To whom it may concern:
I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=fdf....
It is a part of the fix for CVE--2017-13080.
Larry
On Monday, 16 October 2017 23:53 Larry Finger wrote:
To whom it may concern:
I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/? id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
It is a part of the fix for CVE--2017-13080.
Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEhc2a9OEg...
or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?
Michal Kubeček
On Tue, Oct 17, 2017 at 07:34:50AM +0200, Michal Kubecek wrote:
On Monday, 16 October 2017 23:53 Larry Finger wrote:
To whom it may concern:
I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/? id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
It is a part of the fix for CVE--2017-13080.
Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEhc2a9OEg...
or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?
I opened bug 1063667.
Are you aware of any other fixes related to KRACK in the kernel mac80211 or other frameworks?
Ciao, Marcus
On Tuesday, 17 October 2017 7:34 Michal Kubecek wrote:
On Monday, 16 October 2017 23:53 Larry Finger wrote:
To whom it may concern:
I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit /? id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
It is a part of the fix for CVE--2017-13080.
Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEh c2a9OEg@mail.gmail.com
or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?
OK, so it didn't take too long:
http://lkml.kernel.org/r/1508219181.10607.45.camel@sipsolutions.net
Sounds quite convincing to me.
Michal Kubeček
On 10/17/2017 01:13 AM, Michal Kubecek wrote:
On Tuesday, 17 October 2017 7:34 Michal Kubecek wrote:
On Monday, 16 October 2017 23:53 Larry Finger wrote:
To whom it may concern:
I call your attention to the patch in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit /? id=fdf7cb4185b60c68e1a75e61691c4afdc15dea0e.
It is a part of the fix for CVE--2017-13080.
Thank you for the warning. I don't know the whole context so I would like to ask how urgent the issue is. In particular, is it OK to wait for the resolution of this comment
http://lkml.kernel.org/r/CAHmME9rHMMAgJs3uQYpt15V8eh-PjDqioqURA3KPKEh c2a9OEg@mail.gmail.com
or would it make sense to add the patch now (either with memcmp() or with crypto_memneq()) and update later?
OK, so it didn't take too long:
http://lkml.kernel.org/r/1508219181.10607.45.camel@sipsolutions.net
Sounds quite convincing to me.
Yes, this is a serious problem for openSUSE (and other Linux systems) when operating on a WPA network in a location where you cannot observe everyone that might be listening to the radio traffic. At home this will not be as severe a problem if you can trust your neighbors.
As you saw in the reference above, Johannes Berg argued that memcmp() is sufficient and that crypto_memneq() would be overkill. My understanding is that this change is all that will be needed for the kernel, but there will need to be changes in wpa_supplicant.
Thanks for your attention,
Larry
-
Larry Finger -
Marcus Meissner -
Michal Kubecek