From owner-freebsd-current@freebsd.org Mon Oct 16 20:07:17 2017 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CDA09E43D4A for ; Mon, 16 Oct 2017 20:07:17 +0000 (UTC) (envelope-from cy.schubert@komquats.com) Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 91CF86B08A; Mon, 16 Oct 2017 20:07:17 +0000 (UTC) (envelope-from cy.schubert@komquats.com) Received: from spqr.komquats.com ([96.50.22.10]) by shaw.ca with SMTP id 4BfOeatv18LPZ4BfPedsj1; Mon, 16 Oct 2017 14:07:16 -0600 X-Authority-Analysis: v=2.2 cv=e552ceh/ c=1 sm=1 tr=0 a=jvE2nwUzI0ECrNeyr98KWA==:117 a=jvE2nwUzI0ECrNeyr98KWA==:17 a=kj9zAlcOel0A:10 a=02M-m0pO-4AA:10 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=VxmjJ2MpAAAA:8 a=pGLkceISAAAA:8 a=BWvPGDcYAAAA:8 a=yaAG3qJ-AAAA:8 a=oneE3R1DAAAA:8 a=DrAYh1O1B3FoTUCQS64A:9 a=CjuIK1q_8ugA:10 a=a4w0SzYmEskA:10 a=Ytm8v_FqGBcA:10 a=Fj9iO6pqr7gSyLvOkxId:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 a=7gXAzLPJhVmCkEl4_tsf:22 a=pxhY87DP9d2VeQe4joPk:22 a=oLVlbjkABFOu4cUI0CGI:22 a=2Fs401WYdkfDm1j_wOhm:22 Received: from slippy.cwsent.com (slippy8 [10.2.2.6]) by spqr.komquats.com (Postfix) with ESMTPS id 7CA7F7EF; Mon, 16 Oct 2017 13:07:14 -0700 (PDT) Received: from slippy (localhost [127.0.0.1]) by slippy.cwsent.com (8.15.2/8.15.2) with ESMTP id v9GK6v7G077342; Mon, 16 Oct 2017 13:06:57 -0700 (PDT) (envelope-from Cy.Schubert@cschubert.com) Message-Id: <201710162006.v9GK6v7G077342@slippy.cwsent.com> X-Mailer: exmh version 2.8.0 04/21/2012 with nmh-1.6 Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Cy Schubert cc: Oliver Pinter , Adrian Chadd , Kevin Oberman , Cy Schubert , Lev Serebryakov , blubee blubeeme , Poul-Henning Kamp , FreeBSD current Subject: Re: cve-2017-13077 - WPA2 security vulni In-Reply-To: Message from Cy Schubert of "Mon, 16 Oct 2017 12:36:27 -0700." <201710161936.v9GJaRLo072189@slippy.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 16 Oct 2017 13:06:57 -0700 X-CMAE-Envelope: MS4wfBkOGfq2kWPsEvTsdD7jSyfdFc1O5Pd4m8SNUv0KoOoFAqHHT11Se9Jk9RyJXpkEGBVNWFBZsnFVSkCHsoYoH8Ku3rKXvzycapZYjLVVq6dWWOMGzmLy 7xJaMYzoyxeJ42VSTsKDa+sQEB99gYzWlLfk+QbePtzNA6dzgLLtCQq0B/gTOVfJkv6xx+aniZILKFh22VKUoEhQPRspI3AjFuDCJ/I1l+WuFjteTdvS46db QKmS/t8MqteIvuTxbXbPwKM2J73OEAoZ68vfWRr2ttwIsxuoCDa5SzISG5XIosxjT9cVI2H7qFD3JFcbRzitrcEsrLGDOohCq3/JjU211UCbNpacr5WLG5bO SJz6+xUu X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Oct 2017 20:07:17 -0000 I'll commit the wpa_supplicant port now but I don't have enough time this lunch hour to create a vuxml entry or to update the hostapd port. It may be simpler to update base to 2.6 to facilitate patching. What do people think? -- Cheers, Cy Schubert FreeBSD UNIX: Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few. In message <201710161936.v9GJaRLo072189@slippy.cwsent.com>, Cy Schubert writes: > Looking at the wpa_supplicant port, it may be a quicker win than base at > the moment. > > I don't have much of my lunch hour left to complete anything. > > > -- > Cheers, > Cy Schubert > FreeBSD UNIX: Web: http://www.FreeBSD.org > > The need of the many outweighs the greed of the few. > > > In message om> > , Oliver Pinter writes: > > Hi Adrian! > > > > How big effort is to update he in-tree wpa_supplicant/hostapd to the > > latest supported version? > > Is there any known