[3.4] hostapd: denial of service via crafted WPA/WPA2 passphrase parameter (CVE-2016-4476)
hostapd 0.6.7 through 2.5 does not reject \n and \r characters in
passphrase parameters, which allows remote attackers to cause a
denial of service (daemon outage) via a crafted WPS operation.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4476
http://www.openwall.com/lists/oss-security/2016/05/03/12
(from redmine: issue id 5645, created on 2016-05-29, closed on 2016-06-23)
- Relations:
  - parent #5644 (closed)
- Changesets:
  - Revision 6accf459 by Natanael Copa on 2016-05-30T17:39:08Z:
    main/hostapd: security fix for CVE-2016-4476
    fixes #5645