-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0959
                         hostapd security update
                               9 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           hostapd
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4445

Original Bulletin:
   http://www.debian.org/security/2012/dsa-2557

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running hostapd check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2557-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
October 08, 2012                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : hostapd
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4445

Timo Warns discovered that the internal authentication server of hostapd,
a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator, is
vulnerable to a buffer overflow when processing fragmented EAP-TLS messages.
As a result, an internal overflow checking routine terminates the process.
An attacker can abuse this flaw to conduct denial of service attacks via
crafted EAP-TLS messages prior to any authentication.

For the stable distribution (squeeze), this problem has been fixed in
version 0.6.10-2+squeeze1.
For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.

We recommend that you upgrade your hostapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBykZ8ACgkQHYflSXNkfP8KMwCgrZevrVOPeI76Vm4q6LfvTMLi
bJsAoKp8uuLyBRYI1JewUwPrWTFtdr3c
=VOSf
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUHNrLe4yVqjM2NGpAQLesg/6AlmG7JqWCxmG+x1fTbnBH4Ui9ZDfhR69
Jn5c8saJLYk4pAvzVel2r1JtipY78Eqqx9wYHzP1KjIOppN4BjsKzK4WS42/xEq5
AQnX3W5f60UA2SWlfhimCxhZZdMil0HXrF1V17BwaiN22HJ5bPbOdI4ZJCgf61/i
56tJVUJr7woDpPnIXYp06mTUoKLJIfkyddGgn+Ji7OP/Btx/pu8MsQ+Rq8BVQ7DC
fz6oo33pGq5upHpz1xqziQ34FdDgOrGceQAiSZoUI5sFUiugbOb0vttL9TBFRSST
Sc6QA6Yd6Bw9HrCtOfRQJF8Ql73u4JCrs8/kXY4gkklC4OA2wmVwRawKHXdLo2op
zyl0wliF7UkkmD+EjJ77X+WFnPyk4hCA8dP9MQ/ZR2sjNnWDrfoWWY3Tn1ga80XR
YIbujUItaGcsdhAfUrGKagJlz9h7Ey8KrarFBHcNSUCE9f2SK9H3F1jZ9H6qYC5L
LdFUY+a02TiLqObm5BMxacilisKqoJibsVosh7BtltVG67pHwftdEc6TFKpMWZ1G
gGvSZkxLTCCcXuOx7ZON2bv6CYCPQrgrga38MgF7O7mK6iG+eHQHb8+PMcUO5fcx
84xu0tPdL1WgHbI85dmPDEVL/RUG9Tk0h3tcx7X7uBhm2LZb9i47RdrJoiZdQne3
c9yvdY7UyQg=
=VQD3
-----END PGP SIGNATURE-----
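Editor's worked example. The failure mode the DSA above describes (fragmented EAP-TLS messages reassembled into a buffer until an internal overflow check terminates the process) is modelled below in C. This is an added illustration, not hostapd's code: the fragment layout is the EAP-TLS format from RFC 5216 (a flags byte with L and M bits, an optional 4-byte TLS Message Length, then data), but the `reasm` structure, `buf_put`, `process_fragment`, the `demo_*` functions, the 64 KiB cap and the constructed fragments are assumptions made for this example and do not claim to match hostapd's internals. The weak path reproduces the advisory's outcome: an abort-style guard stops memory corruption, at the price of the whole daemon. The validated path checks each fragment against the announced total before it touches the buffer and drops only the offending EAP session.

```c
/* Model of EAP-TLS fragment reassembly (added example, not hostapd's code).
 * Fragment layout per RFC 5216: flags byte (L = 0x80: 4-byte big-endian TLS
 * Message Length follows; M = 0x40: more fragments follow), then TLS data.
 * The announced length comes from an unauthenticated peer, so received bytes
 * must never be allowed to outrun it. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EAP_TLS_FLAG_L 0x80
#define EAP_TLS_FLAG_M 0x40
#define TLS_MSG_MAX    65536u   /* largest message this model buffers (assumption) */

enum { FRAG_OK = 0, FRAG_DONE = 1, FRAG_REJECT = -1, FRAG_ABORT = -2 };
struct reasm { uint8_t *buf; size_t size, used; };   /* size = announced total */

static void reasm_reset(struct reasm *r)
{
    free(r->buf);
    r->buf = NULL;
    r->size = r->used = 0;
}

/* Append with a last-ditch overflow guard. In a daemon this guard is an
 * abort(): no memory corruption, but the process dies (the advisory's DoS). */
static int buf_put(struct reasm *r, const uint8_t *d, size_t n)
{
    if (n > r->size - r->used)
        return FRAG_ABORT;
    memcpy(r->buf + r->used, d, n);
    r->used += n;
    return FRAG_OK;
}

/* validate = 0: rely on buf_put's guard only (the weak pattern). validate = 1:
 * bound the fragment by the announced length first; fail the session, not the process. */
static int process_fragment(struct reasm *r, const uint8_t *pkt, size_t len, int validate)
{
    if (len < 1)
        return FRAG_REJECT;
    uint8_t flags = pkt[0];
    const uint8_t *data = pkt + 1;
    size_t dlen = len - 1;
    if (flags & EAP_TLS_FLAG_L) {
        if (dlen < 4)
            return FRAG_REJECT;
        uint32_t total = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                         ((uint32_t)data[2] << 8) | data[3];
        data += 4;
        dlen -= 4;
        if (r->buf == NULL) {                 /* first fragment: size the buffer */
            if (total == 0 || total > TLS_MSG_MAX || (r->buf = malloc(total)) == NULL)
                return FRAG_REJECT;
            r->size = total;
            r->used = 0;
        }
    } else if (r->buf == NULL) {
        return FRAG_REJECT;                   /* simplification: a first fragment needs L */
    }
    if (validate && dlen > r->size - r->used) {   /* the fix */
        reasm_reset(r);
        return FRAG_REJECT;
    }
    int rc = buf_put(r, data, dlen);
    if (rc != FRAG_OK)
        return rc;                            /* FRAG_ABORT: weak path, daemon dead */
    return (flags & EAP_TLS_FLAG_M) ? FRAG_OK : FRAG_DONE;
}

/* Constructed fragments (not captured traffic). */
static const uint8_t FRAG1[]     = { 0xC0, 0, 0, 0, 8, 'a', 'b', 'c', 'd' };     /* L|M, total 8 */
static const uint8_t FRAG2_OK[]  = { 0x00, 'e', 'f', 'g', 'h' };                  /* final 4 bytes */
static const uint8_t FRAG2_BIG[] = { 0x00, 'e', 'f', 'g', 'h', 'i', 'j', 'k' };   /* 7 bytes, 4 left */
static const uint8_t FRAG_LIAR[] = { 0x80, 0, 0, 0, 2, 'a', 'b', 'c' };           /* claims 2, carries 3 */

/* Feed one or two fragments (f2 may be NULL); returns the final result code. */
int demo_feed(const uint8_t *f1, size_t l1, const uint8_t *f2, size_t l2, int validate)
{
    struct reasm r = { NULL, 0, 0 };
    int rc = process_fragment(&r, f1, l1, validate);
    if (rc == FRAG_OK && f2 != NULL)
        rc = process_fragment(&r, f2, l2, validate);
    reasm_reset(&r);
    return rc;
}

/* Well-formed two-fragment message: returns the reassembled length, 8. */
int demo_valid_length(void)
{
    struct reasm r = { NULL, 0, 0 };
    int rc = process_fragment(&r, FRAG1, sizeof FRAG1, 1);
    if (rc == FRAG_OK)
        rc = process_fragment(&r, FRAG2_OK, sizeof FRAG2_OK, 1);
    int n = (rc == FRAG_DONE && memcmp(r.buf, "abcdefgh", 8) == 0) ? (int)r.used : -1;
    reasm_reset(&r);
    return n;
}
```

Calling demo_feed with FRAG1 followed by FRAG2_BIG returns FRAG_ABORT with validate set to 0 and FRAG_REJECT with validate set to 1; FRAG_LIAR, a first fragment that already exceeds its own announced length, gives the same pair of outcomes, and demo_valid_length returns 8. The point generalises to any reassembly code that sizes a buffer from a length the remote peer supplies: the bound must be enforced on every fragment before it is copied, and an abort()-style guard inside the buffer helper is a memory-safety backstop, not an input validator, because a pre-authentication peer can trigger it at will.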