Mailinglist Archive: opensuse-commit (1903 mails)

< Previous Next >
commit hostapd for openSUSE:Factory
Hello community,

here is the log from the commit of package hostapd for openSUSE:Factory checked
in at 2019-04-24 13:57:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/hostapd (Old)
and /work/SRC/openSUSE:Factory/.hostapd.new.5536 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "hostapd"

Wed Apr 24 13:57:50 2019 rev:36 rq:697441 version:2.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/hostapd/hostapd.changes 2019-01-08
12:31:37.296066724 +0100
+++ /work/SRC/openSUSE:Factory/.hostapd.new.5536/hostapd.changes
2019-04-24 13:57:52.803969982 +0200
@@ -1,0 +2,127 @@
+Wed Apr 24 07:22:30 UTC 2019 - Michael Ströder <michael@xxxxxxxxxxxx>
+
+- Update to version 2.8
+ * SAE changes
+ - added support for SAE Password Identifier
+ - changed default configuration to enable only group 19
+ (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+ disable all unsuitable groups completely based on REVmd changes
+ - improved anti-clogging token mechanism and SAE authentication
+ frame processing during heavy CPU load; this mitigates some issues
+ with potential DoS attacks trying to flood an AP with large number
+ of SAE messages
+ - added Finite Cyclic Group field in status code 77 responses
+ - reject use of unsuitable groups based on new implementation guidance
+ in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+ groups with prime >= 256)
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+ - fixed confirm message validation in error cases
+ [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+ * EAP-pwd changes
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+ - verify peer scalar/element
+ [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+ - fix message reassembly issue with unexpected fragment
+ [https://w1.fi/security/2019-5/]
+ - enforce rand,mask generation rules more strictly
+ - fix a memory leak in PWE derivation
+ - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+ 27)
+ * Hotspot 2.0 changes
+ - added support for release number 3
+ - reject release 2 or newer association without PMF
+ * added support for RSN operating channel validation
+ (CONFIG_OCV=y and configuration parameter ocv=1)
+ * added Multi-AP protocol support
+ * added FTM responder configuration
+ * fixed build with LibreSSL
+ * added FT/RRB workaround for short Ethernet frame padding
+ * fixed KEK2 derivation for FILS+FT
+ * added RSSI-based association rejection from OCE
+ * extended beacon reporting functionality
+ * VLAN changes
+ - allow local VLAN management with remote RADIUS authentication
+ - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+ * OpenSSL: allow systemwide policies to be overridden
+ * extended PEAP to derive EMSK to enable use with ERP/FILS
+ * extended WPS to allow SAE configuration to be added automatically
+ for PSK (wps_cred_add_sae=1)
+ * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+ * OWE: allow Diffie-Hellman Parameter element to be included with DPP
+ in preparation for DPP protocol extension
+ * RADIUS server: started to accept ERP keyName-NAI as user identity
+ automatically without matching EAP database entry
+ * fixed PTK rekeying with FILS and FT
+
+ wpa_supplicant:
+ * SAE changes
+ - added support for SAE Password Identifier
+ - changed default configuration to enable only groups 19, 20, 21
+ (i.e., disable groups 25 and 26) and disable all unsuitable groups
+ completely based on REVmd changes
+ - do not regenerate PWE unnecessarily when the AP uses the
+ anti-clogging token mechanisms
+ - fixed some association cases where both SAE and FT-SAE were enabled
+ on both the station and the selected AP
+ - started to prefer FT-SAE over SAE AKM if both are enabled
+ - started to prefer FT-SAE over FT-PSK if both are enabled
+ - fixed FT-SAE when SAE PMKSA caching is used
+ - reject use of unsuitable groups based on new implementation guidance
+ in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+ groups with prime >= 256)
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+ * EAP-pwd changes
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+ - verify server scalar/element
+ [https://w1.fi/security/2019-4/] (CVE-2019-9499)
+ - fix message reassembly issue with unexpected fragment
+ [https://w1.fi/security/2019-5/]
+ - enforce rand,mask generation rules more strictly
+ - fix a memory leak in PWE derivation
+ - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+ 27)
+ * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
+ * Hotspot 2.0 changes
+ - do not indicate release number that is higher than the one
+ AP supports
+ - added support for release number 3
+ - enable PMF automatically for network profiles created from
+ credentials
+ * fixed OWE network profile saving
+ * fixed DPP network profile saving
+ * added support for RSN operating channel validation
+ (CONFIG_OCV=y and network profile parameter ocv=1)
+ * added Multi-AP backhaul STA support
+ * fixed build with LibreSSL
+ * number of MKA/MACsec fixes and extensions
+ * extended domain_match and domain_suffix_match to allow list of values
+ * fixed dNSName matching in domain_match and domain_suffix_match when
+ using wolfSSL
+ * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
+ are enabled
+ * extended nl80211 Connect and external authentication to support
+ SAE, FT-SAE, FT-EAP-SHA384
+ * fixed KEK2 derivation for FILS+FT
+ * extended client_cert file to allow loading of a chain of PEM
+ encoded certificates
+ * extended beacon reporting functionality
+ * extended D-Bus interface with number of new properties
+ * fixed a regression in FT-over-DS with mac80211-based drivers
+ * OpenSSL: allow systemwide policies to be overridden
+ * extended driver flags indication for separate 802.1X and PSK
+ 4-way handshake offload capability
+ * added support for random P2P Device/Interface Address use
+ * extended PEAP to derive EMSK to enable use with ERP/FILS
+ * extended WPS to allow SAE configuration to be added automatically
+ for PSK (wps_cred_add_sae=1)
+ * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
+ * extended domain_match and domain_suffix_match to allow list of values
+ * added a RSN workaround for misbehaving PMF APs that advertise
+ IGTK/BIP KeyID using incorrect byte order
+ * fixed PTK rekeying with FILS and FT
+
+-------------------------------------------------------------------

Old:
----
hostapd-2.7.tar.gz
hostapd-2.7.tar.gz.asc

New:
----
hostapd-2.8.tar.gz
hostapd-2.8.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ hostapd.spec ++++++
--- /var/tmp/diff_new_pack.tLjsHm/_old 2019-04-24 13:57:53.463969569 +0200
+++ /var/tmp/diff_new_pack.tLjsHm/_new 2019-04-24 13:57:53.467969566 +0200
@@ -17,7 +17,7 @@


Name: hostapd
-Version: 2.7
+Version: 2.8
Release: 0
Summary: Daemon for running a WPA capable Access Point
License: GPL-2.0-only OR BSD-3-Clause

++++++ config ++++++
--- /var/tmp/diff_new_pack.tLjsHm/_old 2019-04-24 13:57:53.495969549 +0200
+++ /var/tmp/diff_new_pack.tLjsHm/_new 2019-04-24 13:57:53.499969546 +0200
@@ -53,6 +53,9 @@
# IEEE 802.11w (management frame protection)
CONFIG_IEEE80211W=y

+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
# Integrated EAP server
CONFIG_EAP=y

@@ -249,6 +252,11 @@
# requirements described above.
#CONFIG_NO_RANDOM_POOL=y

+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
+
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y

@@ -356,8 +364,6 @@
#CONFIG_TAXONOMY=y

# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-# Note: This is an experimental and not yet complete implementation. This
-# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y

++++++ hostapd-2.7.tar.gz -> hostapd-2.8.tar.gz ++++++
++++ 27045 lines of diff (skipped)



< Previous Next >
This Thread
  • No further messages