New erratas released today: 5.8 errata #8, 5.7 errata #20

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

New erratas released today: 5.8 errata #8, 5.7 errata #20

Stefan Sperling-8
There is a remotely triggerable panic in the wireless subsystem
involving WPA (a.k.a RSN).

RSN element parsing in the input path lacks validation of the group
cipher and group management cipher values. If a bad value is received
it is stored without validation, which will trigger a panic when the
value is used while sending a reply.

This can be used by malicious access points to crash OpenBSD clients,
or by malicious clients to crash OpenBSD access points.

Thanks to Franz Bettag for highlighting this problem.

Links to patches below. Please follow the instructions within.

5.8: http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/008_rsn.patch.sig
5.7: http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/020_rsn.patch.sig