You may have heard about KRACK (for “Key Reinstallation Attack”), a vulnerability in WPA2-protected Wi-Fi. This attack could let attackers decrypt, forge, or steal data, despite WPA2’s improved encryption capabilities. Fear not — fixes for Fedora packages are on their way to stable.
Guarding against KRACK
New wpa_supplicant packages contain the fix for Fedora 25, 26, and 27, as well as Rawhide. The maintainers have submitted them to the stable repos. They should show up within a day or so for most users.
To update your Fedora system, use this command once you configure sudo. Type your password at the prompt, if necessary.
sudo dnf update wpa_supplicant
Fedora provides worldwide mirrors at many download sites to better serve users. Some sites refresh their mirrors at different rates. If you don’t get an update right away, wait until later in the day.
Updating immediately
If you’re worried about waiting until stable updates show up, use this process to get the packages. First, install the bodhi-client package:
sudo dnf install bodhi-client
Then note the build ID for your Fedora system:
- Fedora 27 prerelease: wpa_supplicant-2.6-11.fc27
- Fedora 26: wpa_supplicant-2.6-11.fc26
- Fedora 25: wpa_supplicant-2.6-3.fc25.1
Now download the packages for your system and update them. This example is for Fedora 26:
mkdir ~/krack-update && cd ~/krack-update
bodhi updates download --builds wpa_supplicant-2.6-11.fc26
sudo dnf update ./wpa_supplicant*.rpm
If your system is on Rawhide, run sudo dnf update to get the update.
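To confirm that a system is on one of the fixed builds listed above, compare the output of rpm -q wpa_supplicant with that list. The script below is an added example, not part of the original article: the function names and sample inputs are constructed, and it assumes GNU sort -V is a close enough stand-in for RPM's own version comparison.

```shell
#!/usr/bin/env bash
# Added example: compare an installed build with the fixed builds listed above.

# Fixed version-release for each dist tag, copied from the article's list.
fixed_build_for() {
    case "$1" in
        fc27) echo "2.6-11.fc27" ;;
        fc26) echo "2.6-11.fc26" ;;
        fc25) echo "2.6-3.fc25.1" ;;
        *)    return 1 ;;   # release not covered by the article
    esac
}

# krack_status NVRA: prints patched, vulnerable or unknown.
# NVRA is one line of `rpm -q` output, e.g. wpa_supplicant-2.6-11.fc26.x86_64
krack_status() {
    local s="$1" arch rel ver dist fixed lowest
    for arch in x86_64 i686 aarch64 armv7hl ppc64le ppc64 s390x; do
        s="${s%."$arch"}"                 # drop the architecture, if present
    done
    rel="${s##*-}"                        # release, e.g. 3.fc25.1
    s="${s%-*}"
    ver="${s##*-}"                        # version, e.g. 2.6
    dist="${rel#*.}"                      # fc25.1
    dist="${dist%%.*}"                    # fc25
    fixed="$(fixed_build_for "$dist")" || { echo unknown; return 2; }
    # Assumption: GNU `sort -V` stands in for RPM's own version comparison,
    # which is adequate for the simple version strings used here.
    lowest="$(printf '%s\n%s\n' "$ver-$rel" "$fixed" | sort -V | head -n 1)"
    if [ "$lowest" = "$fixed" ]; then
        echo patched
    else
        echo vulnerable
        return 1
    fi
}

# Constructed sample inputs; on a real host use: krack_status "$(rpm -q wpa_supplicant)"
for nvra in wpa_supplicant-2.6-11.fc26.x86_64 \
            wpa_supplicant-gui-2.6-11.fc26.x86_64 \
            wpa_supplicant-2.6-3.fc25.1.x86_64 \
            wpa_supplicant-2.6-8.fc26.x86_64 \
            wpa_supplicant-2.5-5.fc24.x86_64; do
    printf '%s -> %s\n' "$nvra" "$(krack_status "$nvra")"
done
```

A result of unknown means the release is not in the article's list, so the script makes no claim about it.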
test
Should be:
bodhi updates download --builds wpa_supplicant-2.6-11.fc26
Paul W. Frields
Just so, thanks. Fixed.
Berg Bjoern Bergssen
Congratulations for what I would call an immediate and clear answer to the Fedora Community. Thank you Paul!
Jerry
The command:
bodhi updates download wpa_supplicant-2.6-11.fc26
Does not work, unexpected extra argument!
Paul W. Frields
@Jerry: My apologies, it should have had --builds in there. Fixed as mentioned above.
Athos Ribeiro
Thanks for the post! 🙂
Note that all the packages listed in the second part of the post already reached the respective stable repositories. It would be nice to add a note to let users know they can safely ignore the bodhi commands as long as they were able to update to one of those specific versions.
Question: there were 10 CVEs related to this issue. Does the new version contain fixes for all of them?
Paul W. Frields
@Athos: The new version contains all the fixes shown here in the Fedora 26 case: https://bodhi.fedoraproject.org/updates/FEDORA-2017-60bfb576b7
Adam
[root@localhost adam]# bodhi updates download wpa_supplicant-2.6-11.fc27
Usage: bodhi updates download [OPTIONS]
Error: Got unexpected extra argument (wpa_supplicant-2.6-11.fc27)
? ? ? ? ?
Paul W. Frields
@Adam: My apologies, this has been fixed.
V
Thank you, Paul.
I am really impressed by this article and how fast you gave the correct solution to this problem …
Gwendal
There is a small mistake in the bodhi command. It should be
Lasse Pihlainen
Dude.
bodhi updates download wpa_supplicant-2.6-11.fc26
Usage: bodhi updates download [OPTIONS]
Error: Got unexpected extra argument (wpa_supplicant-2.6-11.fc26)
And later..
bodhi updates download
ERROR: must specify at least one of --cves, --updateid, --builds
Michal Schmidt
The bodhi command isn’t quite right:
Usage: bodhi updates download [OPTIONS]
This worked for me:
bodhi updates download --builds wpa_supplicant-2.6-11.fc27
Piotr Rotter
In my case the instruction was missing a
option to
. The complete sequence was:
bodhi updates download --builds wpa_supplicant-2.6-11.fc26
dnf update ./wpa_supplicant*.rpm
Norbert J.
Many thanks to all involved for providing the security fix so quickly!
By the way, does anybody know for sure whether hostapd is also affected by that security flaw? At least LEDE provides updates for both wpa_supplicant and hostapd, and although employing Fedora machines as AP is a rather rare use case, hostapd is part of the distribution.
Paul W. Frields
Apologies to all, and thanks to those who caught my bonehead error. There was a missing ‘--builds’ in the article. This has been fixed.
p1n0
Heyyy, worked great with Fedora 27 Beta, much love thank you.
Son Nguyen
Excuse me, when I typed “dnf update ./wpa_supplicant*.rpm”, they appeared on screen:
Package wpa_supplicant of higher version already installed, cannot update it.
Package wpa_supplicant-gui not installed, cannot update it.
No match for argument: wpa_supplicant-gui-2.6-11.fc26.x86_64.rpm
Dependencies resolved.
Nothing to do.
Complete!
Are there any problems here? Thank you
Son Nguyen
One more thing, I’m using Fedora Workstation 26
Paul W. Frields
@Son: You should do ‘rpm -qa wpa_supplicant*’ to see what you have installed. It sounds like you may be drawing from updates-testing or something else already.
Son Nguyen
2 lines appeared on screen:
wpa_supplicant-2.6-11.fc26.x86_64
wpa_supplicant-gui-2.6-11.fc26.x86_64
Paul W. Frields
@Son: You already have the fixed packages installed. Nothing further to do.
Milos
Thanks for the fix!
I wish BigG had been so fast in update too…but no…
Kjetil Nygård
It gives me some insight into bodhi.
But I would love it if Fedora had one page that described how to simply create and upload a package to the Fedora repos. (And the slightly alternative path of sending a pull request for a modification on a package.)
crossingtheair.wordpress.com
I have wpa_supplicant-2.6-11.fc26 in my Fedora 26. Is that fine?
Paul W. Frields
Yes! You’re good to go.
david
When I do the “bodhi updates download wpa_supplicant-2.6-11.fc26” command it shows an error message:
Usage: bodhi updates download [OPTIONS]
Error: Got unexpected extra argument (wpa_supplicant-2.6-11.fc26)
[ ]$
Other commands before work well. Don’t know if the update and protection is complete this way (think not).
Paul W. Frields
@David: Please reread the article — there was a text error but it was fixed yesterday. Also, at this point the update is stable so you probably don’t need to use bodhi, just do a regular dnf update.
david
Yes, thank you. Seems to be fixed.
James A. Jaworski
I am still running f24. Considering moving to CentOS because Fedora cycle is too fast.
Paul W. Frields
@James: Users who want a slow and stable community-supported platform choose CentOS for that reason. CentOS is part of our family and it’s a great distro for that.
Ujjwal Dey
Thank You to contributors for the quick response. Very Grateful for this active community support.
Jamie Klassen
Hello. Just out of curiosity, what is the full command line to remove as well as uninstall the application and the repo on fedora 26, please?
Thank you in advance for your response.
Jamie Klassen
Hello.
Terribly sorry but did forget to query what the command would also be for reverting to the original wpa_supplicant before the upgrade to the newer wpa_supplicant as stated above.
Again thank you in advance for your prompt response.
Paul W. Frields
I’m not sure why this is needed, but you can use ‘dnf downgrade’ to revert to whatever earlier package is available in the repositories. However, realize that may leave you vulnerable to this attack.
Jamie Klassen
It’s because this bodhi client, since the moment of installing it, has repeatedly dropped my wifi. Probably the newer wpa_supplicant as well. I’m far more comfortable waiting for a regular update.
Dave Huh
Any insight as to when a patched HOSTAPD via the normal DNF Update will be available? I use it in conjunction with Fedora 26 and a PCEngines box as a wireless router.
Imtiaz Khan
Would the wpa_supplicant patch work on Fedora 20 & 23?
Odysseo
I’m on FC25 MATE.
I typed the following:
sudo dnf update wpa_supplicant
Last metadata expiration check: 3:45:36 ago on Sat Oct 28 06:51:19 2017.
Dependencies resolved.
Nothing to do.
Complete!
Then
rpm -qa wpa_supplicant
wpa_supplicant-2.6-3.fc25.1.x86_64
Am I good to go?
Paul W. Frields
@Odysseo: Yes.
odysseo
Many thanks for the prompt response!
Michael
Is the fix for wpa_supplicant included in the Fedora 26 live iso spin “Fedora-Xfce-Live-x86_64-26-1.5.iso”?
Paul W. Frields
@Michael: There’s no way it could be. Fedora 26 was issued in June 2017, and KRACK was revealed and fixed in October 2017. Simply update after installation to have the fix applied.
Michael
Thanks. On my regular laptop with Fedora 26 it’s updated. I’m using a USB drive to boot the Fedora Xfce spin for testing and showing Fedora to friends and family. So the fix should be in Fedora 27, and I can create a bootable USB once again when Fedora 27 is available to have the fix?
Paul W. Frields
@Michael: Yes, that’s correct.
Michael
Thanks!