Changelog for
hostapd-2.6-8.1.x86_64.rpm :
Wed Oct 18 14:00:00 2017 chrisAATTintrbiz.com
- Fix KRACK attacks (bsc#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
* rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
* rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
* rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
* rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
* rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
* rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
* rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
* rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
Sun Oct 2 14:00:00 2016 chrisAATTintrbiz.com
- update to upstream release 2.6
* fixed EAP-pwd last fragment validation
[http://w1.fi/security/2015-7/] (CVE-2015-5314)
* fixed WPS configuration update vulnerability with malformed passphrase
[http://w1.fi/security/2016-1/] (CVE-2016-4476)
* extended channel switch support for VHT bandwidth changes
* added support for configuring new ANQP-elements with
anqp_elem=
:
* fixed Suite B 192-bit AKM to use proper PMK length
(note: this makes old releases incompatible with the fixed behavior)
* added no_probe_resp_if_max_sta=1 parameter to disable Probe Response
frame sending for not-associated STAs if max_num_sta limit has been
reached
* added option (-S as command line argument) to request all interfaces
to be started at the same time
* modified rts_threshold and fragm_threshold configuration parameters
to allow -1 to be used to disable RTS/fragmentation
* EAP-pwd: added support for Brainpool Elliptic Curves
(with OpenSSL 1.0.2 and newer)
* fixed EAPOL reauthentication after FT protocol run
* fixed FTIE generation for 4-way handshake after FT protocol run
* fixed and improved various FST operations
* TLS server
- support SHA384 and SHA512 hashes
- support TLS v1.2 signature algorithm with SHA384 and SHA512
- support PKCS #5 v2.0 PBES2
- support PKCS #5 with PKCS #12 style key decryption
- minimal support for PKCS #12
- support OCSP stapling (including ocsp_multi)
* added support for OpenSSL 1.1 API changes
- drop support for OpenSSL 0.9.8
- drop support for OpenSSL 1.0.0
* EAP-PEAP: support fast-connect crypto binding
* RADIUS
- fix Called-Station-Id to not escape SSID
- add Event-Timestamp to all Accounting-Request packets
- add Acct-Session-Id to Accounting-On/Off
- add Acct-Multi-Session-Id ton Access-Request packets
- add Service-Type (= Frames)
- allow server to provide PSK instead of passphrase for WPA-PSK
Tunnel_password case
- update full message for interim accounting updates
- add Acct-Delay-Time into Accounting messages
- add require_message_authenticator configuration option to require
CoA/Disconnect-Request packets to be authenticated
* started to postpone WNM-Notification frame sending by 100 ms so that
the STA has some more time to configure the key before this frame is
received after the 4-way handshake
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
* extended VLAN support (per-STA vif, etc.)
* fixed PMKID derivation with SAE
* nl80211
- added support for full station state operations
- fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames
* added initial MBO support; number of extensions to WNM BSS Transition
Management
* added initial functionality for location related operations
* added assocresp_elements parameter to allow vendor specific elements
to be added into (Re)Association Response frames
* improved Public Action frame addressing
- use Address 3 = wildcard BSSID in GAS response if a query from an
unassociated STA used that address
- fix TX status processing for Address 3 = wildcard BSSID
- add gas_address3 configuration parameter to control Address 3
behavior
* added command line parameter -i to override interface parameter in
hostapd.conf
* added command completion support to hostapd_cli
* added passive client taxonomy determination (CONFIG_TAXONOMY=y
compile option and \"SIGNATURE \" control interface command)
* number of small fixes
- renamed hostapd-2.5-defconfig.patch to hostapd-2.6-defconfig.patch
Sun Oct 18 14:00:00 2015 michaelAATTstroeder.com
- update to upstream release 2.5
- removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
(CVE-2015-1863) because it\'s fixed in upstream release 2.5
- rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch
ChangeLog for hostapd since 2.4:
2015-09-27 - v2.5
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
[http://w1.fi/security/2015-2/] (CVE-2015-4141 bsc#930077)
* fixed WMM Action frame parser
[http://w1.fi/security/2015-3/] (CVE-2015-4142 bsc#930078)
* fixed EAP-pwd server missing payload length validation
[http://w1.fi/security/2015-4/]
(CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, bsc#930079)
* fixed validation of WPS and P2P NFC NDEF record payload length
[http://w1.fi/security/2015-5/]
* nl80211:
- fixed vendor command handling to check OUI properly
* fixed hlr_auc_gw build with OpenSSL
* hlr_auc_gw: allow Milenage RES length to be reduced
