Was wpa_supplicant CVE-2018-14526 fixed in 10.4-p11? / PR 231054
Miroslav Lachman
000.fbsd at quip.cz
Fri Aug 31 10:24:38 UTC 2018
Miroslav Lachman wrote on 2018/08/28 00:20:
> Running pkg audit FreeBSD-10.4_11 gives me one vulnerability:
>
> # pkg audit FreeBSD-10.4_11
> FreeBSD-10.4_11 is vulnerable:
> wpa_supplicant -- unauthenticated encrypted EAPOL-Key data
> CVE: CVE-2018-14526
> WWW:
> https://vuxml.FreeBSD.org/freebsd/6bedc863-9fbe-11e8-945f-206a8a720317.html
>
> 1 problem(s) in the installed packages found.
>
> But information on the page shows it was fixed in 10.4-p10:
>
> Affected packages
> wpa_supplicant < 2.6_2
> FreeBSD <= 10.4_10
> FreeBSD <= 11.2_1
>
> So... was it really fixed? Is there incorrect info in VuXML database
> file or on the web page?
As noted privately by Dan Lukes, there is a wrong entry in vuln.xml -
missing < 10.4 and < 11.2 (start of the range)
--- vuln.xml.orig 2018-08-30 03:02:57.656941000 +0200
+++ vuln.xml 2018-08-31 12:13:53.564345000 +0200
@@ -525,8 +525,8 @@
</package>
<package>
<name>FreeBSD</name>
- <range><le>10.4_10</le></range>
- <range><le>11.2_1</le></range>
+ <range><ge>10.4</ge><le>10.4_10</le></range>
+ <range><ge>11.2</ge><le>11.2_1</le></range>
</package>
</affects>
<description>
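Review bot: With `<ge>10.4</ge>` and `<ge>11.2</ge>` added, the FreeBSD `<package>` entry matches only the 10.4 and 11.2 branches, whereas the old open-ended `<le>11.2_1</le>` also matched every lower version. Please confirm that no other branch is meant to be covered by this entry, and give any that is its own `<ge>`/`<le>` range. The reason for the bounds is not visible in the diff itself, so it should be stated in the commit message.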
See PR 231054.
Miroslav Lachman