Mageia alert MGASA-2012-0291 (hostapd) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0291: hostapd-0.7.3-2.1.mga1
 (1/core),  hostapd-0.7.3-4.1.mga2 (2/core) 
Date:
    	       Thu, 11 Oct 2012 09:48:52 +0200
Message-ID:
    	       <20121011074852.GA18535@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0291
Date: 	October 11th, 2012
Affected releases: 	1, 2


Description:
Updated hostapd package fixes security vulnerabilities:

hostapd 0.7.3, and possibly other versions before 1.0, uses 0644
permissions for /etc/hostapd/hostapd.conf, which might allow local users
to obtain sensitive information such as credentials (CVE-2012-2389).

Timo Warns discovered that the internal authentication server of hostapd,
a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
is vulnerable to a buffer overflow when processing fragmented EAP-TLS
messages. As a result, an internal overflow checking routine terminates
the process. An attacker can abuse this flaw to conduct denial of
service attacks via crafted EAP-TLS messages prior to any authentication
(CVE-2012-4445).


Updated Packages:
Mageia 1:
hostapd-0.7.3-2.1.mga1

Mageia 2:
hostapd-0.7.3-4.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
http://lists.fedoraproject.org/pipermail/package-announce...
http://www.debian.org/security/2012/dsa-2557
https://bugs.mageia.org/show_bug.cgi?id=7746
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)