Recommended update for wpa_supplicant SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1030-1 Final 1 1 2015-06-03T16:39:31Z current 2015-06-03T16:39:31Z 2015-06-03T16:39:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for wpa_supplicant wpa_supplicant was updated to fix three security issues. The following vulnerabilities were fixed: CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer encoding (boo#930077) CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing (boo#930078) CVE-2015-4143: EAP-pwd missing payload length validation (boo#930079) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html E-Mail link for openSUSE-SU-2015:1030-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings wpa_supplicant-2.0-3.14.1 wpa_supplicant-gui-2.0-3.14.1 The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow. CVE-2015-4141 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html https://www.suse.com/security/cve/CVE-2015-4141.html CVE-2015-4141 https://bugzilla.suse.com/915323 SUSE Bug 915323 https://bugzilla.suse.com/930077 SUSE Bug 930077 Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read. CVE-2015-4142 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html https://www.suse.com/security/cve/CVE-2015-4142.html CVE-2015-4142 https://bugzilla.suse.com/915323 SUSE Bug 915323 https://bugzilla.suse.com/930078 SUSE Bug 930078 The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload. CVE-2015-4143 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html https://www.suse.com/security/cve/CVE-2015-4143.html CVE-2015-4143 https://bugzilla.suse.com/930079 SUSE Bug 930079