{"id":"MGASA-2019-0229","summary":"Updated wpa_supplicant and hostapd packages fix security vulnerability","details":"A number of potential side channel attacks were discovered in the SAE\nimplementations used by both hostapd (AP) and wpa_supplicant\n(infrastructure BSS station/mesh station). SAE (Simultaneous\nAuthentication of Equals) is also known as WPA3-Personal. The discovered\nside channel attacks may be able to leak information about the used\npassword based on observable timing differences and cache access\npatterns. This might result in full password recovery when combined with\nan offline dictionary attack and if the password is not strong enough to\nprotect against dictionary attacks.\n","modified":"2026-04-16T04:41:33.717786052Z","published":"2019-08-31T13:22:36Z","upstream":["CVE-2019-13377","CVE-2019-9494"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0229.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25258"},{"type":"WEB","url":"https://w1.fi/security/2019-1/sae-side-channel-attacks.txt"},{"type":"WEB","url":"https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt"}],"affected":[{"package":{"name":"wpa_supplicant","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/wpa_supplicant?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0229.json"}},{"package":{"name":"hostapd","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/hostapd?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0229.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}