* disable HT for a station that does not support WMM/QoS
* added support for hashed password (NtHash) in EAP-pwd server
* fixed and extended dynamic VLAN cases
* added EAP-EKE server support for deriving Session-Id
* set Acct-Session-Id to a random value to make it more likely to be
unique even if the device does not have a proper clock
* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
* modified SAE routines to be more robust and PWE generation to be
stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* increases maximum value accepted for cwmin/cwmax
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* added Fast Session Transfer (FST) module
* removed optional fields from RSNE when using FT with PMF
(workaround for interoperability issues with iOS 8.4)
* added EAP server support for TLS session resumption
* fixed key derivation for Suite B 192-bit AKM (this breaks
compatibility with the earlier version)
* added mechanism to track unconnected stations and do minimal band
steering
* number of small fixes
Thu Apr 23 14:00:00 2015 michaelAATTstroeder.com
- update version 2.4
- added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
for CVE-2015-1863
- updated URLs
- require pkg-config and libnl3-devel during build
- replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch
ChangeLog for hostapd since 2.3:
2015-03-15 - v2.4
* allow OpenSSL cipher configuration to be set for internal EAP server
(openssl_ciphers parameter)
* fixed number of small issues based on hwsim test case failures and
static analyzer reports
* fixed Accounting-Request to not include duplicated Acct-Session-Id
* add support for Acct-Multi-Session-Id in RADIUS Accounting messages
* add support for PMKSA caching with SAE
* add support for generating BSS Load element (bss_load_update_period)
* fixed channel switch from VHT to HT
* add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
* add support for learning STA IPv4/IPv6 addresses and configuring
ProxyARP support
* dropped support for the madwifi driver interface
* add support for Suite B (128-bit and 192-bit level) key management and
cipher suites
* fixed a regression with driver=wired
* extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
* add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
Request frames and BSS-TM-RESP event to indicate response to such
frame
* add support for EAP Re-Authentication Protocol (ERP)
* fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
* fixed a regression in HT 20/40 coex Action frame parsing
* set stdout to be line-buffered
* add support for vendor specific VHT extension to enable 256 QAM rates
(VHT-MCS 8 and 9) on 2.4 GHz band
* RADIUS DAS:
- extend Disconnect-Request processing to allow matching of multiple
sessions
- support Acct-Multi-Session-Id as an identifier
- allow PMKSA cache entry to be removed without association
* expire hostapd STA entry if kernel does not have a matching entry
* allow chanlist to be used to specify a subset of channels for ACS
* improve ACS behavior on 2.4 GHz band and allow channel bias to be
configured with acs_chan_bias parameter
* do not reply to a Probe Request frame that includes DSS Parameter Set
element in which the channel does not match the current operating
channel
* add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
frame contents to be updated and to start beaconing on an interface
that used start_disabled=1
* fixed some RADIUS server failover cases
Mon Jan 5 13:00:00 2015 michaelAATTstroeder.com
- update version 2.3
- removed patch hostapd-2.1-be-host_to_le.patch because it
seems obsolete
- hostapd-2.1-defconfig.patch rediffed and renamed to hostapd-2.3-defconfig.patch
ChangeLog for hostapd since 2.1:
2014-10-09 - v2.3
* fixed number of minor issues identified in static analyzer warnings
* fixed DFS and channel switch operation for multi-BSS cases
* started to use constant time comparison for various password and hash
values to reduce possibility of any externally measurable timing
differences
* extended explicit clearing of freed memory and expired keys to avoid
keeping private data in memory longer than necessary
* added support for number of new RADIUS attributes from RFC 7268
(Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,
WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
* fixed GET_CONFIG wpa_pairwise_cipher value
* added code to clear bridge FDB entry on station disconnection
* fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
* fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop
in case the first entry does not match
* fixed hostapd_cli action script execution to use more robust mechanism
(CVE-2014-3686)
2014-06-04 - v2.2
* fixed SAE confirm-before-commit validation to avoid a potential
segmentation fault in an unexpected message sequence that could be
triggered remotely
* extended VHT support
- Operating Mode Notification
- Power Constraint element (local_pwr_constraint)
- Spectrum management capability (spectrum_mgmt_required=1)
