On 10/17/2017 01:13 AM, Michal Kubecek wrote:
On Tuesday, 17 October 2017 7:34 Michal Kubecek wrote:
On Monday, 16 October 2017 23:53 Larry Finger wrote:
To whom it may concern:
I call your attention to the patch in
It is a part of the fix for CVE-2017-13080.
Thank you for the warning. I don't know the whole context so I would
like to ask how urgent the issue is. In particular, is it OK to wait
for the resolution of this comment
or would it make sense to add the patch now (either with memcmp() or
with crypto_memneq()) and update later?
OK, so it didn't take too long:
Sounds quite convincing to me.
Yes, this is a serious problem for openSUSE (and other Linux systems) when
operating on a WPA network in a location where you cannot observe everyone that
might be listening to the radio traffic. At home this will not be as severe a
problem if you can trust your neighbors.
As you saw in the reference above, Johannes Berg argued that memcmp() is
sufficient and that crypto_memneq() would be overkill. My understanding is that
this change is all that will be needed for the kernel, but there will need to be
changes in wpa_supplicant.
Thanks for your attention,