- update to 2.10.0:
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2); this is currently disabled by default, but will likely
get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed
invalid frame
[https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed
invalid frame
[https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to
support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
OBS-URL: https://build.opensuse.org/request/show/948384
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=130
- Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
OBS-URL: https://build.opensuse.org/request/show/745147
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=97
- compile eapol_test binary to allow testing via
radius proxy and server
(note: this does not match CONFIG_EAPOL_TEST which sets -Werror
and activates an assert call inside the code of wpa_supplicant)
(bsc#1111873), (fate#326725)o
- add patch to fix wrong operator precedence in ieee802_11.c
wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
- add patch to avoid redefinition of __bitwise macro
wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
OBS-URL: https://build.opensuse.org/request/show/642093
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=87
- updated to 2.6 / 2016-10-02
* fixed WNM Sleep Mode processing when PMF is not enabled
[http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254)
* fixed EAP-pwd last fragment validation
[http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115)
* fixed EAP-pwd unexpected Confirm message processing
[http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115)
* fixed WPS configuration update vulnerability with malformed passphrase
[http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172)
* fixed configuration update vulnerability with malformed parameters set
over the local control interface
[http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175)
* fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
* extended channel switch support for P2P GO
* started to throttle control interface event message bursts to avoid
issues with monitor sockets running out of buffer space
* mesh mode fixes/improvements
- generate proper AID for peer
- enable WMM by default
- add VHT support
- fix PMKID derivation
- improve robustness on various exchanges
- fix peer link counting in reconnect case
- improve mesh joining behavior
- allow DTIM period to be configured
- allow HT to be disabled (disable_ht=1)
- add MESH_PEER_ADD and MESH_PEER_REMOVE commands
- add support for PMKSA caching
- add minimal support for SAE group negotiation
- allow pairwise/group cipher to be configured in the network profile
OBS-URL: https://build.opensuse.org/request/show/433620
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=68
- Previous update did not include version 2.5 tarball
or changed the version number in spec, only the changelog
and removed patches.
- config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable·
random number generator by using /dev/urandom, no need to
keep an internal random number pool which draws entropy from
/dev/random.
- config: prefer using epoll(7) instead of select(2)
by setting CONFIG_ELOOP_EPOLL=y
- wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2)
system call to collect entropy. if it is not present disable
buffering when reading /dev/urandom, otherwise each os_get_random()
call will request BUFSIZ of entropy instead of the few needed bytes.
OBS-URL: https://build.opensuse.org/request/show/360174
OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=60
