[Git][security-tracker-team/security-tracker][master] Reserve DLA-4123-1 for wpa

Bastien Roucariès (@rouca) rouca at debian.org
Sat Apr 12 20:48:01 BST 2025



Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
64c1f75f by Bastien Roucariès at 2025-04-12T21:47:48+02:00
Reserve DLA-4123-1 for wpa

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -232997,7 +232997,6 @@ CVE-2022-37661 (SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable t
 CVE-2022-37660 (In hostapd 2.10 and earlier, the PKEX code remains active even after a ...)
 	- wpa 2:2.10-24
 	[bookworm] - wpa <no-dsa> (Minor issue)
-	[bullseye] - wpa <postponed> (Minor issue)
 	NOTE: https://link.springer.com/article/10.1007/s10207-025-00988-3
 	NOTE: Fixed by: https://w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4 (hostap_2_11)
 CVE-2022-37659
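Review bot: In the CVE-2022-37660 entry, removing `[bullseye] - wpa <postponed> (Minor issue)` while `[bookworm] - wpa <no-dsa> (Minor issue)` stays leaves the older release fixed and the newer one still unfixed, since the only fixed version listed is 2:2.10-24. Consider tracking a bookworm update for this CVE so that an upgrade from bullseye does not reintroduce the issue.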
@@ -275759,14 +275758,12 @@ CVE-2022-0246 (The settings of the iQ Block Country WordPress plugin before 1.2.
 	NOT-FOR-US: WordPress plugin
 CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...)
 	- wpa 2:2.10-1
-	[bullseye] - wpa <no-dsa> (Minor issue)
 	[buster] - wpa <no-dsa> (Minor issue)
 	[stretch] - wpa <ignored> (Minor issue)
 	NOTE: https://w1.fi/security/2022-1/
 	NOTE: Issue exists because of an incomplete fix for CVE-2019-9495
 CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...)
 	- wpa 2:2.10-1
-	[bullseye] - wpa <no-dsa> (Minor issue)
 	[buster] - wpa <no-dsa> (Minor issue)
 	[stretch] - wpa <not-affected> (CVE-2019-9494 was not applied and is marked as ignored)
 	NOTE: https://w1.fi/security/2022-1/
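Review bot: Under CVE-2022-23304 and CVE-2022-23303 the `[bullseye] - wpa <no-dsa>` lines are removed, but nothing in this file links the entries to DLA-4123-1, so bullseye's status for both now rests entirely on the new data/DLA/list record. If the cross-reference is not produced by a later automated update, add it to each entry here.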


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[12 Apr 2025] DLA-4123-1 wpa - security update
+	{CVE-2022-23303 CVE-2022-23304 CVE-2022-37660}
+	[bullseye] - wpa 2:2.9.0-21+deb11u3
 [09 Apr 2025] DLA-4122-1 libbssolv-perl - security update
 	[bullseye] - libbssolv-perl 0.17-3+deb11u1
 [08 Apr 2025] DLA-4121-1 phpmyadmin - security update


=====================================
data/dla-needed.txt
=====================================
@@ -336,11 +336,6 @@ wget (Adrian Bunk)
   NOTE: 20250409: Follow fixes from bookworm 12.10 (CVE-2024-38428)
   NOTE: 20250409: Also check postponed issues (Beuc/front-desk)
 --
-wpa (rouca)
-  NOTE: 20250409: Added by Front-Desk (Beuc)
-  NOTE: 20250409: Also address pending side-channel issues CVE-2022-23303/CVE-2022-23304 (Beuc/front-desk)
-  NOTE: 20250410: Wait for review (rouca)
---
 xmlrpc-c (Adrian Bunk)
   NOTE: 20250411: Added by Front-Desk (Beuc)
   NOTE: 20250411: See issues with old embedded expat library:
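Review bot: The removed wpa entry ends with `NOTE: 20250410: Wait for review (rouca)`, and nothing visible in this change records that the review took place or how it concluded. Mention the outcome in the commit message, or confirm it before dropping the entry, so the history shows why the hold was lifted.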



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64c1f75fbe15975e547c60801d407c2ea006b7e1
