Unable to flash old numbering esphome 1.13.6

orange-assistant · September 15, 2022, 9:26pm

Any particular reason you want to create insecure devices? For example this vulnerability was only fixed in 1.15

github.com/esphome/esphome

Mitigate CVE-2020-12638 WiFi WPA Downgrade

esphome:dev ← esphome:mitigate-cve-2020-12638

opened 11:34AM - 27 Jul 20 UTC

OttoWinter

+22 -0

## Description: Got contacted by @s00500 about a CVE for ESP8266/ESP32 where …sending a specially crafted beacon frame during an active wifi connection can downgrade encrypted connections to open ones. See also https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors and https://github.com/esp8266/Arduino/pull/7486 TODO: - [x] Test nothing breaks (when does AUTHMODE_CHANGE event occur, also during connecting?) - [x] Is the check exhaustive enough? Couldn't this be used to also downgrade to WEP, and then break that? I will have to look at how WEP attacks work (if it's during handshake phase or later) - [ ] Test the mitigation actually works (not sure if I'll be able to do that, I don't have the hardware around to create wifi packets in promiscuous mode) **Related issue (if applicable):** fixes <link to issue> **Pull request in [esphome-docs](https://github.com/esphome/esphome-docs) with documentation (if applicable):** esphome/esphome-docs#<esphome-docs PR number goes here> ## Checklist: - [x] The code change is tested and works locally. - [ ] Tests have been added to verify that the new code works (under `tests/` folder). If user exposed functionality or configuration variables are added/changed: - [ ] Documentation added/updated in [esphome-docs](https://github.com/esphome/esphome-docs).

Do you search for a (particular?) regression or why not using the latest and greatest version available?