WPA-2 Vulnerability KRACK

You will all have heard now about the very serious WPA-2 KRACK vulnerability, also in Linux, Raspbian and therefore in the Volumio distro. I suppose that this has the attention of the development team. In Jessie and Stretch this has been resolved now. When can we expect the update in Volumio?

See: bugs-wpa2-protocol-t7810.html

Thanks! :slight_smile:

New version released for PI, X86 will hopefully follow soon

Linux worked swiftly and released KRACK Wi-Fi Patches updates for Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo, and Linux upstream.
Source: PureVPN

We already released a pi version which addresses the issue.
And we published our response in the vendor response matrix available here:
github.com/kristate/krackinfo

I am unsure if I ran into a general issue, misunderstood the solution “New version released for PI” or ran into a special problem on my host:

After updating my RPI3 from a 1 week old install of ver 2.285 to ver 2.296 via WebUI today I still saw the vulnerable wpa_supplicant version on my host:

root@volumio:/home/volumio# dpkg -l | grep wpasupplicant
ii wpasupplicant 2.3-1+deb8u4 armhf client support for WPA and WPA2 (IEEE 802.11i)

What I did to resolve this was:

root@volumio:/home/volumio# sudo apt-get update
root@volumio:/home/volumio# apt-get install wpasupplicant

In my understanding this resolved the KRACK vulnerability issue on my host (wpasupplicant was 2.3-1+deb8u4 and is now 2.3-1+deb8u5):

root@volumio:/home/volumio# dpkg -l | grep wpasupplicant
ii wpasupplicant 2.3-1+deb8u5 armhf client support for WPA and WPA2 (IEEE 802.11i)

This seems to be the Fixed version for Jessie: https://packages.debian.org/search?searchon=sourcenames&keywords=wpa
Did I do it the correct way?
Does the Update via WebUI normally resolve the KRACK issue and something went wrong only in my case?
Or should I have done a fresh install of VOLUMIO 2.296 to get the KRACK issue resolved?

WPA-2 Vulnerability KRACK - unsolved?

Hi there,
Am I the only one seeing the OTA update not updating the wpasupplicant package?
No response on my latest reply but over 300 views.

I did an OTA update on a 2nd System today (raspi 2, volumio ver 2.285 to ver 2.296).
Same results as last Sunday - The wpasupplicant is still ver 2.3-1+deb8u4
(KRACK vulnerability was fixed in 2.3-1+deb8u5)

Am I missing something? Any logs I could look into? Normal behaviour?

Thanks for any Feedback.

Tom

edit: Crossposted in DEV/Bug reports wpa2-krack-vulnerability-solved-via-ota-update-t7902.html :wink: