Accepting request 339613 from home:stroeder:branches:Base:System

update to upstream release 2.5 (successfully tested on armv6l with WPA2/PSK) OBS-URL: https://build.opensuse.org/request/show/339613 OBS-URL: https://build.opensuse.org/package/show/Base:System/hostapd?expand=0&rev=34
2015-10-23 20:42:34 +00:00 · 2015-10-23 20:42:34 +00:00 · 5a7ee34c7c
commit 5a7ee34c7c
parent 1686b1cbe4
5 changed files with 68 additions and 16 deletions
--- a/hostapd-2.4.tar.gz
+++ b/hostapd-2.4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6fe0eb6bd1c9cbd24952ece8586b6f7bd14ab358edfda99794e79b9b9dbd657f
-size 1658872
--- a/hostapd-2.5-defconfig.patch
+++ b/hostapd-2.5-defconfig.patch
@ -1,5 +1,5 @@
--- hostapd/defconfig.orig	2015-04-23 22:09:41.502518110 +0200
-+++ hostapd/defconfig	2015-04-23 22:15:09.225421010 +0200
+--- ./hostapd/defconfig.orig	2015-10-18 15:11:32.152380752 +0200
+++ ./hostapd/defconfig	2015-10-18 15:18:07.240441471 +0200
@@ -28,7 +28,7 @@
 #CONFIG_LIBNL20=y
 
@ -18,7 +18,7 @@
 
 # IEEE 802.11F/IAPP
 CONFIG_IAPP=y
-@@ -78,50 +78,50 @@
+@@ -78,53 +78,53 @@
 CONFIG_EAP_TTLS=y
 
 # EAP-SIM for the integrated EAP server
@ -83,7 +83,11 @@
 +CONFIG_EAP_TNC=y
 
 # EAP-EKE for the integrated EAP server
- #CONFIG_EAP_EKE=y
+-#CONFIG_EAP_EKE=y
+CONFIG_EAP_EKE=y
+ 
+ # PKCS#12 (PFX) support (used to read private key and certificate file from
+ # a file that usually has extension .p12 or .pfx)
@@ -132,27 +132,27 @@
 
 # RADIUS authentication server. This provides access to the integrated EAP
@ -127,7 +131,13 @@
 
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
-@@ -250,11 +250,11 @@
+@@ -251,16 +251,16 @@
+ # gnutls = GnuTLS
+ # internal = Internal TLSv1 implementation (experimental)
+ # none = Empty template
+-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
+ 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
@ -141,7 +151,7 @@
 
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
-@@ -275,13 +275,13 @@
+@@ -281,13 +281,13 @@
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
@ -156,5 +166,5 @@
 -#CONFIG_SQLITE=y
 +CONFIG_SQLITE=y
 
- # Testing options
- # This can be used to enable some testing options (see also the example
+ # Enable Fast Session Transfer (FST)
+ #CONFIG_FST=y
--- a/hostapd-2.5.tar.gz
+++ b/hostapd-2.5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8e272d954dc0d7026c264b79b15389ec2b2c555b32970de39f506b9f463ec74a
+size 1720783
--- a/hostapd.changes
+++ b/hostapd.changes
@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Sun Oct 18 12:59:02 UTC 2015 - michael@stroeder.com
+
+- update to upstream release 2.5
+- removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+  (CVE-2015-1863) because it's fixed in upstream release 2.5
+
+ChangeLog for hostapd since 2.4:
+
+2015-09-27 - v2.5
+	* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
+	  [http://w1.fi/security/2015-2/] (CVE-2015-4141)
+	* fixed WMM Action frame parser
+	  [http://w1.fi/security/2015-3/] (CVE-2015-4142)
+	* fixed EAP-pwd server missing payload length validation
+	  [http://w1.fi/security/2015-4/]
+	  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145)
+	* fixed validation of WPS and P2P NFC NDEF record payload length
+	  [http://w1.fi/security/2015-5/]
+	* nl80211:
+	  - fixed vendor command handling to check OUI properly
+	* fixed hlr_auc_gw build with OpenSSL
+	* hlr_auc_gw: allow Milenage RES length to be reduced
+	* disable HT for a station that does not support WMM/QoS
+	* added support for hashed password (NtHash) in EAP-pwd server
+	* fixed and extended dynamic VLAN cases
+	* added EAP-EKE server support for deriving Session-Id
+	* set Acct-Session-Id to a random value to make it more likely to be
+	  unique even if the device does not have a proper clock
+	* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
+	* modified SAE routines to be more robust and PWE generation to be
+	  stronger against timing attacks
+	* added support for Brainpool Elliptic Curves with SAE
+	* increases maximum value accepted for cwmin/cwmax
+	* added support for CCMP-256 and GCMP-256 as group ciphers with FT
+	* added Fast Session Transfer (FST) module
+	* removed optional fields from RSNE when using FT with PMF
+	  (workaround for interoperability issues with iOS 8.4)
+	* added EAP server support for TLS session resumption
+	* fixed key derivation for Suite B 192-bit AKM (this breaks
+	  compatibility with the earlier version)
+	* added mechanism to track unconnected stations and do minimal band
+	  steering
+	* number of small fixes
+
 -------------------------------------------------------------------
 Thu Apr 23 19:45:41 UTC 2015 - michael@stroeder.com

--- a/hostapd.spec
+++ b/hostapd.spec
@ -26,15 +26,13 @@ BuildRequires:  pkgconfig(systemd)
 Summary:        Turns Your WLAN Card into a WPA capable Access Point
 License:        GPL-2.0 or BSD-3-Clause
 Group:          Hardware/Wifi
-Version:        2.4
+Version:        2.5
 Release:        0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://w1.fi/
 Source:         http://w1.fi/releases/hostapd-%{version}.tar.gz
 Source1:        hostapd.service
-Patch0:         hostapd-2.4-defconfig.patch
-# CVE-2015-1863
-Patch1:         0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
+Patch0:         hostapd-2.5-defconfig.patch
 %{?systemd_requires}

 %description
@ -49,7 +47,6 @@ authentication via any ethernet driver.
 %prep
 %setup -q -n hostapd-%{version}
 %patch0 -p0
-%patch1 -p1

 cd hostapd
 cp defconfig .config