To whom it may concern:
I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=fdf....
It is a part of the fix for CVE-2017-13080.

Larry

On Monday, 16 October 2017 23:53 Larry Finger wrote:
> To whom it may concern:
> I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
> It is a part of the fix for CVE-2017-13080.

Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEhc2a9OEg...
or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?

Michal Kubeček

On Tue, Oct 17, 2017 at 07:34:50AM +0200, Michal Kubecek wrote:
> On Monday, 16 October 2017 23:53 Larry Finger wrote:
>> To whom it may concern:
>> I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
>> It is a part of the fix for CVE-2017-13080.
> Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
> http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEhc2a9OEg...
> or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?

I opened bug 1063667. Are you aware of any other fixes related to KRACK in the kernel mac80211 or other frameworks?

Ciao, Marcus

On Tuesday, 17 October 2017 7:34 Michal Kubecek wrote:
> On Monday, 16 October 2017 23:53 Larry Finger wrote:
>> To whom it may concern:
>> I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
>> It is a part of the fix for CVE-2017-13080.
> Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
> http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEhc2a9OEg@mail.gmail.com
> or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?

OK, so it didn't take too long:
http://lkml.kernel.org/r/1508219181.10607.45.camel@sipsolutions.net
Sounds quite convincing to me.

Michal Kubeček

On 10/17/2017 01:13 AM, Michal Kubecek wrote:
> On Tuesday, 17 October 2017 7:34 Michal Kubecek wrote:
>> On Monday, 16 October 2017 23:53 Larry Finger wrote:
>>> To whom it may concern:
>>> I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
>>> It is a part of the fix for CVE-2017-13080.
>> Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
>> http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEhc2a9OEg@mail.gmail.com
>> or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?
> OK, so it didn't take too long:
> http://lkml.kernel.org/r/1508219181.10607.45.camel@sipsolutions.net
> Sounds quite convincing to me.

Yes, this is a serious problem for openSUSE (and other Linux systems) when operating on a WPA network in a location where you cannot observe everyone that might be listening to the radio traffic. At home this will not be as severe a problem if you can trust your neighbors.

As you saw in the reference above, Johannes Berg argued that memcmp() is sufficient and that crypto_memneq() would be overkill. My understanding is that this change is all that will be needed for the kernel, but there will need to be changes in wpa_supplicant.

Thanks for your attention,
Larry