diff --git a/config b/config
index 42c3410..f2b3b1e 100644
--- a/config
+++ b/config
@@ -53,6 +53,9 @@ CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 CONFIG_IEEE80211W=y
 
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
 # Integrated EAP server
 CONFIG_EAP=y
 
@@ -249,6 +252,11 @@ CONFIG_VLAN_NETLINK=y
 # requirements described above.
 #CONFIG_NO_RANDOM_POOL=y
 
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
+
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 
@@ -356,8 +364,6 @@ CONFIG_MBO=y
 #CONFIG_TAXONOMY=y
 
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-# Note: This is an experimental and not yet complete implementation. This
-# should not be enabled for production use.
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
diff --git a/hostapd-2.7.tar.gz b/hostapd-2.7.tar.gz
deleted file mode 100644
index 1ab22a5..0000000
--- a/hostapd-2.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:21b0dda3cc3abe75849437f6b9746da461f88f0ea49dd621216936f87440a141
-size 2101166
diff --git a/hostapd-2.7.tar.gz.asc b/hostapd-2.7.tar.gz.asc
deleted file mode 100644
index 07f0376..0000000
--- a/hostapd-2.7.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlwEQ5wACgkQK270Mu/IlfpX/gCeKuTFVjKy3P5J0fwW5twOccCZ
-p90An2HZ+1jz75dIAN8m2HVaGGsceGhp
-=DDIo
------END PGP SIGNATURE-----
diff --git a/hostapd-2.8.tar.gz b/hostapd-2.8.tar.gz
new file mode 100644
index 0000000..47928cf
--- /dev/null
+++ b/hostapd-2.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:929f522be6eeec38c53147e7bc084df028f65f148a3f7e4fa6c4c3f955cee4b0
+size 2169018
diff --git a/hostapd-2.8.tar.gz.asc b/hostapd-2.8.tar.gz.asc
new file mode 100644
index 0000000..c6f7e2f
--- /dev/null
+++ b/hostapd-2.8.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAly8dqUACgkQK270Mu/Ilfrz1QCePGQoSBn8O7ZCeCnbGaPhBxdb
+SS0AoI6kfIfpWbgGmA7SQw9Q+lZgA17N
+=oSn7
+-----END PGP SIGNATURE-----
diff --git a/hostapd.changes b/hostapd.changes
index 6073b18..f0ad172 100644
--- a/hostapd.changes
+++ b/hostapd.changes
@@ -1,3 +1,130 @@
+-------------------------------------------------------------------
+Wed Apr 24 07:22:30 UTC 2019 - Michael Ströder <michael@stroeder.com>
+
+- Update to version 2.8
+  * SAE changes
+    - added support for SAE Password Identifier
+    - changed default configuration to enable only group 19
+      (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+      disable all unsuitable groups completely based on REVmd changes
+    - improved anti-clogging token mechanism and SAE authentication
+      frame processing during heavy CPU load; this mitigates some issues
+      with potential DoS attacks trying to flood an AP with large number
+      of SAE messages
+    - added Finite Cyclic Group field in status code 77 responses
+    - reject use of unsuitable groups based on new implementation guidance
+      in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+      groups with prime >= 256)
+    - minimize timing and memory use differences in PWE derivation
+      [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+    - fixed confirm message validation in error cases
+      [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+  * EAP-pwd changes
+    - minimize timing and memory use differences in PWE derivation
+      [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+    - verify peer scalar/element
+      [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+    - fix message reassembly issue with unexpected fragment
+      [https://w1.fi/security/2019-5/]
+    - enforce rand,mask generation rules more strictly
+    - fix a memory leak in PWE derivation
+    - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+      27)
+  * Hotspot 2.0 changes
+    - added support for release number 3
+    - reject release 2 or newer association without PMF
+  * added support for RSN operating channel validation
+    (CONFIG_OCV=y and configuration parameter ocv=1)
+  * added Multi-AP protocol support
+  * added FTM responder configuration
+  * fixed build with LibreSSL
+  * added FT/RRB workaround for short Ethernet frame padding
+  * fixed KEK2 derivation for FILS+FT
+  * added RSSI-based association rejection from OCE
+  * extended beacon reporting functionality
+  * VLAN changes
+    - allow local VLAN management with remote RADIUS authentication
+    - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+  * OpenSSL: allow systemwide policies to be overridden
