Debian Package Tracker

From: Andrej Shadura <andrewsh@debian.org>
To: <>
Subject: Accepted wpa 2:2.4-1+deb9u3 (source) into stable->embargoed, stable
Date: Thu, 11 Apr 2019 06:10:50 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Apr 2019 18:57:51 +0200
Source: wpa
Architecture: source
Version: 2:2.4-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Closes: 905739
Changes:
 wpa (2:2.4-1+deb9u3) stretch-security; urgency=high
 .
   * Apply a partial security fix for CVE-2019-9495:
     - OpenSSL: Use constant time operations for private bignums.
     - See https://w1.fi/security/2019-2/ for more details.
   * Apply security fixes:
     - EAP-pwd server: Detect reflection attacks (CVE-2019-9497)
     - EAP-pwd client: Verify received scalar and element
       (partial fix for CVE-2019-9498)
     - EAP-pwd server: Verify received scalar and element
       (partial fix for CVE-2019-9499)
     - See https://w1.fi/security/2019-4/ for more details.
   * Add an upstream patch to add crypto_ec_point_cmp() required
     by the fixes for CVE-2019-9497.
   * Forcefully enable compilation of the ECC code.
 .
 wpa (2:2.4-1+deb9u2) stretch; urgency=high
 .
   * SECURITY UPDATE:
     - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
       (Closes: #905739)
Checksums-Sha1:
 26df4ffe448bd47985c887aa8bbf18a1b841733c 2186 wpa_2.4-1+deb9u3.dsc
 4ec25de069baa2f46e9d81e3db1e15ee03ae188e 99400 wpa_2.4-1+deb9u3.debian.tar.xz
Checksums-Sha256:
 8a876fc8dd2ef3cccea29a161944031201b8696008ca0fe629a412c79ea69934 2186 wpa_2.4-1+deb9u3.dsc
 b7390be9e0fc313e7c00485f5196b12a85be0925d067f74a3650be4c20edba6f 99400 wpa_2.4-1+deb9u3.debian.tar.xz
Files:
 ab6a8bf46d421a9dee1dd20aac0dea6b 2186 net optional wpa_2.4-1+deb9u3.dsc
 2105006e2320e3ce42e8e064b5b7055e 99400 net optional wpa_2.4-1+deb9u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAlyuWwkACgkQXkCM2RzY
OdLdlwgAu3SCaLouEn2Co0zcjKLH3SM5oA4LNcwCQJrIuSit3wHRGcdWqn5Eid+T
brL6pp4fWH+GzVXkob/0qJhvLiJa514Y/LDYUmwWO4KEMLlYGZJb/qrrY+SFEtsE
g33f7FcRRKhbo/XJsIhpMfpD0Dh+iRpGZ/d8MgO0ORRVkrQLu5QCoHxSfTm61WiH
brGP7Oaxpn/7ZI0t0ZHeRC+0j44pZYwdVj1ToW8MQnElWoh4BGYEZclNtPlG4y4P
ilMpchX5XWeyqLCoToq40aUnOXA07HWhpJkjXoCixA3y3puI8CCsDMbKRU0tAqD5
/kPKn04Uu2FNL8IyNvB5JjFR6dzAKQ==
=Aklv
-----END PGP SIGNATURE-----
News for package wpa
