Please note: This project is no longer active. The website is kept online for historic purposes only.
If you´re looking for a Linux driver for your Atheros WLAN device, you should continue here .

No known security issues in v0.9.3

For the impatient

There is currently no known security issue that needs to be addressed. Recent reports deal with a hole that has been found in December 2006, and that hole has been fixed already - make sure you have either MadWifi v0.9.2.1 or - better yet - v0.9.3 (which is the latest release at this time).

Background

On April 10, 2007 the news site Dark Reading has published an article called Critical WiFi Bug Found on Linux. The story deals with a remotely exploitable security issue that was discovered by Laurent Butti, a researcher from France Telecom. Maybe that rings a bell for some of you.

The article is technically correct about the existence and the nature of this issue. But unfortunately it failed to make clear that the issue is known for about 4 months now and has been fixed in MadWifi release v0.9.2.1 even before it was publically reported. The only hint that could be found was:

"We contacted them and waited for them to patch the issue" first, he says, which they did.

This one sentence was easy to miss (which, to be honest, happened to me at first) and left a bit of room for speculation. I have contacted Laurent Butti, asking him for a clarification. He immediately responded and explained that Dark Reading has interviewed him in response to his BlackHat Europe 2007 talk at end of march. He clarified that the article in fact refers to CVE-2006-6332 which was addressed in MadWifi v0.9.2.1. Or in other words: there is no new hole in MadWifi.

Other news sources, such as pcworld.com or computerworld.com, managed to make it sound even more sensational by claiming that the hole has been found "in Linux" (and not on, as Dark Reading wrote before). It should be a well-known fact that MadWifi is by no means part of Linux (the kernel), as it relies on a binary-only part which prevents it from being accepted for inclusion to the kernel. Let's hope that this is no indicator for the general reliability and accuracy of the security-related news they publish...

If you still are unsure whether you're vulnerable please feel free to contact our regular support channels.