Format: 1.8
Date: Wed, 31 Jul 2019 22:44:37 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-1+deb8u8
Distribution: jessie-security
Urgency: medium
Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-devel@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 hostapd - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
 wpagui - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 927463
Changes:
 wpa (2.3-1+deb8u8) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   * CVE-2019-9495: only partial mitigation feasible for this wpa version
     + 2019-2/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
     + FIXME: too invasive to backport (or for someone with more time+expertise):
       [2019-2/0002-Add-helper-functions-for-constant-time-operations.patch]
       [2019-2/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch]
       [2019-2/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch]
     + For more details, see https://w1.fi/security/2019-2/.
 .
   * Upstream cherry-picks:
     + Pick 2019-4/0001-Add-crypto_ec_point_cmp.patch, required for applying
       2019-4/0012-EAP-pwd-server-Detect-reflection-attacks.patch
       [2019-4/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch]
 .
   * CVE-2019-9498 (partial):
     + 2019-4/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
   * CVE-2019-9497:
     + 2019-4/0012-EAP-pwd-server-Detect-reflection-attacks.patch
   * CVE-2019-9499 (partial):
     + 2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
   * CVE-2019-9498 + CVE-2019-9499 (FIXME):
     + too invasive to backport (or for someone with more time+expertise):
       [2019-4/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch]
 .
   * CVE-2019-11555 (Closes: #927463):
     + 2019-5/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
     + 2019-5/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
 .
   * debian/rules: Forcefully enable compilation of the ECC code (NEED_ECC=y).