Red Hat Bugzilla – Bug 546795
CVE-2009-4144 NetworkManager: WPA enterprise network not verified when certificate is removed
Last modified: 2010-04-20 01:42:57 EDT
+++ This bug was initially created as a clone of Bug #546793 +++
If the user had set up a WPA Enterprise or 802.1x connection that used a CA certificate to verify the identity of the network to which the user was connecting, and the user deleted or moved that CA certificate file at a later point, NetworkManager will still connect to that network but without using the CA certificate. This could result in connections to a rogue network that is spoofing the original network as the identity of the network is not verified with the CA certificate after the certificate has been deleted.
Obviously requires direct interaction by the user that configured the connection in the first place to remove the CA certificate file.
--- Additional comment from email@example.com on 2009-12-11 18:50:57 EDT ---
Upstream fix is:
NetworkManager-0.7.2-2.git20091223.fc11 has been submitted as an update for Fedora 11.
NetworkManager-0.7.2-2.git20091223.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0108 https://rhn.redhat.com/errata/RHSA-2010-0108.html