Bug 2265479

Summary: unpatched CVE-2023-52160 in Fedora 38 & 39
Product: [Fedora] Fedora Reporter: customercare
Component: wpa_supplicantAssignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 38CC: bgalvani, blueowl, dcaratti, dcbw, lkundrak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: wpa_supplicant-2.10-9.fc39 wpa_supplicant-2.10-7.fc38 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-02-27 01:08:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description customercare 2024-02-22 09:29:47 UTC 
Media coverage: 

https://thehackernews.com/2024/02/new-wi-fi-vulnerabilities-expose.html

Description of problem:

WPA_SUPPLICANT < 2.11  suffers from CVE-2023-52160

Short: wpa_supplicant fails to/does not verify enterprise-grade-wifi network certs, so those networks can be cloned and user redirected into an attacker created net.

CVE got fixed via backport in F40, but is open in F38 and F39.
Comment 1 Fedora Update System 2024-02-23 00:35:43 UTC 
FEDORA-2024-36d2be00d0 (wpa_supplicant-2.10-7.fc38) has been submitted as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-36d2be00d0
Comment 2 Fedora Update System 2024-02-23 00:35:46 UTC 
FEDORA-2024-a95bdde55b (wpa_supplicant-2.10-9.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-a95bdde55b
Comment 3 Fedora Update System 2024-02-24 01:09:06 UTC 
FEDORA-2024-a95bdde55b has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-a95bdde55b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-a95bdde55b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 4 Fedora Update System 2024-02-24 02:05:48 UTC 
FEDORA-2024-36d2be00d0 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-36d2be00d0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-36d2be00d0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2024-02-27 01:08:07 UTC 
FEDORA-2024-a95bdde55b (wpa_supplicant-2.10-9.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 Fedora Update System 2024-03-10 01:22:58 UTC 
FEDORA-2024-36d2be00d0 (wpa_supplicant-2.10-7.fc38) has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.