Your submission was sent successfully! Close

CVE-2016-4476

Published: 9 May 2016

hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
hostapd
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

precise Does not exist
(precise was needed)
trusty Does not exist

upstream Needs triage

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

wpa
Launchpad, Ubuntu, Debian
artful
Released (2.4-0ubuntu10)
bionic
Released (2.4-0ubuntu10)
cosmic
Released (2.4-0ubuntu10)
disco
Released (2.4-0ubuntu10)
eoan
Released (2.4-0ubuntu10)
focal
Released (2.4-0ubuntu10)
groovy
Released (2.4-0ubuntu10)
hirsute
Released (2.4-0ubuntu10)
precise Does not exist

trusty
Released (2.1-0ubuntu1.5)
upstream Needs triage

wily Ignored
(reached end-of-life)
xenial
Released (2.4-0ubuntu6.2)
yakkety Ignored
(reached end-of-life)
zesty
Released (2.4-0ubuntu9.1)
Patches:
upstream: http://w1.fi/security/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
upstream: http://w1.fi/security/2016-1/0002-Reject-psk-parameter-set-with-invalid-passphrase-cha.patch
upstream: http://w1.fi/security/2016-1/0003-Remove-newlines-from-wpa_supplicant-config-network-o.patch
upstream: http://w1.fi/security/2016-1/0004-Reject-SET_CRED-commands-with-newline-characters-in-.patch
upstream: http://w1.fi/security/2016-1/0005-Reject-SET-commands-with-newline-characters-in-the-s.patch
wpasupplicant
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

precise Ignored
(end of ESM support, was needed)
trusty Does not exist

upstream Needs triage

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist