[Pkg-utopia-maintainers] Bug#560067: CVE-2009-4144: WPA enterprise network not verified when certificate is removed

Giuseppe Iuculano giuseppe at iuculano.it
Sat Jan 2 14:47:58 UTC 2010


Hi,

this issue got a CVE id:

CVE-2009-4144[0]:
| NetworkManager (NM) 0.7.2 does not ensure that the configured
| Certification Authority (CA) certificate file for a (1) WPA Enterprise
| or (2) 802.1x network remains present upon a connection attempt, which
| might allow remote attackers to obtain sensitive information or cause
| a denial of service (connectivity disruption) by spoofing the identity
| of a wireless network.

Unfortunately, the vulnerability described above is not important enough
to get it fixed via a regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4144
    http://security-tracker.debian.org/tracker/CVE-2009-4144
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable


