Please note: This project is no longer active. The website is kept online for historic purposes only.
If you're looking for a Linux driver for your Atheros WLAN device, you should continue here.

Changes from Version 1 of news/20070416/no-known-security-issues-in-v0-9-3

Author:
mrenzmann (IP: 0.0.0.0)
Timestamp:
04/16/07 14:12:31 (12 years ago)
Comment:

--

  • news/20070416/no-known-security-issues-in-v0-9-3

    v v1  
     1= No known security issues in v0.9.3 = 
     2== For the impatient == 
     3There is currently no known security issue that needs to be addressed. Recent reports deal with a hole that has been found in December 2006, and that hole has been fixed already - make sure you have either MadWifi v0.9.2.1 or - better yet - v0.9.3 (which is the latest release at this time). 
     4 
     5== Background == 
     6On April 10, 2007 the news site [http://www.darkreading.com Dark Reading] has published an article called [http://www.darkreading.com/document.asp?doc_id=121536&WT.svl=news1_1 Critical WiFi Bug Found on Linux]. The story deals with a remotely exploitable security issue that was discovered by Laurent Butti, a researcher from France Telecom. Maybe that rings a bell for some of you. 
     7 
     8The article is technically correct about the existence and the nature of this issue. But unfortunately it failed to make clear that the issue is [wiki:news/20061207/release-0-9-2-1-fixes-critical-security-issue known for about 4 months now] and has been fixed in [wiki:Releases/0.9.2.1 MadWifi release v0.9.2.1] even before it was publically reported. The only hint that could be found was: 
     9 
     10{{{ 
     11#!blockquote 
     12"We contacted them and waited for them to patch the issue" first, he says, which they did. 
     13}}} 
     14 
     15This one sentence was easy to miss (which, to be honest, happened to me at first) and left a bit of room for speculation. I have contacted Laurent Butti, asking him for a clarification. He immediately responded and explained that Dark Reading has interviewed him in response to [http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Butti his BlackHat Europe 2007 talk] at end of march. He clarified that the article in fact refers to [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332 CVE-2006-6332] which was addressed in MadWifi v0.9.2.1. Or in other words: there is no new hole in MadWifi. 
     16 
     17Other news sources, such as [http://www.pcworld.com/article/id,130717-pg,1/article.html pcworld.com] or [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016598 computerworld.com], managed to make it sound even more sensational by claiming that the hole has been found "'''in''' Linux" (and not '''on''', as Dark Reading wrote before). It should be a well-known fact that MadWifi is by no means part of Linux (the kernel), as it relies on a binary-only part which prevents it from being accepted for inclusion to the kernel. Let's hope that this is no indicator for the general reliability and accuracy of the security-related news they publish...  
     18 
     19If you still are unsure whether you're vulnerable please feel free to contact our [wiki:Support regular support channels].
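
Review bot: The "For the impatient" paragraph on line 3 refers only to "a hole that has been found in December 2006" without naming it, while the identifier CVE-2006-6332 first appears near the end of line 15. Readers who stop after the summary cannot match the statement against an advisory, so consider linking the CVE (or the v0.9.2.1 release news item already linked on line 8) directly in line 3. Two wording fixes in the Background section: "publically" on line 8 should be "publicly", and "at end of march" on line 15 should be "at the end of March". Line 6 would also read better as "published an article" rather than "has published an article", since the date is given.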