-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0959
                          hostapd security update
                              9 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           hostapd
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4445  

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2557

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running hostapd check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2557-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
October 08, 2012                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : hostapd
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4445

Timo Warns discovered that the internal authentication server of hostapd,
a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
is vulnerable to a buffer overflow when processing fragmented EAP-TLS
messages.  The overflow is caught by an internal overflow check, but that
check terminates the hostapd process.  Because the affected code runs
prior to any authentication, an unauthenticated attacker can crash the
authenticator with crafted EAP-TLS messages, resulting in a denial of
service.
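The fragment-handling pattern the advisory describes, as an added illustration that is neither hostapd's code nor the Debian fix: a reassembly buffer is sized once from the TLS Message Length announced in the first EAP-TLS fragment (Flags byte, optional 4-byte length, data, per RFC 5216), later fragments are appended to it, and an overflow trap aborts the process rather than letting memory be corrupted. The hardened path rejects a fragment that exceeds the announced size before appending it, which turns a remote crash into a dropped packet. All identifiers, the 64 KiB length cap and the sample fragments are this example's own constructions, not values from hostapd or the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EAP_TLS_FLAG_L 0x80    /* RFC 5216: 4-byte TLS Message Length follows the Flags byte */
#define EAP_TLS_FLAG_M 0x40    /* RFC 5216: more fragments follow */
#define MAX_TLS_MSG_LEN 65536u /* cap on the announced length; this example's assumption */

/* Fixed-capacity reassembly buffer, allocated once from the announced length
 * and filled by appending fragments. Names here are this example's own. */
struct frag_buf {
    size_t size;   /* capacity */
    size_t used;   /* bytes appended so far */
    uint8_t data[];
};

/* Stand-in for the advisory's "internal overflow checking routine": an append
 * past capacity never corrupts memory, but it kills the process, and reaching
 * it from unauthenticated network input is the denial of service. */
static void frag_buf_put(struct frag_buf *b, const uint8_t *p, size_t len)
{
    if (len > b->size - b->used)
        abort();
    memcpy(b->data + b->used, p, len);
    b->used += len;
}

/* Feed one EAP-TLS fragment (Flags, optional TLS Message Length, data) into the
 * buffer at *in. Returns 1 when the message is complete, 0 when more fragments
 * are expected, -1 on a malformed or rejected fragment. hardened == 0 trusts the
 * announced length and relies on frag_buf_put()'s trap (the pre-fix pattern);
 * hardened == 1 rejects an oversized fragment before the append. */
static int process_fragment(struct frag_buf **in, const uint8_t *frag,
                            size_t frag_len, int hardened)
{
    if (frag_len < 1)
        return -1;
    uint8_t flags = frag[0];
    const uint8_t *payload = frag + 1;
    size_t payload_len = frag_len - 1;
    if (flags & EAP_TLS_FLAG_L) {
        if (payload_len < 4)
            return -1;
        uint32_t total = ((uint32_t)payload[0] << 24) | ((uint32_t)payload[1] << 16) |
                         ((uint32_t)payload[2] << 8) | payload[3];
        payload += 4;
        payload_len -= 4;
        if (*in == NULL) {  /* first fragment: size the buffer from the announcement */
            if (total == 0 || total > MAX_TLS_MSG_LEN)
                return -1;
            if ((*in = calloc(1, sizeof(**in) + total)) == NULL)
                return -1;
            (*in)->size = total;
        }
    } else if (*in == NULL) {
        return -1;  /* the first fragment must announce the total length */
    }
    if (hardened && payload_len > (*in)->size - (*in)->used)
        return -1;  /* crafted fragment carries more than was announced */
    frag_buf_put(*in, payload, payload_len);
    if (flags & EAP_TLS_FLAG_M)
        return 0;
    return (*in)->used == (*in)->size ? 1 : -1;  /* final fragment must complete it */
}

/* Constructed sample fragments, not captured traffic. FRAG1 announces an 8-byte
 * TLS message and carries 4 bytes; FRAG2_OK brings the remaining 4; FRAG2_BAD is
 * marked final but carries 8, twice what the announcement left room for. */
static const uint8_t FRAG1[] = { 0xC0, 0x00, 0x00, 0x00, 0x08, 0x16, 0x03, 0x01, 0x00 };
static const uint8_t FRAG2_OK[] = { 0x00, 0x04, 0x00, 0x00, 0x00 };
static const uint8_t FRAG2_BAD[] = { 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

/* Run one case end to end. Returns the last process_fragment() result and,
 * through *used, how many bytes had been reassembled when it stopped. */
static int run_case(int crafted, int hardened, size_t *used)
{
    const uint8_t *frags[2] = { FRAG1, crafted ? FRAG2_BAD : FRAG2_OK };
    size_t lens[2] = { sizeof(FRAG1), crafted ? sizeof(FRAG2_BAD) : sizeof(FRAG2_OK) };
    struct frag_buf *in = NULL;
    int rc = -1;
    for (size_t i = 0; i < 2; i++) {
        rc = process_fragment(&in, frags[i], lens[i], hardened);
        if (rc != 0)
            break;
    }
    if (used)
        *used = in ? in->used : 0;
    free(in);
    return rc;
}

int main(void)
{
    size_t used;
    int rc = run_case(0, 1, &used);
    printf("well-formed, hardened: rc=%d, %zu bytes reassembled\n", rc, used);
    rc = run_case(1, 1, &used);  /* run_case(1, 0, ...) would hit abort() instead */
    printf("crafted, hardened: rc=%d, %zu bytes kept, process still alive\n", rc, used);
    return 0;
}
```

Build with cc -std=c99 -Wall. Feeding the crafted second fragment through the unhardened path (hardened == 0) makes frag_buf_put() reach abort(), which is the pre-fix outcome the advisory describes: the trap prevents memory corruption but still lets an unauthenticated peer take the authenticator down. The hardened check rejects the same fragment and leaves the process running. This models the class of bug, not the exact code path in hostapd 0.6.10.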

For the stable distribution (squeeze), this problem has been fixed in
version 0.6.10-2+squeeze1.

For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.


We recommend that you upgrade your hostapd packages and then confirm (for
example with dpkg -s hostapd) that the installed version is
0.6.10-2+squeeze1 or later.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBykZ8ACgkQHYflSXNkfP8KMwCgrZevrVOPeI76Vm4q6LfvTMLi
bJsAoKp8uuLyBRYI1JewUwPrWTFtdr3c
=VOSf
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----