Anthony Harrington (linuxchemist) wrote :

As 17.10 is also affected, what's the plan for artful?

Can 2.4-0ubuntu9.1 (or something else/numbered differently) simply be copied over?

Marc Deslauriers (mdeslaur) wrote :

An update has already been uploaded to artful and is awaiting approval by the release team.

Anthony Harrington (linuxchemist) wrote :

Thanks for the info, I'm just jumping the gun a little :D
