This release fixes a critical security issue (CVE-2006-6322) that affected all previous releases. If you use an older version, we highly recommend an update.
Same as 0.9.2:
- Various mode changing and scanning related annoyances (#572, #254, #352, #378)
- Suspend state not working properly (#201)
- Countrycode regression in recent HAL versions (#120)
- Stability and/or performance problems when more than one VAP is in active use (#182, many other tickets)
- MAC address changing currently unsupported (#323) and unstable (#716)
- Documentation about private ioctl's and other features not 100% complete (#324, #486, #527, #399)
- Problems associating to some WEP encrypted Access Points (#651)
As reported earlier by Julien Tinnes  a security issue has been discovered by a group of researchers from France Telecom. The issue, CVE-2006-6332 , is caused by a buffer overflow bug in some routines that are used for scanning for Access Points. The bug can be triggered by sending properly crafted 802.11 beacon and/or probe response frames, which allows to inject and execute code on the scanning hosts. In other words: this issue is remotely exploitable.
This is a critical security flaw. From what we know so far, the bug has been in trunk since r1504 (probably longer). This means that all previous releases of MadWifi (0.9.0, 0.9.1 and 0.9.2) are affected.
In response to Julien's report we released v0.9.2.1 today (which is similar to v0.9.2 plus the fix for CVE-2006-6332) and committed the same fix to trunk in r1842. We recommend to upgrade immediately.
The v0.9.2.1 tarball can be downloaded from sf.net . A snapshot tarball of r1842 is available as well .
The MadWifi team would like to thank Julien Tinnes, Laurent Butti and Jerome Razniewski for their investigation, report and cooperation.