Debian Security Advisory DSA 3397-1 (wpa - security update)

Several vulnerabilities have been discovered in wpa_supplicant and hostapd. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2015-4141 Kostya Kortchinsky of the Google Security Team discovered a vulnerability in the WPS UPnP function with HTTP chunked transfer encoding which may result in a denial of service. CVE-2015-4142 Kostya Kortchinsky of the Google Security Team discovered a vulnerability in the WMM Action frame processing which may result in a denial of service. CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146 Kostya Kortchinsky of the Google Security Team discovered that EAP-pwd payload is not properly validated which may result in a denial of service. CVE-2015-5310 Jouni Malinen discovered a flaw in the WMM Sleep Mode Response frame processing. A remote attacker can take advantage of this flaw to mount a denial of service. CVE-2015-5314 CVE-2015-5315 Jouni Malinen discovered a flaw in the handling of EAP-pwd messages which may result in a denial of service. CVE-2015-5316 Jouni Malinen discovered a flaw in the handling of EAP-pwd Confirm messages which may result in a denial of service. CVE-2015-8041 Incomplete WPS and P2P NFC NDEF record payload length validation may result in a denial of service.

wpa on Debian Linux

This check tests the installed software version using the apt package manager.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.0-3+deb7u3. The oldstable distribution (wheezy) is only affected by CVE-2015-4141, CVE-2015-4142, CVE-2015-4143 and CVE-2015-8041 . For the stable distribution (jessie), these problems have been fixed in version 2.3-1+deb8u3. We recommend that you upgrade your wpa packages.