Protect your wifi on Fedora against KRACK

You may have heard about KRACK (for “Key Reinstallation Attack”), a vulnerability in WPA2-protected Wi-Fi. This attack could let attackers decrypt, forge, or steal data, despite WPA2’s improved encryption capabilities. Fear not — fixes for Fedora packages are on their way to stable.

Guarding against KRACK

New wpa_supplicant packages contain the fix for Fedora 25, 26, and 27, as well as Rawhide. The maintainers have submitted them to the stable repos. They should show up within a day or so for most users.

To update your Fedora system, use this command once you configure sudo. Type your password at the prompt, if necessary.

sudo dnf update wpa_supplicant

Fedora provides worldwide mirrors at many download sites to better serve users. Some sites refresh their mirrors at different rates. If you don’t get an update right away, wait until later in the day.

Updating immediately

If you’re worried about waiting until stable updates show up, use this process to get the packages. First, install the bodhi-client package:

sudo dnf install bodhi-client

Then note the build ID for your Fedora system:

  • Fedora 27 prerelease: wpa_supplicant-2.6-11.fc27
  • Fedora 26: wpa_supplicant-2.6-11.fc26
  • Fedora 25: wpa_supplicant-2.6-3.fc25.1

Now download the packages for your system and update them. This example is for Fedora 26:

mkdir ~/krack-update && cd ~/krack-update
bodhi updates download --builds wpa_supplicant-2.6-11.fc26
sudo dnf update ./wpa_supplicant*.rpm

If your system is on Rawhide, run sudo dnf update to get the update.
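
To confirm the fix is in place after updating, this added example (not part of the original article) compares an installed wpa_supplicant version-release against the fixed builds listed above. The function names are hypothetical, the comparison is a simplified form of rpm's ordering that ignores epoch, "~" and "^", and the older builds used to exercise it are constructed.

```sh
#!/bin/sh
# Added example: is the installed wpa_supplicant at or above the fixed
# build this article lists for the release? Function names are hypothetical.

# Compare one version or release field rpm-style; prints -1, 0 or 1.
# Simplification (assumption): epoch, "~" and "^" are not handled.
rpm_field_cmp() {
    LC_ALL=C awk -v a="$1" -v b="$2" 'BEGIN {
        while (1) {
            sub(/^[^A-Za-z0-9]+/, "", a); sub(/^[^A-Za-z0-9]+/, "", b)
            if (a == "" || b == "") break
            num = (a ~ /^[0-9]/); re = num ? "^[0-9]+" : "^[A-Za-z]+"
            match(a, re); sa = substr(a, 1, RLENGTH); a = substr(a, RLENGTH + 1)
            if (!match(b, re)) { print (num ? 1 : -1); exit }  # digits beat letters
            sb = substr(b, 1, RLENGTH); b = substr(b, RLENGTH + 1)
            if (num) { sa += 0; sb += 0 }
            if (sa != sb) { print (sa > sb ? 1 : -1); exit }
        }
        print (a == "" ? (b == "" ? 0 : -1) : 1)  # leftover segments win
    }'
}

# True when installed version-release ($1) >= fixed version-release ($2).
vr_at_least() {
    c=$(rpm_field_cmp "${1%-*}" "${2%-*}")              # version field
    if [ "$c" -eq 0 ]; then
        c=$(rpm_field_cmp "${1##*-}" "${2##*-}")        # release field
    fi
    [ "$c" -ge 0 ]
}

# $1 = Fedora release number, $2 = installed version-release.
krack_status() {
    case "$1" in
        25) fixed=2.6-3.fc25.1 ;;   # fixed builds as listed in the article
        26) fixed=2.6-11.fc26 ;;
        27) fixed=2.6-11.fc27 ;;
        *)  echo unknown; return 0 ;;
    esac
    if vr_at_least "$2" "$fixed"; then echo patched; else echo needs-update; fi
}

# Live check: runs only where rpm and the package are present.
if command -v rpm >/dev/null 2>&1 &&
   vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' wpa_supplicant 2>/dev/null); then
    echo "wpa_supplicant $vr: $(krack_status "$(rpm -E '%{?fedora}')" "$vr")"
fi
```

A result of "unknown" means the article lists no fixed build for that release, which includes Rawhide.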


47 Comments

  1. test

    Should be:

    bodhi updates download --builds wpa_supplicant-2.6-11.fc26

  2. Berg Bjoern Bergssen

    Congratulations for what I would call an immediate and clear answer to the Fedora Community. Thank you Paul!

  3. Jerry

    The command:
    bodhi updates download wpa_supplicant-2.6-11.fc26

    Does not work, unexpected extra argument!

  4. Thanks for the post! 🙂

    Note that all the packages listed in the second part of the post already reached the respective stable repositories. It would be nice to add a note to let users know they can safely ignore the bodhi commands as long as they were able to update to one of those specific versions.

    Question: there were 10 CVEs related to this issue. Does the new version contain fixes for all of them?

  5. Adam

    [root@localhost adam]# bodhi updates download wpa_supplicant-2.6-11.fc27
    Usage: bodhi updates download [OPTIONS]

    Error: Got unexpected extra argument (wpa_supplicant-2.6-11.fc27)

    ? ? ? ? ?

  6. Gwendal

    There is a small mistake in the bodhi command. It should be

    bodhi updates download --builds wpa_supplicant-2.6-11.fc26

  7. Lasse Pihlainen

    Dude.

    bodhi updates download wpa_supplicant-2.6-11.fc26

    Usage: bodhi updates download [OPTIONS]

    Error: Got unexpected extra argument (wpa_supplicant-2.6-11.fc26)

    And later..

    bodhi updates download

    ERROR: must specify at least one of --cves, --updateid, --builds

  8. Michal Schmidt

    The bodhi command isn’t quite right:
    Usage: bodhi updates download [OPTIONS]

    This worked for me:
    bodhi updates download --builds wpa_supplicant-2.6-11.fc27

  9. Piotr Rotter

    In my case the instruction was missing a --builds option to bodhi. The complete sequence was:

    mkdir ~/krack-update && cd ~/krack-update
    bodhi updates download --builds wpa_supplicant-2.6-11.fc26
    dnf update ./wpa_supplicant*.rpm

  10. Norbert J.

    Many thanks to all involved for providing the security fix so quickly!

    By the way, does anybody know for sure whether hostapd is also affected by that security flaw? At least LEDE provides updates for both wpa_supplicant and hostapd, and although employing Fedora machines as AP is a rather rare use case, hostapd is part of the distribution.

  11. Apologies to all, and thanks to those who caught my bonehead error. There was a missing ‘--builds’ in the article. This has been fixed.

  12. p1n0

    Heyyy, worked great with Fedora 27 Beta, much love thank you.

  13. Son Nguyen

    Excuse me, when I typed “dnf update ./wpa_supplicant*.rpm”, they appeared on screen:

    Package wpa_supplicant of higher version already installed, cannot update it.
    Package wpa_supplicant-gui not installed, cannot update it.
    No match for argument: wpa_supplicant-gui-2.6-11.fc26.x86_64.rpm
    Dependencies resolved.
    Nothing to do.
    Complete!

    Are there any problems here? Thank you

    • Son Nguyen

      One more thing, I’m using Fedora Workstation 26

      • @Son: You should do ‘rpm -qa wpa_supplicant*’ to see what you have installed. It sounds like you may be drawing from updates-testing or something else already.

        • Son Nguyen

          2 lines appeared on screen:
          wpa_supplicant-2.6-11.fc26.x86_64
          wpa_supplicant-gui-2.6-11.fc26.x86_64

  14. Milos

    Thanks for the fix!

    I wish BigG had been so fast in update too…but no…

  15. Kjetil Nygård

    It gives me some insight into bodhi.

    But I would love it if Fedora had one page that described how to simply create and upload a package to the Fedora repos. (And the slightly alternative path of sending a pull request for a modification on a package.)

  16. I have wpa_supplicant-2.6-11.fc26 in my Fedora 26. Is that fine?

  17. david

    When I do the “bodhi updates download wpa_supplicant-2.6-11.fc26” command it shows an error message:
    Usage: bodhi updates download [OPTIONS]

    Error: Got unexpected extra argument (wpa_supplicant-2.6-11.fc26)
    [ ]$

    Other commands before work well. Don’t know if the update and protection is complete this way (think not).

    • @David: Please reread the article — there was a text error but it was fixed yesterday. Also, at this point the update is stable so you probably don’t need to use bodhi, just do a regular dnf update.

  18. James A. Jaworski

    I am still running f24. Considering moving to CentOS because Fedora cycle is too fast.

    • @James: Users who want a slow and stable community-supported platform choose CentOS for that reason. CentOS is part of our family and it’s a great distro for that.

  19. Thank You to contributors for the quick response. Very Grateful for this active community support.

  20. Jamie Klassen

    Hello. Just out of curiosity, what is the full command line to remove as well as uninstall the application and the repo on fedora 26, please?
    Thank you in advance for your response.

  21. Jamie Klassen

    Hello.
    Terribly sorry but did forget to query what the command would also be for reverting to the original wpa_supplicant before the upgrade to the newer wpa_supplicant as stated above.
    Again thank you in advance for your prompt response.

    • I’m not sure why this is needed, but you can use ‘dnf downgrade’ to revert to whatever earlier package is available in the repositories. However, realize that may leave you vulnerable to this attack.

  22. Jamie Klassen

    It’s because this bodhi client, since the moment of installing it, has repeatedly dropped my wifi. Probably the newer wpa_supplicant as well. I’m far more comfortable waiting for a regular update.

  23. Dave Huh

    Any insight as to when a patched HOSTAPD via the normal DNF Update will be available? I use it in conjunction with Fedora 26 and a PCEngines box as a wireless router.

  24. Imtiaz Khan

    Would the wpa_supplicant patch work on Fedora 20 & 23?

  25. Odysseo

    I’m on FC25 MATE.

    I typed the following:

    sudo dnf update wpa_supplicant
    Last metadata expiration check: 3:45:36 ago on Sat Oct 28 06:51:19 2017.
    Dependencies resolved.
    Nothing to do.
    Complete!

    Then

    rpm -qa wpa_supplicant
    wpa_supplicant-2.6-3.fc25.1.x86_64

    Am I good to go?

  26. odysseo

    Many thanks for the prompt response!

  27. Michael

    Is the fix for wpa_supplicant included in the Fedora 26 live iso spin “Fedora-Xfce-Live-x86_64-26-1.5.iso”?

    • @Michael: There’s no way it could be. Fedora 26 was issued in June 2017, and KRACK was revealed and fixed in October 2017. Simply update after installation to have the fix applied.

      • Michael

        Thanks. On my regular laptop with Fedora 26 it’s updated. I’m using a USB drive to boot Fedora spin XFCE for testing and showing Fedora for friends and family. So the fix should be in Fedora 27 and I can create a bootable USB once again when Fedora 27 is available to have the fix?


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions