Description of problem:

From: Johannes Berg <johannes>

If somebody sends an invalid beacon/probe response, that can trash the whole BSS descriptor. The descriptor is, luckily, large enough so that it cannot scribble past the end of it; it's well above 400 bytes long.
Reference: http://article.gmane.org/gmane.linux.kernel.wireless.general/23049
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=48735d8d8bd701b1e0cd3d49c21e5e385ddcb077
The driver has been included in the upstream kernel since 2.6.22. We did not backport it to our RHEL kernels.
Our official statement can be found at: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5134
This issue has been addressed in the following products:

Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)

Via RHSA-2009:0053, available at https://rhn.redhat.com/errata/RHSA-2009-0053.html