Siduction Forum => Upgrade Warnings => Topic started by: michaa7 on 2015/04/23, 19:36:28
Title: [solved] wpasupplicant possibly bears security problem
Post by: michaa7 on 2015/04/23, 19:36:28
There is a warning (German only) (http://www.heise.de/newsticker/meldung/Schadcode-durch-WLAN-Pakete-2618115.html) about wpasupplicant being vulnerable ***if*** compiled with the build option CONFIG_P2P.
Does anyone have a clue how to find out whether or not this is the case with the current Debian version?
Until there is a new version, you (1) may patch and recompile your own package using Debian sources or you (2) may disable "p2p_disabled" in your wpa_supplicant.conf by setting it to "1". (Debian name may be slightly different).
As this is related to security I think it is ok to post it here in this section.
EDIT:
On my system I found only "/etc/dbus-1/system.d/wpa_supplicant.conf" without any reference to "p2p_disabled".
So this warning may be unnecessary.
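A way to check option (2) from the post above against your own files, as an added example that is not part of the original thread: the hypothetical helper `p2p_disabled_state` reports whether `p2p_disabled=1` is set as a global option in a given wpa_supplicant configuration file. It assumes that the last global occurrence wins and that a line inside a block such as `network={ ... }` does not count; the sample file is constructed.

```shell
#!/bin/sh
# Added example: report the global p2p_disabled setting of a wpa_supplicant
# configuration file. p2p_disabled_state is a hypothetical helper name.
# Assumptions: the last global occurrence wins; lines inside a block such as
# network={ ... } are not global options.
# Output: "disabled" (p2p_disabled=1), "enabled" (any other value),
#         "unset" (no global line), "unreadable" (file cannot be read).

p2p_disabled_state() {
    # $1: path to a wpa_supplicant configuration file
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/     { next }                          # comment line
        /=[{][ \t]*$/  { depth++; next }                 # a block opens
        /^[ \t]*[}]/   { if (depth > 0) depth--; next }  # a block closes
        depth == 0 && /^[ \t]*p2p_disabled=/ {
            v = $0
            sub(/^[ \t]*p2p_disabled=/, "", v)   # keep only the value
            sub(/[ \t]*(#.*)?$/, "", v)          # drop a trailing comment
            state = (v == "1") ? "disabled" : "enabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Check every file named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(p2p_disabled_state "$f")"
done

# Constructed sample: a commented-out line and a line inside network={}
# do not set the global option.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ctrl_interface=/run/wpa_supplicant
# p2p_disabled=1
network={
    ssid="example"
    p2p_disabled=1
}
EOF
echo "sample: $(p2p_disabled_state "$sample")"
printf 'p2p_disabled=1\n' >> "$sample"
echo "sample with a global line appended: $(p2p_disabled_state "$sample")"
rm -f "$sample"
```

Pass the configuration files your wpa_supplicant instances are actually started with as arguments; a result of "unset" or "enabled" means the setting from option (2) is not in effect for that file.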
Title: Re: wpasupplicant: there might be a security problem
Post by: musca on 2015/04/24, 17:57:04
Hello micha,
a fixed wpasupplicant 2.3-2 package is pending in incoming:
* import "P2P: Validate SSID element length before copying it (CVE-2015-1863)" from upstream (Closes: #783148 (http://bugs.debian.org/783148)).