- -------------------------------------------------------------------------
Debian Security Advisory DSA-3397-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 10, 2015                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2015-4141 CVE-2015-4142 CVE-2015-4143 CVE-2015-4144
                 CVE-2015-4145 CVE-2015-4146 CVE-2015-5310 CVE-2015-5314
                 CVE-2015-5315 CVE-2015-5316 CVE-2015-8041
Debian Bug     : 787371 787372 787373 795740 804707 804708 804710

Several vulnerabilities have been discovered in wpa_supplicant and
hostapd. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2015-4141

    Kostya Kortchinsky of the Google Security Team discovered a
    vulnerability in the WPS UPnP function with HTTP chunked transfer
    encoding which may result in a denial of service.

CVE-2015-4142

    Kostya Kortchinsky of the Google Security Team discovered a
    vulnerability in the WMM Action frame processing which may result in
    a denial of service.

CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146

    Kostya Kortchinsky of the Google Security Team discovered that
    EAP-pwd payload is not properly validated which may result in a
    denial of service.

CVE-2015-5310

    Jouni Malinen discovered a flaw in the WMM Sleep Mode Response frame
    processing. A remote attacker can take advantage of this flaw to
    mount a denial of service.

CVE-2015-5314 CVE-2015-5315

    Jouni Malinen discovered a flaw in the handling of EAP-pwd messages
    which may result in a denial of service.

CVE-2015-5316

    Jouni Malinen discovered a flaw in the handling of EAP-pwd Confirm
    messages which may result in a denial of service.

CVE-2015-8041

    Incomplete WPS and P2P NFC NDEF record payload length validation may
    result in a denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.0-3+deb7u3. The oldstable distribution (wheezy) is only
affected by CVE-2015-4141, CVE-2015-4142, CVE-2015-4143 and
CVE-2015-8041.

For the stable distribution (jessie), these problems have been fixed in
version 2.3-1+deb8u3.

We recommend that you upgrade your wpa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Debian: DSA-3397-1: wpa security update

November 10, 2015
Several vulnerabilities have been discovered in wpa_supplicant and hostapd

Summary

CVE-2015-4141

Kostya Kortchinsky of the Google Security Team discovered a
vulnerability in the WPS UPnP function with HTTP chunked transfer
encoding which may result in a denial of service.

CVE-2015-4142

Kostya Kortchinsky of the Google Security Team discovered a
vulnerability in the WMM Action frame processing which may result in
a denial of service.

CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146

Kostya Kortchinsky of the Google Security Team discovered that
EAP-pwd payload is not properly validated which may result in a
denial of service.

CVE-2015-5310

Jouni Malinen discovered a flaw in the WMM Sleep Mode Response frame
processing. A remote attacker can take advantage of this flaw to
mount a denial of service.

CVE-2015-5314 CVE-2015-5315

Jouni Malinen discovered a flaw in the handling of EAP-pwd messages
which may result in a denial of service.

CVE-2015-5316

Jouni Malinen discovered a flaw in the handling of EAP-pwd Confirm
messages which may result in a denial of service.

CVE-2015-8041

Incomplete WPS and P2P NFC NDEF record payload length validation may
result in a denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.0-3+deb7u3. The oldstable distribution (wheezy) is only
affected by CVE-2015-4141, CVE-2015-4142, CVE-2015-4143 and
CVE-2015-8041.

For the stable distribution (jessie), these problems have been fixed in
version 2.3-1+deb8u3.

We recommend that you upgrade your wpa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Severity
Several vulnerabilities have been discovered in wpa_supplicant and
hostapd. The Common Vulnerabilities and Exposures project identifies the
following problems:

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up