[USN-7317-1] wpa_supplicant and hostapd vulnerabilities

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEELOLXZEFYQHcSWEHiyfW2m9Ldu6sFAmfGTKIFAwAAAAAACgkQyfW2m9Ldu6u9
mRAAnppkT1sc9be4+WeiogX9Ob2/pJzolTbRszuv0CrFto3khq/GwpMbXWpAFB+mehV9szh5d+XU
5QZ3+rqwlq1PFzy3vAtFuf9HikA87ZE0LVrwWoavozrtIyls0QEYpgVX+zJCP9xaB7wwOLrsWg+E
HqrK3syoFEawz7rcmqFW+5pZNClp0DYzKZOqujevm4V4Y9E2ldxy9V3Um6GGdFHFKoNTd76AA8AB
Dl+raXugyOjDujSSz+d3spijr4ZogZMo3IBuQGxamNqRMgzkFzLEjHWx8n2vXv66ZtqmPwFu7y4D
tabrUtf5Q4lKitJEXVd0HD2oV7neeUKXdKEm3mNyjjxi3CoJ7pCmEMMrSA66/xL/ctcHc42cEDra
kcIjlZv/ieqCqj1CD1y+3+nRrsZ2xSVHV0wu5LUZZVJdahbllSDbtmWtwuWEkBZXKCjromJqCE8l
EtmjPmC1KZ2qE5C7gmj0mdEGtMttFsBLy60+zG66I9en+fXG1HkM3iO73D/24ggWsHhN12hYRnut
xSW74cQwem78cSxvdkoga3Qs94xPvn+XNuCJeSXYWEg4MF+0tdswaxs2adBdSoUg0/G1tJzB3LoO
0sy7YTVKPcTiRYBt1qnM0NG0C0HpWrfT3KYBA5b3WwAcMDCXzBtxkcEihbXW4ejqOwcOGSJy/2QF
mSw=
=UVYR
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7317-1
March 03, 2025

wpa vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

wpa_supplicant and hostapd could be made to expose sensitive information
over the network.

Software Description:
- wpa: client support for WPA and WPA2

Details:

George Chatzisofroniou and Panayiotis Kotzanikolaou discovered that
wpa_supplicant and hostapd reused encryption elements in the PKEX protocol.
An attacker could possibly use this issue to impersonate a wireless access
point, and obtain sensitive information. (CVE-2022-37660)

Daniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque discovered
that wpa_supplicant and hostapd were vulnerable to side channel attacks due
to the cache access patterns. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu 20.04 LTS.
(CVE-2022-23303, CVE-2022-23304)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  hostapd                         2:2.10-22ubuntu0.1
  wpasupplicant                   2:2.10-22ubuntu0.1

Ubuntu 24.04 LTS
  hostapd                         2:2.10-21ubuntu0.2
  wpasupplicant                   2:2.10-21ubuntu0.2

Ubuntu 22.04 LTS
  hostapd                         2:2.10-6ubuntu2.2
  wpasupplicant                   2:2.10-6ubuntu2.2

Ubuntu 20.04 LTS
  hostapd                         2:2.9-1ubuntu4.6
  wpasupplicant                   2:2.9-1ubuntu4.6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7317-1
  CVE-2022-23303, CVE-2022-23304, CVE-2022-37660

Package Information:
  https://launchpad.net/ubuntu/+source/wpa/2:2.10-22ubuntu0.1
  https://launchpad.net/ubuntu/+source/wpa/2:2.10-21ubuntu0.2
  https://launchpad.net/ubuntu/+source/wpa/2:2.10-6ubuntu2.2
  https://launchpad.net/ubuntu/+source/wpa/2:2.9-1ubuntu4.6