Debian Security Advisory
DSA-4898-1 wpa -- security update
- Date Reported:
- 22 Apr 2021
- Affected Packages:
- wpa
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 976106, Bug 981971.
In Mitre's CVE dictionary: CVE-2020-12695, CVE-2021-0326, CVE-2021-27803. - More information:
-
Several vulnerabilities have been discovered in wpa_supplicant and hostapd.
- CVE-2020-12695
It was discovered that hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service.
- CVE-2021-0326
It was discovered that wpa_supplicant does not properly process P2P (Wi-Fi Direct) group information from active group owners. An attacker within radio range of the device running P2P could take advantage of this flaw to cause a denial of service or potentially execute arbitrary code.
- CVE-2021-27803
It was discovered that wpa_supplicant does not properly process P2P (Wi-Fi Direct) provision discovery requests. An attacker within radio range of the device running P2P could take advantage of this flaw to cause a denial of service or potentially execute arbitrary code.
For the stable distribution (buster), these problems have been fixed in version 2:2.7+git20190128+0c1e29f-6+deb10u3.
We recommend that you upgrade your wpa packages.
For the detailed security status of wpa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wpa
- CVE-2020-12695