
Update Apple

Open zeadope-zz opened this issue 8 years ago • 9 comments

  • [x] iOS: 11.1 released: LINK
  • [x] MacOS: 10.13.1 released: LINK
  • [ ] tvOS: 4.1 released?
  • [ ] watchOS: 11.1 released?

zeadope-zz avatar Oct 31 '17 20:10 zeadope-zz

I do agree that iOS 11.1 apparently addresses the KRACK, but I currently can't find any evidence/hint that macOS High Sierra 10.13.1 would do the same. Am I overlooking something?

Disclaimer: I am by far not an Apple-guru... 😶

eaglerainbow avatar Oct 31 '17 22:10 eaglerainbow

It’s fixed since 10.13.1 Beta 3 I believe.

zeadope-zz avatar Nov 01 '17 02:11 zeadope-zz

HT208221 says KRACK is fixed in 10.13.1.

Also, @maljb has already opened pull request #204 to fix this.

acohn avatar Nov 01 '17 06:11 acohn

@acohn Thanks for bringing this up! HT208221 is already convincing me more 😄 However, as far as I can read there, they claim to only have fixed three out of ten of the well-known CVEs. There is no statement about the state of the others (could be that they are a) not affected or b) affected, but still not fixed or c) they have yet to check them).

Also great that we now have #204, but the current statement is a little too generic to my mind (I will comment also in the review of the PR on this).

In general: Having some (but not all) CVEs fixed is better than having none of them fixed. ==> Still you should apply the patch (if there is nothing else around, which makes that impossible)!

At all: Please feel free to convince me with further links to official statements that all issues are fixed already with MacOS 10.13.1!

@zeadope Having something in for a beta does not mean that it is also part of the shipment in the release version (though being likely). For instance, during beta testing they detected that the change had an undesirable side-effect, which was more severe than the original issue. So, it could be that they removed the fixes again. (NB: I am not claiming that this is the case here in particular). Though, that is why I trust a correction from beta only if I have an official statement somewhere saying that the correction is also included in the final version.

eaglerainbow avatar Nov 01 '17 10:11 eaglerainbow

Update:

  • https://support.apple.com/de-de/HT208219 states that tvOS 11.1 addresses CVE-2017-13080
  • https://support.apple.com/de-de/HT208220 states that watchOS 4.1 addresses CVE-2017-13080

No statement though about all the other CVEs.

https://support.apple.com/en-us/HT201222 states that the two versions would be released in the meantime.

eaglerainbow avatar Nov 01 '17 11:11 eaglerainbow

Also noteworthy (to my mind): https://support.apple.com/en-us/HT208221 states that the "three CVEs" discussed above are also fixed/will be fixed with

  • macOS Sierra 10.12.6
  • OS X El Capitan 10.11.6

as well. Given the widespread usage of components, I think this justifies an own markdown page documenting the details of what was fixed exactly when...

eaglerainbow avatar Nov 01 '17 11:11 eaglerainbow

Please find at #205 a suggestion of how I think this could look.

Suggestions / discussion / objections / ideas are welcome!

eaglerainbow avatar Nov 01 '17 12:11 eaglerainbow

Merged #205

kristate avatar Nov 02 '17 02:11 kristate

https://support.apple.com/en-gb/HT208258 (for 802.11n) addresses CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080 for the AirPort Base Station (and Time Capsule) models; perhaps they should also be included in the apple list?

(Apple AirPort Stations can be a client and AP; sometimes TCs connect over WiFi just to be used as a Time Capsule backup)

InternalLoss avatar Dec 23 '17 10:12 InternalLoss