Add krackattacks mitigation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wpa (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
See for reference:
https:/
Yes, this is not a bug. However, it has been noted on ubuntu-devel that adding some features even to stable releases could be justified in *some* cases.
First, of paramount importance is that the fix introduces no regression.
In this case, this code is *only* used if a new parameter is set:
wpa_disable_
If this parameter is missing, behaviour will not change.
So any regression introduced will be caused by a deliberate admin decision, from where all responsibility could be denied (use at your own risk, yadda, yadda...)
Then, is this parameter useful? It could be for the hundreds of millions of Android phones that are not yet patched (6.0 and upper) and will never be patched (about 50% of existing Android phones).
Please note that at least one wifi provider has already decided to provide this feature to help its users:
https:/
so this is something that leaders do :-)
I have already patched my AP that runs Ubuntu 16 LTS (see attached patch against 2.4-0ubuntu6.2; I have used my AP for 3 days now with an Ubuntu and an Android client without problems) and I could try to provide a patch for Ubuntu 17. This kind of patch is really trivial anyway, since it's just a port of the upstream patch in hostapd:
https:/
However I have a big problem. Any security patch (and this is a security enhancing patch at least) is only worth as much as it is *tested*. And I don't have the means to verify that mitigation is effective, as the vulnerability discoverer has not provided (for obvious reasons) public testing code for clients.
I think that Ubuntu should have this code (or do you just distribute security patches without testing that they are effective? That would not be very serious IMO).
There is no chance that M. Vanhoef sends his code to any old dog on the internet, so Canonical is my only chance for a real test of this feature on an Ubuntu AP (short of rewriting the attack code myself, not an attractive proposition).
If in fact you don't have the testing (well, attack) code feel free to dismiss my bug report as irrelevant. But if you have please consider the opportunity to add some goodwill to Ubuntu. Thanks.
CVE References
Changed in wpa (Ubuntu): status: New → Confirmed
The attachment "Krackattacks mitigation for Ubuntu 16LTS test patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]