Page MenuHomeVyOS Platform

CVE-2017-13077 - Update wpa_supplicant
Closed, ResolvedPublicBUG


Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.

Debian-security for jessie is already patched - we have to double check that we ship patched versions in nightly releases.

Affects: any systems that act like WiFi clients.
Severity: high (MITM attack of unauthorized attacker is possible)

Original investigator's site:
UPSTREAM patches:
Debian security:


Difficulty level
Easy (less than an hour)
Why the issue appeared?
Will be filled on close

Event Timeline

Our nightly builds ships wpasupplicant 2.3-1+deb8u4, according to it's fixed in 2.3-1+deb8u5.

This may address another issue I discovered with the livebuild system. During rebuild, it does not automatically install all the latest security updates available like this one. Anyone knows how to add newer revisions of certain packages to live-build?

@UnicronNL maybe this will fix this issue:

diff --git i/scripts/live-build-config w/scripts/live-build-config
index c1c766f..990cb5c 100755
--- i/scripts/live-build-config
+++ w/scripts/live-build-config
@@ -51,7 +51,8 @@ lb config noauto \
         --mirror-binary {{debian_mirror}} \
         --mirror-binary-security {{debian_security_mirror}} \
         --archive-areas "main contrib non-free" \
-        --firmware-chroot true
+        --firmware-chroot true \
+        --updates true \

Unfortunately the vyos-build repo is not building anymore so I can't test.
This seems to have done the trick thanks.

build issue now hangs on depend on quagga.

This did the trick. Just build a fresh ISO:

root@vyos:/home/vyos# dpkg --list | grep wpa
ii  wpasupplicant                     2.3-1+deb8u5                      amd64        client support for WPA and WPA2 (IEEE 802.11i)

@syncer looks like this is resolved now. All debian security updates are now automatically inserted in every new image.

@UnicronNL Just to make sure, the package included in helium now is also patched?

I've done pkg-release in that package to include the latest commits into debian changelog and update the package version (helium4 now).

syncer claimed this task.
syncer moved this task from In Progress to Finished on the VyOS 1.2 Crux board.
syncer removed a project: VyOS 1.1.x.