[3.6] hostapd: SAE confirm missing state validation in hostapd/AP (CVE-2019-9496)
An invalid authentication sequence could result in the hostapd process
terminating due to missing state validation steps when processing the
SAE confirm message in hostapd/AP mode. All versions of hostapd with
SAE support are vulnerable.
Update to hostapd v2.8 or newer, once available.
References:
https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
https://www.kb.cert.org/vuls/id/871675/
Patch:
https://w1.fi/cgit/hostap/commit/?id=ac8fa9ef198640086cf2ce7c94673be2b6a018a0
(from redmine: issue id 10336, created on 2019-04-25, closed on 2019-06-20)
- Relations:
  - parent #10331 (closed)
- Changesets:
  - Revision 091dec18 on 2019-06-05T08:58:44Z:
    main/hostapd: security fix (CVE-2019-9496)
    Fixes #10336