[Git][security-tracker-team/security-tracker][master] 4 commits: CVE-2022-23304,wpa: Mark as ignored for Stretch

Markus Koschany (@apo) apo at debian.org
Wed Feb 2 15:19:35 GMT 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9c252aac by Markus Koschany at 2022-02-02T16:03:12+01:00
CVE-2022-23304,wpa: Mark as ignored for Stretch

An attacker requires root access to install an application for side-channel
attacks.

The fix for CVE-2022-23304 adds further improvements to the changes which are needed to
address CVE-2019-9495 (patches are available from
https://w1.fi/security/2019-2/).

Only the 0001-OpenSSL-Use-constant-time-operations-for-private-big.patch was
applied in Debian back then. The version of wpa in Stretch lacks further prerequisites
like the crypto_bignum_legendre and crypto_ec_point_solve_y_coord functions and
commit https://w1.fi/cgit/hostap/commit/src?id=22ac3dfebf7b
(EAP-pwd: Mask timing of PWE derivation), which are all needed to harden against the possible EAP
side-channel attacks. Since it is already unlikely to crack the password and
root access is required to exploit the problem, I am going to mark this CVE as ignored.

- - - - -
3431b67b by Markus Koschany at 2022-02-02T16:17:45+01:00
Remove wpa from dla-needed.txt

- - - - -
611cb0fb by Markus Koschany at 2022-02-02T16:18:13+01:00
Remove minetest from dla-needed.txt.

I have contacted utkarsh (frontdesk).

- - - - -
27b20f74 by Markus Koschany at 2022-02-02T16:18:57+01:00
Claim vim in dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3648,6 +3648,7 @@ CVE-2022-0246
 	RESERVED
 CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...)
 	- wpa 2:2.10-1
+	[stretch] - wpa <ignored> (Minor issue)
 	NOTE: https://w1.fi/security/2022-1/
 	NOTE: Issue exists because of an incomplete fix for CVE-2019-9495
 CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...)
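Review bot: the new `[stretch] - wpa <ignored> (Minor issue)` line records only "Minor issue" as justification, while the actual reasoning lives in the commit message (Stretch's wpa lacks the crypto_bignum_legendre / crypto_ec_point_solve_y_coord prerequisites and commit 22ac3dfebf7b, and exploitation needs local root to install the side-channel application). Consider adding a NOTE line under the entry, e.g. `NOTE: stretch lacks the prerequisite commits from https://w1.fi/security/2019-2/; exploitation requires root`, so that a later triager reading data/CVE/list can see why it was ignored without consulting git history, consistent with the two NOTE lines already present for this CVE.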


=====================================
data/dla-needed.txt
=====================================
@@ -64,11 +64,6 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-minetest
-  NOTE: 20220130: double check for impact. (utkarsh)
-  NOTE: 20220131: Games are not supported in LTS but I try to fix this problem
-  NOTE: 20220131: in stable (apo)
---
 openjdk-8 (Emilio)
 --
 pgbouncer
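Review bot: the minetest entry is dropped from dla-needed.txt together with its NOTE lines, but nothing in this push updates data/CVE/list for minetest (the only CVE/list hunk touches CVE-2022-23304), so the decision recorded in the removed `NOTE: 20220131: Games are not supported in LTS but I try to fix this problem in stable (apo)` line survives only in the deleted text and in the commit message "I have contacted utkarsh (frontdesk)". Consider adding the corresponding stretch marker in data/CVE/list for the minetest issue (for instance a `[stretch]` line noting that games are unsupported in LTS) so the queue removal leaves a traceable status.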
@@ -97,10 +92,7 @@ varnish
   NOTE: 20220130: also fix no-dsa issues. (utkarsh)
   NOTE: 20220130: VRB_Ignore function is very different from what's in the patch. (utkarsh)
 --
-vim
---
-wpa (Markus Koschany)
-  NOTE: 20220124: CVE-2018-9495 has been applied
+vim (Markus Koschany)
 --
 zabbix (Sylvain Beucler)
 --
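Review bot: the removed line `NOTE: 20220124: CVE-2018-9495 has been applied` cites CVE-2018-9495, whereas the commit message and the data/CVE/list entry in this push refer to CVE-2019-9495 (the w1.fi 2019-2 advisory); the note is being deleted so nothing needs to change in this hunk, but if the wpa entry is ever re-added to dla-needed.txt the identifier should read CVE-2019-9495 so the queue history matches data/CVE/list. The `vim (Markus Koschany)` replacement follows the file's existing `package (Claimant)` convention and matches the "Claim vim in dla-needed.txt" commit.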



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0c2704be1ce1c7e7b24dcbc4087feae9d6a931d1...27b20f74a1ddd38a3088ec49ef6b175e13d754bc