regression / feature loss when do the upgrade? > > > > On 10/16/17, Adrian Chadd wrote: > > > Right, there are backported patches against 2.6, but we're running 2.5 > > > in contrib/ . > > > > > > This is all "I'm out of time right now", so if someone wants to do the > > > ports work and/or the contrib work with the patches for this vuln then > > > please do. I should be able to get to it in the next few days but I'm > > > busy with family and employment. > > > > > > > > > > > > -adrian > > > > > > > > > On 16 October 2017 at 10:19, Kevin Oberman wrote: > > >> On Mon, Oct 16, 2017 at 8:55 AM, Adrian Chadd > > >> wrote: > > >>> > > >>> hi, > > >>> > > >>> I got the patches a couple days ago. I've been busy with personal life > > >>> stuff so I haven't updated our in-tree hostapd/wpa_supplicant. If > > >>> someone beats me to it, great, otherwise I'll try to do it in the next > > >>> couple days. > > >>> > > >>> I was hoping (!) for a hostap/wpa_supplicant 2.7 update to just update > > >>> everything to but so far nope. It should be easy enough to update the > > >>> port for now as it's at 2.6. > > >>> > > >>> > > >>> > > >>> -adrian > > >>> > > >>> > > >>> On 16 October 2017 at 06:04, Cy Schubert > > >>> wrote: > > >>> > In message <44161b4d-f834-a01d-6ddb-475f208762f9@FreeBSD.org>, Lev > > >>> > Serebryakov > > >>> > writes: > > >>> >> On 16.10.2017 13:38, blubee blubeeme wrote: > > >>> >> > > >>> >> > well, that's a cluster if I ever seen one. > > >>> >> It is really cluster: CVE-2017-13077, CVE-2017-13078, > > >>> >> CVE-2017-13079, > > >>> >> CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, > > >>> >> CVE-2017-13086,CVE-2017-13087, CVE-2017-13088. > > >>> > > > >>> > The gory details are here: > > >>> > https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-m > es > > sages.txt > > >>> > > > >>> > The announcement is here: > > >>> > https://www.krackattacks.com/ > > >>> > > > >>> > > > >>> > -- > > >>> > Cheers, > > >>> > Cy Schubert > > >>> > FreeBSD UNIX: Web: http://www.FreeBSD.org > > >>> > > > >>> > The need of the many outweighs the greed of the few. > > >>> > > > >> > > >> > > >> While I do not encourage waiting, it is quite likely that the upstream > > >> patch > > >> wil show up very soon now that the vulnerability is public. > > >> > > >> It's also worth noting that fixing either end of the connection is all > > >> that > > >> is required, as I understand it. So getting an update for your AP is not > > >> required. That is very fortunate as the industry has a rather poor recor > d > > >> of > > >> getting out firmware updates for hardware more than a few months old. > > >> Also, > > >> it appears that Windows and iOS are not vulnerable due to flaws in their > > >> implementation of the WPA2 spec. (Of course, if you update your AP(s), > > >> you > > >> no longer need to worry about your end devices. > > >> -- > > >> Kevin Oberman, Part time kid herder and retired Network Engineer > > >> E-mail: rkoberman@gmail.com > > >> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 > > > _______________________________________________ > > > freebsd-current@freebsd.org mailing list > > > https://lists.freebsd.org/mailman/listinfo/freebsd-current > > > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org > " > > > >