[Buildroot] [PATCH v2 1/2] package/hostapd: add upstream 2019-1, 2, 3, 4 security patches

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Apr 11 16:27:57 UTC 2019


On Thu, 11 Apr 2019 13:11:02 +0200
Peter Korsgaard <peter at korsgaard.com> wrote:

> Fixes the following security vulnerabilities:
> 
> - CVE-2019-9494 (cache attack against SAE)
> 
> For details, see the advisory:
> https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
> 
> - CVE-2019-9495 (cache attack against EAP-pwd)
> 
> For details, see the advisory:
> https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
> 
> - CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
> 
> For details, see the advisory:
> https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
> 
> - CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
> - CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
> - CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)
> 
> For details, see the advisory:
> https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
> 
> Notice that SAE is not currently enabled in Buildroot, but the patches are
> included here anyway for completeness.
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>  package/hostapd/hostapd.hash | 14 ++++++++++++++
>  package/hostapd/hostapd.mk   | 15 +++++++++++++++
>  2 files changed, 29 insertions(+)

Both applied, thanks! It's an interesting practice to deliver those
security fixes only in the form of patches, and not do some proper
point releases. But oh well, if that's how upstream works.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


