Advisories » MGASA-2016-0199

Updated wpa_supplicant packages fix security vulnerabilities

Publication date: 21 May 2016
Modification date: 21 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-4476, CVE-2016-4477

Description

Updated wpa_supplicant packages fix security vulnerabilities:

A vulnerability was found in how wpa_supplicant writes the configuration file
update for the WPA/WPA2 passphrase parameter. If this parameter has been
updated to include control characters either through a WPS operation
(CVE-2016-4476) or through local configuration change over the wpa_supplicant
control interface (CVE-2016-4477), the resulting configuration file may prevent
the wpa_supplicant from starting when the updated file is used. In addition, it
may be possible to load a local library file and execute code from there with
the same privileges under which the wpa_supplicant process runs.
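
The following is an added example, not code from the advisory or from wpa_supplicant: one way a configuration writer can refuse a passphrase containing control characters before it reaches the file. The function names, the error codes and the sample inputs are constructed for illustration; the 8..63 character range is the standard WPA/WPA2 passphrase length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum psk_check { PSK_OK = 0, PSK_BAD_LENGTH = -1, PSK_CTRL_CHAR = -2, PSK_NO_SPACE = -3 };

/* Return 1 if any byte is an ASCII control character (0x00-0x1f or 0x7f). */
static int has_control_char(const unsigned char *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (data[i] < 32 || data[i] == 127)
            return 1;
    return 0;
}

/* The length is passed explicitly: data received over WPS or the control
 * interface is a byte string and may contain an embedded NUL. */
static enum psk_check check_passphrase(const char *pass, size_t len)
{
    if (len < 8 || len > 63)            /* WPA/WPA2 passphrase: 8..63 chars */
        return PSK_BAD_LENGTH;
    if (has_control_char((const unsigned char *)pass, len))
        return PSK_CTRL_CHAR;
    return PSK_OK;
}

/* Hypothetical writer: emits the psk line only for a passphrase that passed
 * validation. Returns bytes written, or a negative psk_check code. */
static int write_psk_line(char *out, size_t out_len, const char *pass, size_t len)
{
    enum psk_check rc = check_passphrase(pass, len);
    if (rc != PSK_OK)
        return rc;
    int n = snprintf(out, out_len, "\tpsk=\"%.*s\"\n", (int)len, pass);
    return (n < 0 || (size_t)n >= out_len) ? PSK_NO_SPACE : n;
}

int main(void)
{
    char line[80];
    /* Constructed sample inputs, not taken from the advisory. */
    const char good[] = "correct horse battery";
    const char bad[] = "goodpass\nextra_line";
    printf("good: %d\n", write_psk_line(line, sizeof(line), good, strlen(good)));
    printf("bad:  %d\n", write_psk_line(line, sizeof(line), bad, strlen(bad)));
    return 0;
}
```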
                

References

SRPMS

5/core