Miroslav Lachman
2018-Aug-27 22:20 UTC
Was wpa_supplicant CVE-2018-14526 fixed in 10.4-p11?
Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:

# pkg audit FreeBSD-10.4_11
FreeBSD-10.4_11 is vulnerable:
wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
CVE: CVE-2018-14526
WWW: https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html

1 problem(s) in the installed packages found.

But information on the page shows it was fixed in 10.4-p10:

Affected packages
wpa_supplicant < 2.6_2
FreeBSD <= 10.4_10
FreeBSD <= 11.2_1

So... was it really fixed? Is there incorrect info in VuXML database file or on the web page?

Kind regards
Miroslav Lachman
Miroslav Lachman
2018-Aug-31 10:24 UTC
Was wpa_supplicant CVE-2018-14526 fixed in 10.4-p11? / PR 231054
Miroslav Lachman wrote on 2018/08/28 00:20:
> Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:
>
> # pkg audit FreeBSD-10.4_11
> FreeBSD-10.4_11 is vulnerable:
> wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
> CVE: CVE-2018-14526
> WWW:
> https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html
>
> 1 problem(s) in the installed packages found.
>
> But information on the page shows it was fixed in 10.4-p10:
>
> Affected packages
> wpa_supplicant < 2.6_2
> FreeBSD <= 10.4_10
> FreeBSD <= 11.2_1
>
> So... was it really fixed? Is there incorrect info in VuXML database
> file or on the web page?

As noted privately by Dan Lukes, there is a wrong entry in vuln.xml - missing < 10.4 and < 11.2 (start of the range)

--- vuln.xml.orig	2018-08-30 03:02:57.656941000 +0200
+++ vuln.xml	2018-08-31 12:13:53.564345000 +0200
@@ -525,8 +525,8 @@
       </package>
       <package>
        <name>FreeBSD</name>
-       <range><le>10.4_10</le></range>
-       <range><le>11.2_1</le></range>
+       <range><ge>10.4</ge><le>10.4_10</le></range>
+       <range><ge>11.2</ge><le>11.2_1</le></range>
       </package>
     </affects>
     <description>

See PR 231054.

Miroslav Lachman
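Review bot: the false alarm on FreeBSD-10.4_11 comes from the second range of the hunk, not the first: with no lower bound, `<range><le>11.2_1</le></range>` matches every FreeBSD version up to 11.2_1, including 10.4_11, so the added `<ge>11.2</ge>` is the line that actually stops the report, while `<ge>10.4</ge>` mainly keeps the two ranges disjoint. It would help to state that in the PR description, since any VuXML entry that lists several branch ranges with only `<le>` bounds will misfire the same way for older branches.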
Can somebody commit this easy fix, please? It is annoying to get false alarms every day in daily security reports.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231054

Kind Regards
Miroslav Lachman

Miroslav Lachman wrote on 2018/08/31 12:24:
> Miroslav Lachman wrote on 2018/08/28 00:20:
>> Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:
>>
>> # pkg audit FreeBSD-10.4_11
>> FreeBSD-10.4_11 is vulnerable:
>> wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
>> CVE: CVE-2018-14526
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html
>>
>>
>> 1 problem(s) in the installed packages found.
>>
>> But information on the page shows it was fixed in 10.4-p10:
>>
>> Affected packages
>> wpa_supplicant < 2.6_2
>> FreeBSD <= 10.4_10
>> FreeBSD <= 11.2_1
>>
>> So... was it really fixed? Is there incorrect info in VuXML database
>> file or on the web page?
>
> As noted privately by Dan Lukes, there is a wrong entry in vuln.xml -
> missing < 10.4 and < 11.2 (start of the range)
>
> --- vuln.xml.orig	2018-08-30 03:02:57.656941000 +0200
> +++ vuln.xml	2018-08-31 12:13:53.564345000 +0200
> @@ -525,8 +525,8 @@
>        </package>
>        <package>
>         <name>FreeBSD</name>
> -       <range><le>10.4_10</le></range>
> -       <range><le>11.2_1</le></range>
> +       <range><ge>10.4</ge><le>10.4_10</le></range>
> +       <range><ge>11.2</ge><le>11.2_1</le></range>
>        </package>
>      </affects>
>      <description>
>
> See PR 231054.
>
> Miroslav Lachman
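As an added illustration, not part of the thread and not the vuxml or pkg(8) code: a small Python check that evaluates a FreeBSD version against the `<package>` ranges of the entry as shipped and with the proposed `<ge>` bounds, using a simplified pkg-style version ordering (an assumption; real pkg comparison handles more suffixes). It shows that 10.4_11 is caught only by the unbounded `<le>11.2_1</le>` range, which is why the daily report misfired.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the VuXML <package> block for FreeBSD from the thread:
# the entry as shipped (no lower bounds) and the entry with the <ge> bounds added.
BUGGY_ENTRY = """<package>
  <name>FreeBSD</name>
  <range><le>10.4_10</le></range>
  <range><le>11.2_1</le></range>
</package>"""

FIXED_ENTRY = """<package>
  <name>FreeBSD</name>
  <range><ge>10.4</ge><le>10.4_10</le></range>
  <range><ge>11.2</ge><le>11.2_1</le></range>
</package>"""


def version_key(version):
    """Simplified pkg(8)-style ordering for 'X.Y[_rev][,epoch]' strings.
    Assumption: numeric dotted versions are enough for the base-system
    versions in this entry (letters, '+' and 'pl' suffixes are not handled)."""
    epoch = 0
    if "," in version:
        version, epoch = version.rsplit(",", 1)
    revision = 0
    if "_" in version:
        version, revision = version.split("_", 1)
    return (int(epoch), tuple(int(p) for p in version.split(".")), int(revision))


def version_in_range(version, range_el):
    """True if version satisfies every bound (lt/le/gt/ge/eq) inside one <range>."""
    v = version_key(version)
    checks = {"lt": lambda b: v < b, "le": lambda b: v <= b,
              "gt": lambda b: v > b, "ge": lambda b: v >= b, "eq": lambda b: v == b}
    return all(checks[bound.tag](version_key(bound.text.strip())) for bound in range_el)


def matching_ranges(package_xml, version):
    """Return each <range> of the <package> block that matches version, as text."""
    pkg = ET.fromstring(package_xml)
    return ["".join(f"<{b.tag}>{b.text.strip()}</{b.tag}>" for b in rng)
            for rng in pkg.findall("range") if version_in_range(version, rng)]


if __name__ == "__main__":
    # FreeBSD-10.4_11 (the patched system from the report) against both entries.
    print("buggy:", matching_ranges(BUGGY_ENTRY, "10.4_11"))  # ['<le>11.2_1</le>']
    print("fixed:", matching_ranges(FIXED_ENTRY, "10.4_11"))  # []
```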