From: Cy Schubert
Reply-to: Cy Schubert
To: Oliver Pinter
cc: Adrian Chadd, Kevin Oberman, Cy Schubert, Lev Serebryakov, blubee blubeeme, Poul-Henning Kamp, FreeBSD current
Subject: Re: cve-2017-13077 - WPA2 security vulni
In-Reply-To: Message from Oliver Pinter of "Mon, 16 Oct 2017 20:09:37 +0200."
Date: Mon, 16 Oct 2017 12:36:27 -0700
Message-Id: <201710161936.v9GJaRLo072189@slippy.cwsent.com>
List-Id: Discussions about the use of FreeBSD-current

Looking at the wpa_supplicant port, it may be a quicker win than base at the
moment. I don't have much of my lunch hour left to complete anything.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.

In message , Oliver Pinter writes:
> Hi Adrian!
>
> How big an effort is it to update the in-tree wpa_supplicant/hostapd to the
> latest supported version?
> Is there any known regression / feature loss when doing the upgrade?
>
> On 10/16/17, Adrian Chadd wrote:
> > Right, there are backported patches against 2.6, but we're running 2.5
> > in contrib/ .
> >
> > This is all "I'm out of time right now", so if someone wants to do the
> > ports work and/or the contrib work with the patches for this vuln then
> > please do. I should be able to get to it in the next few days but I'm
> > busy with family and employment.
> >
> > -adrian
> >
> >
> > On 16 October 2017 at 10:19, Kevin Oberman wrote:
> >> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd wrote:
> >>>
> >>> hi,
> >>>
> >>> I got the patches a couple days ago. I've been busy with personal life
> >>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If
> >>> someone beats me to it, great, otherwise I'll try to do it in the next
> >>> couple days.
> >>>
> >>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update
> >>> everything to but so far nope. It should be easy enough to update the
> >>> port for now as it's at 2.6.
> >>>
> >>> -adrian
> >>>
> >>>
> >>> On 16 October 2017 at 06:04, Cy Schubert wrote:
> >>> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev
> >>> > Serebryakov writes:
> >>> >> On 16.10.2017 13:38, blubee blubeeme wrote:
> >>> >>
> >>> >> > well, that's a cluster if I ever seen one.
> >>> >> It is really a cluster: CVE-2017-13077, CVE-2017-13078,
> >>> >> CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
> >>> >> CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
> >>> >
> >>> > The gory details are here:
> >>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
> >>> >
> >>> > The announcement is here:
> >>> > https://www.krackattacks.com/
> >>> >
> >>> >
> >>> > --
> >>> > Cheers,
> >>> > Cy Schubert
> >>> > FreeBSD UNIX: Web: http://www.FreeBSD.org
> >>> >
> >>> > The need of the many outweighs the greed of the few.
> >>> >
> >>
> >>
> >> While I do not encourage waiting, it is quite likely that the upstream
> >> patch will show up very soon now that the vulnerability is public.
> >>
> >> It's also worth noting that fixing either end of the connection is all
> >> that is required, as I understand it. So getting an update for your AP is
> >> not required.
> >> That is very fortunate as the industry has a rather poor record of
> >> getting out firmware updates for hardware more than a few months old.
> >> Also, it appears that Windows and iOS are not vulnerable due to flaws in
> >> their implementation of the WPA2 spec. (Of course, if you update your
> >> AP(s), you no longer need to worry about your end devices.)
> >> --
> >> Kevin Oberman, Part time kid herder and retired Network Engineer
> >> E-mail: rkoberman@gmail.com
> >> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
> > _______________________________________________
> > freebsd-current@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
> >