[Git][security-tracker-team/security-tracker][master] 2 commits: Update severity for CVE-2019-5062/wpa
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 7 13:17:49 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f1fb7807 by Salvatore Bonaccorso at 2020-03-07T14:13:04+01:00
Update severity for CVE-2019-5062/wpa
Unfortunately the Cisco Talos report is very unclear what the issue is
about. The available information is inconsistent and it was not further
cleared up to upstream and does not report any accurate issue. The issue
might be disputed or rejected if someone comes up to do so. Until
this is done demote the severity to unimportant as in any case any
possible impact is in this context negligible.
- - - - -
5a0a002c by Salvatore Bonaccorso at 2020-03-07T14:15:31+01:00
Update information on CVE-2019-5061/wpa
There is not much relevant security wise impact on this issue. IAPP is
an obsolete functionality in hostapd that had been long moved to the
kernel driver years ago. So apart of doing any fixing change for this
implementation in src:wpa's end, it has just been completely dropped. As
furthermore the commit removing the functionality notes, IAPP
implementation was never completed.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -66330,13 +66330,17 @@ CVE-2019-5063 (An exploitable heap buffer overflow vulnerability exists in the d
NOTE: https://github.com/opencv/opencv/issues/15857
NOTE: Persistence implementation refactored in: https://github.com/opencv/opencv/pull/13011
CVE-2019-5062 (An exploitable denial-of-service vulnerability exists in the 802.11w s ...)
- - wpa <unfixed>
+ - wpa <unfixed> (unimportant)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0850
+ NOTE: Issue is not considered the report recieved bogus and at most with very
+ NOTE: negligible impact. Issue likely would need to be disputed or rejected.
CVE-2019-5061 (An exploitable denial-of-service vulnerability exists in the hostapd 2 ...)
- - wpa 2:2.9+git20200213+877d9a0-1
+ - wpa 2:2.9+git20200213+877d9a0-1 (unimportant)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0849
NOTE: https://w1.fi/cgit/hostap/commit/?id=018edec9b2bd3db20605117c32ff79c1e625c432
- NOTE: removes IAPP functionality from hostapd.
+ NOTE: removes IAPP functionality from hostapd. IAPP implementation furthermore
+ NOTE: was never really completed on wpa side and this obsoleted functionality in
+ NOTE: hostapd had been moved to the kernel driver already.
CVE-2019-5060 (An exploitable code execution vulnerability exists in the XPM image re ...)
- libsdl2-image 2.0.5+dfsg1-1
[buster] - libsdl2-image <no-dsa> (Minor issue)
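Review bot: The first added NOTE under CVE-2019-5062 does not parse and misspells "received": "Issue is not considered the report recieved bogus and at most with very" appears to be missing words, so a reader of the tracker cannot tell whether the report or the issue is being called bogus. Suggest rewording it to match the commit message, for example "NOTE: The report received is unclear and inconsistent; any impact is at most negligible.", and keeping the following line about disputing or rejecting the issue. In the CVE-2019-5061 NOTE, "this obsoleted functionality" would read better as "this obsolete functionality", which is the wording the commit message uses.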
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7c20452c1dbfa7355814fe7f9b4d3b72d70780a...5a0a002c68b9b5269349886f67fd5e259ce6ef21