+  * extended PEAP to derive EMSK to enable use with ERP/FILS
+  * extended WPS to allow SAE configuration to be added automatically
+    for PSK (wps_cred_add_sae=1)
+  * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+  * OWE: allow Diffie-Hellman Parameter element to be included with DPP
+    in preparation for DPP protocol extension
+  * RADIUS server: started to accept ERP keyName-NAI as user identity
+    automatically without matching EAP database entry
+  * fixed PTK rekeying with FILS and FT
+
+  wpa_supplicant:
+  * SAE changes
+    - added support for SAE Password Identifier
+    - changed default configuration to enable only groups 19, 20, 21
+      (i.e., disable groups 25 and 26) and disable all unsuitable groups
+      completely based on REVmd changes
+    - do not regenerate PWE unnecessarily when the AP uses the
+      anti-clogging token mechanisms
+    - fixed some association cases where both SAE and FT-SAE were enabled
+      on both the station and the selected AP
+    - started to prefer FT-SAE over SAE AKM if both are enabled
+    - started to prefer FT-SAE over FT-PSK if both are enabled
+    - fixed FT-SAE when SAE PMKSA caching is used
+    - reject use of unsuitable groups based on new implementation guidance
+      in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+      groups with prime >= 256)
+    - minimize timing and memory use differences in PWE derivation
+      [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+  * EAP-pwd changes
+    - minimize timing and memory use differences in PWE derivation
+      [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+    - verify server scalar/element
+      [https://w1.fi/security/2019-4/] (CVE-2019-9499)
+    - fix message reassembly issue with unexpected fragment
+      [https://w1.fi/security/2019-5/]
+    - enforce rand,mask generation rules more strictly
+    - fix a memory leak in PWE derivation
+    - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+      27)
+  * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
+  * Hotspot 2.0 changes
+    - do not indicate release number that is higher than the one
+      AP supports
+    - added support for release number 3
+    - enable PMF automatically for network profiles created from
+      credentials
+  * fixed OWE network profile saving
+  * fixed DPP network profile saving
+  * added support for RSN operating channel validation
+    (CONFIG_OCV=y and network profile parameter ocv=1)
+  * added Multi-AP backhaul STA support
+  * fixed build with LibreSSL
+  * number of MKA/MACsec fixes and extensions
+  * extended domain_match and domain_suffix_match to allow list of values
+  * fixed dNSName matching in domain_match and domain_suffix_match when
+    using wolfSSL
+  * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
+    are enabled
+  * extended nl80211 Connect and external authentication to support
+    SAE, FT-SAE, FT-EAP-SHA384
+  * fixed KEK2 derivation for FILS+FT
+  * extended client_cert file to allow loading of a chain of PEM
+    encoded certificates
+  * extended beacon reporting functionality
+  * extended D-Bus interface with number of new properties
+  * fixed a regression in FT-over-DS with mac80211-based drivers
+  * OpenSSL: allow systemwide policies to be overridden
+  * extended driver flags indication for separate 802.1X and PSK
+    4-way handshake offload capability
+  * added support for random P2P Device/Interface Address use
+  * extended PEAP to derive EMSK to enable use with ERP/FILS
+  * extended WPS to allow SAE configuration to be added automatically
+    for PSK (wps_cred_add_sae=1)
+  * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
+  * extended domain_match and domain_suffix_match to allow list of values
+  * added a RSN workaround for misbehaving PMF APs that advertise
+    IGTK/BIP KeyID using incorrect byte order
+  * fixed PTK rekeying with FILS and FT
+
 -------------------------------------------------------------------
 Fri Dec 28 12:01:55 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
 
diff --git a/hostapd.spec b/hostapd.spec
index 8c0fed0..9a1dc11 100644
--- a/hostapd.spec
+++ b/hostapd.spec
@@ -17,7 +17,7 @@
 
 
 Name:           hostapd
-Version:        2.7
+Version:        2.8
 Release:        0
 Summary:        Daemon for running a WPA capable Access Point
 License:        GPL-2.0-only OR BSD-3-Clause