Candidate: CVE-2019-9494
CRD: 2019-04-10 15:00:00 UTC
PublicDate: 2019-04-17 14:29:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494
 https://w1.fi/security/2019-1/
Description:
 The implementations of SAE in hostapd and wpa_supplicant are vulnerable to
 side channel attacks as a result of observable timing differences and cache
 access patterns. An attacker may be able to gain leaked information from a
 side channel attack that can be used for full password recovery. Both
 hostapd with SAE support and wpa_supplicant with SAE support prior to and
 including version 2.7 are affected.
Ubuntu-Description: 
Notes: 
 mdeslaur> SAE support not built in Ubuntu
Bugs: 
Priority: medium
Discovered-by: Mathy Vanhoef and Eyal Ronen
Assigned-to: 
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_wpa:
upstream_wpa: released (2.8)
precise/esm_wpa: DNE
trusty_wpa: not-affected (code not built)
trusty/esm_wpa: not-affected (code not built)
xenial_wpa: not-affected (code not built)
esm-infra/xenial_wpa: not-affected (code not built)
bionic_wpa: not-affected (code not built)
cosmic_wpa: not-affected (code not built)
devel_wpa: not-affected (code not built)

Patches_wpasupplicant:
upstream_wpasupplicant: needs-triage
precise/esm_wpasupplicant: not-affected (code not built)
trusty_wpasupplicant: DNE
trusty/esm_wpasupplicant: DNE
xenial_wpasupplicant: DNE
bionic_wpasupplicant: DNE
cosmic_wpasupplicant: DNE
devel_wpasupplicant: DNE