Eight patches have been posted, so it should be easy to patch 2.5, MFC, and bring head up to 2.6 later. This should avoid the risk of possible regressions.

I haven't looked at the ports.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.

Cy Schubert
<Cy.Schubert_at_cschubert.com> or <cy_at_freebsd.org>

-----Original Message-----
From: Rodney W. Grimes
Sent: 16/10/2017 11:14
To: Kevin Oberman
Cc: Adrian Chadd; Cy Schubert; Lev Serebryakov; blubee blubeeme; Poul-Henning Kamp; FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni

> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd <adrian.chadd_at_gmail.com>
> wrote:
>
> > hi,
> >
> > I got the patches a couple days ago. I've been busy with personal life
> > stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> > someone beats me to it, great, otherwise I'll try to do it in the next
> > couple days.
> >
> > I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> > everything to but so far nope. It should be easy enough to update the
> > port for now as it's at 2.6.
> >
> >
> >
> > -adrian
> >
> >
> > On 16 October 2017 at 06:04, Cy Schubert <Cy.Schubert_at_komquats.com> wrote:
> > > In message <44161b4d-f834-a01d-6ddb-475f208762f9_at_FreeBSD.org>, Lev
> > Serebryakov
> > > writes:
> > >> On 16.10.2017 13:38, blubee blubeeme wrote:
> > >>
> > >> > well, that's a cluster if I ever seen one.
> > >> It is really cluster: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
> > >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084,
> > >> CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> > >
> > > The gory details are here:
> > > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> > >
> > > The announcement is here:
> > > https://www.krackattacks.com/
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert <Cy.Schubert_at_cschubert.com>
> > > FreeBSD UNIX: <cy_at_FreeBSD.org> Web: http://www.FreeBSD.org
> > >
> > > The need of the many outweighs the greed of the few.
> > >
> >
>
> While I do not encourage waiting, it is quite likely that the upstream
> patch will show up very soon now that the vulnerability is public.
>
> It's also worth noting that fixing either end of the connection is all that
> is required, as I understand it. So getting an update for your AP is not
> required. That is very fortunate as the industry has a rather poor record
> of getting out firmware updates for hardware more than a few months old.
> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> their implementation of the WPA2 spec. (Of course, if you update your
> AP(s), you no longer need to worry about your end devices.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From my reading of the attack it is the client side that must be fixed,
you can not mitigate the client side bug by an update to the AP.

> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman_at_gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
>

--
Rod Grimes rgrimes_at_freebsd.org

Received on Mon Oct 16 2017 - 16:50:55 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:13 UTC