Mandriva Update For Hostapd MDVSA-2012:168 (hostapd) Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

Multiple vulnerabilities has been discovered and corrected in hostapd: hostapd 0.7.3, and possibly other versions before 1.0, uses 0644 permissions for /etc/hostapd/hostapd.conf, which might allow local users to obtain sensitive information such as credentials (CVE-2012-2389). Heap-based buffer overflow in the eap_server_tls_process_fragment function in eap_server_tls_common.c in the EAP authentication server in hostapd 0.6 through 1.0 allows remote attackers to cause a denial of service (crash or abort) via a small TLS Message Length value in an EAP-TLS message with the More Fragments flag set (CVE-2012-4445). The updated packages have been patched to correct these issues.

Affected

hostapd on Mandriva Linux 2011.0

Severity

Classification

CVE CVE-2012-2389, CVE-2012-4445

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P

Related Vulnerabilities

Mandrake Security Advisory MDVSA-2009:160 (ruby)
Mandrake Security Advisory MDVSA-2009:068 (poppler)
Mandrake Security Advisory MDVSA-2009:133 (irssi)
Mandrake Security Advisory MDVSA-2009:212 (python)
Mandrake Security Advisory MDVSA-2009:207 (perl-Compress-Raw-Bzip2)

Mandriva Update for hostapd MDVSA-2012:168 (hostapd)

Take action and discover your vulnerabilities