KRACK WiFi vulnerability - heads-up

Hi all,

For those who haven’t seen it, there’s a newly-published vulnerability in the WPA2 WiFi spec which affects pretty much everyone world-wide. See https://www.krackattacks.com/ for details.

This has some impacts, but I don’t think it’s a huge deal for Hestia. The main vulnerability is to steal data and/or redirect client machines to malicious DHCP/DNS servers, and only works in local proximity to the real access point. So the impact on Hestia is not great. Hestia could potentially be forced offline if someone fakes the access point, or they could control your boiler, but they are hardly going to steal your bank details this way.

That said, we should be aware of this. Debian have already released patches for Jessie and Stretch (https://www.debian.org/security/2017/dsa-3999) - I’m sure they can be included in the Hestia Touch (paging @HestiaPi to confirm).

However this leaves Hestia Classic vulnerable as there are no patches for Wheezy. I’ll be doing some searches to see if anyone has backported the Jessie fixes, which I’ll report on later this week. I’ll also try to find time to test out a full upgrade to Jessie (as per my Upgrade Classic to Jessie thread).

Obviously, if you’re not already aware of this - go upgrade all your routers, computers and mobile devices too - see https://www.fixkrack.com/

Stay safe people.

I need to test if an

sudo apt-get update && sudo apt-get dist-upgrade -y

breaks anything else and will report back…

I can confirm that the above command does not break anything. Please apply the update when possible.
A new image will also be released soon for lazy people :slight_smile:

Here is image version 8 for the lazy :wink: