missing vuxml entry & patches http://w1.fi/security/2016-1/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4476 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4477
A commit references this bug: Author: marino Date: Thu May 19 21:12:08 UTC 2016 New revision: 415527 URL: https://svnweb.freebsd.org/changeset/ports/415527 Log: security/wpa_supplicant: Add security patch set 2016-1 A vulnerability was found in how hostapd and wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters either through a WPS operation (CVE-2016-4476) or through local configuration change over the wpa_supplicant control interface (CVE-2016-4477), the resulting configuration file may prevent the hostapd and wpa_supplicant from starting when the updated file is used. In addition for wpa_supplicant, it may be possible to load a local library file and execute code from there with the same privileges under which the wpa_supplicant process runs. These patches were developed upstream and published as a response to the security advisories CVE-2016-4476 and CVE-2016-4477. PR: 209564 Requested by: Sevan Janiyan Changes: head/security/wpa_supplicant/Makefile head/security/wpa_supplicant/files/patch-2016_1_1-WPS-Reject-a-Credential-with-invalid-passphrase head/security/wpa_supplicant/files/patch-2016_1_2-Reject-psk-parameter-set-with-invalid-passphrase-cha head/security/wpa_supplicant/files/patch-2016_1_3-Remove-newlines-from-wpa_supplicant-config-network-o head/security/wpa_supplicant/files/patch-2016_1_4-Reject-SET_CRED-commands-with-newline-characters-in head/security/wpa_supplicant/files/patch-2016_1_5-Reject-SET-commands-with-newline-characters-in-the-s
A commit references this bug: Author: junovitch Date: Fri May 20 01:22:32 UTC 2016 New revision: 415536 URL: https://svnweb.freebsd.org/changeset/ports/415536 Log: Document wpa_supplicant security advisory 2016-1 PR: 209564 Reported by: Sevan Janiyan <venture37@geeklan.co.uk> Security: CVE-2016-4477 Security: CVE-2016-4476 Security: https://vuxml.FreeBSD.org/freebsd/967b852b-1e28-11e6-8dd3-002590263bf5.html Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: junovitch Date: Fri May 20 01:23:57 UTC 2016 New revision: 415537 URL: https://svnweb.freebsd.org/changeset/ports/415537 Log: MFH: r415527 security/wpa_supplicant: Add security patch set 2016-1 A vulnerability was found in how hostapd and wpa_supplicant writes the configuration file update for the WPA/WPA2 passphrase parameter. If this parameter has been updated to include control characters either through a WPS operation (CVE-2016-4476) or through local configuration change over the wpa_supplicant control interface (CVE-2016-4477), the resulting configuration file may prevent the hostapd and wpa_supplicant from starting when the updated file is used. In addition for wpa_supplicant, it may be possible to load a local library file and execute code from there with the same privileges under which the wpa_supplicant process runs. These patches were developed upstream and published as a response to the security advisories CVE-2016-4476 and CVE-2016-4477. PR: 209564 Requested by: Sevan Janiyan Security: CVE-2016-4477 Security: CVE-2016-4476 Security: https://vuxml.FreeBSD.org/freebsd/967b852b-1e28-11e6-8dd3-002590263bf5.html Approved by: ports-secteam (with hat) Changes: _U branches/2016Q2/ branches/2016Q2/security/wpa_supplicant/Makefile branches/2016Q2/security/wpa_supplicant/files/patch-2016_1_1-WPS-Reject-a-Credential-with-invalid-passphrase branches/2016Q2/security/wpa_supplicant/files/patch-2016_1_2-Reject-psk-parameter-set-with-invalid-passphrase-cha branches/2016Q2/security/wpa_supplicant/files/patch-2016_1_3-Remove-newlines-from-wpa_supplicant-config-network-o branches/2016Q2/security/wpa_supplicant/files/patch-2016_1_4-Reject-SET_CRED-commands-with-newline-characters-in branches/2016Q2/security/wpa_supplicant/files/patch-2016_1_5-Reject-SET-commands-with-newline-characters-in-the-s