I'm just asking which versions of OpenWRT are affected by CVE-2022-23303 and/or CVE-2022-23304?
Running OpenWRT 19.07.8, I only have hostapd installed, but the version says 2019-08-08-ca8c2bd2-7, so I guess it is affected?
wpa_supplicant is available as optional package, but I guess it is affected too?
Will there be a hotfix?
Thanks in advance for any info.
In the package list on the homepage there is a newer version, but the version number doesn't make any sense. The CVE says version 2.10, but the real hostapd package version is a date?
OpenWrt builds hostapd from git, so the version number is "weird":
OK, so we have to find out when "2.10" was released to know whether the version we are using is affected or not.
Any info appreciated, I will start my research.
EDIT: OK this was pretty easy:
2.10 = stable release from 16th of January 2022.
So every version of hostapd and wpa_supplicant in stable OpenWRT releases up to 21.02.1 is affected.
So will there be a patch? If yes, how to apply?
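The version comparison worked out above (OpenWrt ships a git snapshot whose version string starts with the snapshot date, and hostapd 2.10 was released on 16 January 2022) can be turned into a small check run on the router itself. The script below is an added example, not code from the thread or from the OpenWrt project: it parses `opkg list-installed` style lines, pulls the `YYYY-MM-DD` prefix out of the package version, and reports whether the snapshot predates 2.10. The opkg output embedded in it is constructed for illustration; matching the `wpad*` package names is my assumption about how hostapd/wpa_supplicant are packaged, not something the thread states. One caveat built into the output: a stable release that receives the fix as a backported patch keeps the old snapshot date, so an "old" result only tells you the snapshot is older than 2.10, and you still have to confirm from the release notes whether your point release carries the patch.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project).
# Checks whether OpenWrt hostapd/wpa_supplicant packages were built from a
# git snapshot older than hostapd 2.10 (released 2022-01-16, per the thread).
# Assumed version format: YYYY-MM-DD-<githash>-<pkgrelease>, e.g.
# "2019-08-08-ca8c2bd2-7" as quoted in the thread.

CUTOFF=20220116   # hostapd 2.10 release date as a sortable number

# Print the snapshot date (YYYYMMDD) from a version string, or nothing if the
# string is not in the expected date-prefixed form.
snapshot_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-*)
            y=${1%%-*}; rest=${1#*-}
            m=${rest%%-*}; rest=${rest#*-}
            d=${rest%%-*}
            echo "$y$m$d" ;;
        *) echo "" ;;
    esac
}

# Exit 0 if the snapshot predates 2.10, 1 if it is 2.10-era or later,
# 2 if the version string cannot be parsed.
predates_2_10() {
    sd=$(snapshot_date "$1")
    [ -n "$sd" ] || return 2
    [ "$sd" -lt "$CUTOFF" ]
}

# Map a version string to OLD / NEW / UNKNOWN.
classify() {
    rc=0; predates_2_10 "$1" || rc=$?
    case $rc in
        0) echo OLD ;;
        1) echo NEW ;;
        *) echo UNKNOWN ;;
    esac
}

# Read "name - version" lines (the opkg list-installed format) on stdin and
# report the hostapd-related packages. wpad* names are an assumption.
report() {
    while IFS= read -r line; do
        case "$line" in hostapd*|wpa-supplicant*|wpad*) ;; *) continue ;; esac
        name=${line%% - *}; ver=${line#* - }
        case $(classify "$ver") in
            OLD) echo "$name $ver: snapshot predates 2.10; fix can only be present as a backported patch, check your release notes" ;;
            NEW) echo "$name $ver: snapshot from 2.10 or later" ;;
            *)   echo "$name $ver: unrecognised version format, check manually" ;;
        esac
    done
}

# Constructed sample of opkg list-installed output for a stand-alone run.
# On a router, use:  opkg list-installed | report   (after sourcing this file)
SAMPLE_OPKG='hostapd - 2019-08-08-ca8c2bd2-7
libc - 1.1.24-2
wpa-supplicant - 2019-08-08-ca8c2bd2-7'

printf '%s\n' "$SAMPLE_OPKG" | report
```

The date is compared numerically after stripping the dashes, so the check works in BusyBox `ash` on the router without needing `date` or `sed`. An `UNKNOWN` result means the package was not built from a dated snapshot (for example a plain `2.10-1` string), and the usual `opkg info` output should be read by hand.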
Usually in the form of 21.02.2.
hostapd in the master branch has been updated:
Thank you very much, now for OpenWRT "endusers":
Is there an easy way to apply? Does the package need a build system to get the updated version?
Soon to be released OpenWrt 21.02.2 has those fixes.
The vulnerability only affects dictionary-attack-vulnerable passwords, as per my understanding.