1. 07 Nov, 2018 1 commit
    • mac80211: add iw command wrapper with error logging · 10eb247e
      Rafał Miłecki authored
      
      
      Currently it's close to impossible to tell what part of mac80211 setup
      went wrong. Errors logged into system log look like this:
      radio0 (6155): command failed: No error information (-524)
      radio0 (6155): command failed: Not supported (-95)
      radio0 (6155): command failed: I/O error (-5)
      radio0 (6155): command failed: Too many open files in system (-23)
      
      With this commit change it's getting clear:
      command failed: No error information (-524)
      Failed command: iw dev wlan0 del
      command failed: Not supported (-95)
      Failed command: iw phy phy0 set antenna_gain 0
      command failed: I/O error (-5)
      Failed command: iw phy phy0 set distance 0
      command failed: Too many open files in system (-23)
      Failed command: iw phy phy0 interface add wlan0 type __ap
      Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
      (cherry picked from commit ffa80bf5)
  2. 12 Sep, 2018 1 commit
  3. 02 Sep, 2018 2 commits
  4. 30 Aug, 2018 7 commits
  5. 27 Aug, 2018 1 commit
  6. 22 Aug, 2018 1 commit
  7. 21 Aug, 2018 9 commits
  8. 17 Aug, 2018 1 commit
  9. 16 Aug, 2018 10 commits
  10. 15 Aug, 2018 2 commits
  11. 10 Aug, 2018 5 commits
    • mbedtls: update to version 2.7.5 · 5886a506
      Hauke Mehrtens authored
      
      
      This fixes the following security problems:
      * CVE-2018-0497: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel
      * CVE-2018-0498: Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel
      Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    • curl: fix some security problems · 9bc43f3e
      Hauke Mehrtens authored
      
      
      This fixes the following security problems:
      * CVE-2017-1000254: FTP PWD response parser out of bounds read
      * CVE-2017-1000257: IMAP FETCH response out of bounds read
      * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
      * CVE-2018-1000007: HTTP authentication leak in redirects
      * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
      * CVE-2018-1000121: LDAP NULL pointer dereference
      * CVE-2018-1000122: RTSP RTP buffer over-read
      * CVE-2018-1000301: RTSP bad headers buffer over-read
      Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    • wpa_supplicant: fix CVE-2018-14526 · b3983323
      John Crispin authored
      Unauthenticated EAPOL-Key decryption in wpa_supplicant
      
      Published: August 8, 2018
      Identifiers:
      - CVE-2018-14526
      Latest version available from: https://w1.fi/security/2018-1/
      
      Vulnerability
      
      A vulnerability was found in how wpa_supplicant processes EAPOL-Key
      frames. It is possible for an attacker to modify the frame in a way that
      makes wpa_supplicant decrypt the Key Data field without requiring a
      valid MIC value in the frame, i.e., without the frame being
      authenticated. This has a potential issue in the case where WPA2/RSN
      style of EAPOL-Key construction is used with TKIP negotiated as the
      pairwise cipher. It should be noted that WPA2 is not supposed to be used
      with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
      and with that pairwise cipher, this vulnerability is not applicable in
      practice.
      
      When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
      field is encrypted using RC4. This vulnerability allows unauthenticated
      EAPOL-Key frames to be processed and due to the RC4 design, this makes
      it possible for an attacker to modify the plaintext version of the Key
      Data field with bitwise XOR operations without knowing the contents.
      This can be used to cause a denial of service attack by modifying
      GTK/IGTK on the station (without the attacker learning any of the keys)
      which would prevent the station from accepting received group-addressed
      frames. Furthermore, this might be abused by making wpa_supplicant act
      as a decryption oracle to try to recover some of the Key Data payload
      (GTK/IGTK) to get knowledge of the group encryption keys.
      
      Full recovery of the group encryption keys requires multiple attempts
      (128 connection attempts per octet) and each attempt results in
      disconnection due to a failure to complete the 4-way handshake. These
      failures can result in the AP/network getting disabled temporarily or
      even permanently (requiring user action to re-enable) which may make it
      impractical to perform the attack to recover the keys before the AP has
      already changed the group keys. By default, wpa_supplicant is enforcing
      at minimum a ten second wait time between each failed connection
      attempt, i.e., over 20 minutes waiting to recover each octet while
      hostapd AP implementation uses 10 minute default for GTK rekeying when
      using TKIP. With such timing behavior, a practical attack would need a large
      number of impacted stations to be trying to connect to the same AP to be
      able to recover sufficient information from the GTK to be able to
      determine the key before it gets changed.
      
      Vulnerable versions/configurations
      
      All wpa_supplicant versions.
      
      Acknowledgments
      
      Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
      Leuven for discovering and reporting this issue.
      
      Possible mitigation steps
      
      - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
      can be done also on the AP side.
      
      - Merge the following commits to wpa_supplicant and rebuild:
      
      WPA: Ignore unauthenticated encrypted EAPOL-Key data
      
      This patch is available from https://w1.fi/security/2018-1/
      
      
      
      - Update to wpa_supplicant v2.7 or newer, once available
      Signed-off-by: John Crispin <john@phrozen.org>
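
The RC4 property the advisory above relies on, and why the fix ignores unauthenticated encrypted Key Data, shown as an added example that is not part of the commit or of wpa_supplicant. It is a simplified model: the frame is a dict, the MIC is a stand-in (HMAC-SHA1 truncated to 16 bytes), all keys and data are constructed, and the condition that skipped the MIC check in wpa_supplicant is not modelled.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def compute_mic(kck: bytes, key_data: bytes) -> bytes:
    # Stand-in MIC (assumption): HMAC-SHA1 truncated to 16 bytes.
    return hmac.new(kck, key_data, hashlib.sha1).digest()[:16]

def build_frame(kek: bytes, kck: bytes, plaintext: bytes) -> dict:
    enc = rc4(kek, plaintext)
    return {"key_data": enc, "mic": compute_mic(kck, enc)}

def receive_without_mic_check(kek: bytes, frame: dict) -> bytes:
    # Models the flawed path: Key Data is decrypted although nothing authenticated it.
    return rc4(kek, frame["key_data"])

def receive_with_mic_check(kek: bytes, kck: bytes, frame: dict):
    # Models the fix: encrypted Key Data without a valid MIC is ignored.
    if not hmac.compare_digest(frame["mic"], compute_mic(kck, frame["key_data"])):
        return None
    return rc4(kek, frame["key_data"])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not taken from any real handshake.
KEK, KCK = b"constructed-kek!", b"constructed-kck!"
KEY_DATA = bytes(range(16))
DELTA = bytes([0x80] + [0] * 15)              # bits changed while the frame is in transit
GENUINE = build_frame(KEK, KCK, KEY_DATA)
MODIFIED = dict(GENUINE, key_data=xor(GENUINE["key_data"], DELTA))

if __name__ == "__main__":
    print(receive_without_mic_check(KEK, MODIFIED) == xor(KEY_DATA, DELTA))
    print(receive_with_mic_check(KEK, KCK, MODIFIED))
```

The receiver that skips the MIC check ends up with Key Data that differs from the original by exactly `DELTA`, while the receiver that verifies the MIC first discards the modified frame and still accepts the genuine one.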
    • tools: findutils: fix compilation with glibc 2.28 · 6449ed15
      Luis Araneda authored
      
      
      Add a temporary workaround to compile with glibc 2.28
      as some constants were removed and others made private
      Signed-off-by: Luis Araneda <luaraneda@gmail.com>
    • tools: m4: fix compilation with glibc 2.28 · 6e78c550
      Luis Araneda authored
      
      
      Add a temporary workaround to compile with glibc 2.28
      as some constants were removed and others made private
      Signed-off-by: Luis Araneda <luaraneda@gmail.com>