CVE-2019-9495 (retired)

The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable
to side-channel attacks as a result of cache access patterns. All versions
of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The
ability to install and execute applications is necessary for a successful
attack. Memory access patterns are visible in a shared cache. Weak
passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer,
are not vulnerable to the timing attack described in CVE-2019-9494. Both
hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior
to and including version 2.7 are affected.
Source: wpa (LP Ubuntu Debian)
Upstream:released (2.8)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (2.1-0ubuntu1.7)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.4-0ubuntu6.4)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:2.6-15ubuntu2.2)
Ubuntu 19.04 (Disco Dingo):released (2:2.6-21ubuntu3)
Ubuntu 19.10 (Eoan):released (2:2.6-21ubuntu3)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not present)
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
More Information

Updated: 2019-08-23 09:40:31 UTC (commit 436fd4ed4cf0038ddd382cb8649607ace163dda7)