- fix VHT80 segment picking in ACS
- fix vht_capab \'Maximum A-MPDU Length Exponent\' handling
- fix VHT20
* fixed HT40 co-ex scan for some pri/sec channel switches
* extended HT40 co-ex support to allow dynamic channel width changes
during the lifetime of the BSS
* fixed HT40 co-ex support to check for overlapping 20 MHz BSS
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
this fixes password with include UTF-8 characters that use
three-byte encoding EAP methods that use NtPasswordHash
* reverted TLS certificate validation step change in v2.1 that rejected
any AAA server certificate with id-kp-clientAuth even if
id-kp-serverAuth EKU was included
* fixed STA validation step for WPS ER commands to prevent a potential
crash if an ER sends an unexpected PutWLANResponse to a station that
is disassociated, but not fully removed
* enforce full EAP authentication after RADIUS Disconnect-Request by
removing the PMKSA cache entry
* added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
in RADIUS Disconnect-Request
* added mechanism for removing addresses for MAC ACLs by prefixing an
entry with \"-\"
* Interworking/Hotspot 2.0 enhancements
- support Hotspot 2.0 Release 2
* OSEN network for online signup connection
* subscription remediation (based on RADIUS server request or
control interface HS20_WNM_NOTIF for testing purposes)
* Hotspot 2.0 release number indication in WFA RADIUS VSA
* deauthentication request (based on RADIUS server request or
control interface WNM_DEAUTH_REQ for testing purposes)
* Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
* hs20_icon config parameter to configure icon files for OSU
* osu_
* config parameters for OSU Providers list
- do not use Interworking filtering rules on Probe Request if
Interworking is disabled to avoid interop issues
* added/fixed nl80211 functionality
- AP interface teardown optimization
- support vendor specific driver command
(VENDOR [])
* fixed PMF protection of Deauthentication frame when this is triggered
by session timeout
* internal TLS implementation enhancements/fixes
- add SHA256-based cipher suites
- add DHE-RSA cipher suites
- fix X.509 validation of PKCS#1 signature to check for extra data
* RADIUS server functionality
- add minimal RADIUS accounting server support (hostapd-as-server);
this is mainly to enable testing coverage with hwsim scripts
- allow authentication log to be written into SQLite databse
- added option for TLS protocol testing of an EAP peer by simulating
various misbehaviors/known attacks
- MAC ACL support for testing purposes
* fixed PTK derivation for CCMP-256 and GCMP-256
* extended WPS per-station PSK to support ER case
* added option to configure the management group cipher
(group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
BIP-CMAC-256)
* fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
were rounded incorrectly)
* added support for postponing FT response in case PMK-R1 needs to be
pulled from R0KH
* added option to advertise 40 MHz intolerant HT capability with
ht_capab=[40-INTOLERANT]
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
whenever CONFIG_WPS=y is set
* EAP-pwd fixes
- fix possible segmentation fault on EAP method deinit if an invalid
group is negotiated
* fixed RADIUS client retransmit/failover behavior
- there was a potential ctash due to freed memory being accessed
- failover to a backup server mechanism did not work properly
* fixed a possible crash on double DISABLE command when multiple BSSes
are enabled
* fixed a memory leak in SAE random number generation
* fixed GTK rekeying when the station uses FT protocol
* fixed off-by-one bounds checking in printf_encode()
- this could result in deinial of service in some EAP server cases
* various bug fixes
Tue May 27 14:00:00 2014 crrodriguezAATTopensuse.org
- Update hostapd-2.1-defconfig.patch and spec file
to build with libnl3 instead of libnl1
Wed Apr 16 14:00:00 2014 iAATTmarguerite.su
- update version 2.1
* see http://hostap.epitest.fi/cgit/hostap/log/ for details.
- change hostapd.diff to hostapd-2.1-defconfig.patch
- remove patch: hostapd-tmp.diff, no longer needed.
Wed Oct 2 14:00:00 2013 dvaleevAATTsuse.com
- fix host_to_le32 undefined on BigEndian architectures
(hostapd-be-host_to_le.patch)
Thu Apr 18 14:00:00 2013 ajAATTsuse.com
- Do not package /etc/init.d
- Do not install init file since package contains a service file and
is only build for Factory
- Cleanup spec file
- Use /run instead of /var/run
Wed Apr 17 14:00:00 2013 cfarrellAATTsuse.com
- license update: GPL-2.0 or BSD-3-Clause
README makes it clear that this is a dual license - i.e. choice of either
or
Tue Apr 9 14:00:00 2013 avm-xandryAATTyandex.ru
- update to version 2.0
- fix corrected file name hostapd.dif to hostapd.diff
- in default config includes all features (IEEE 802.11w, Hotspot 2.0, IEEE 802.11ac, WPS, etc.)
Tue Nov 6 13:00:00 2012 crrodriguezAATTopensuse.org
- Add Native systemd units
Tue May 15 14:00:00 2012 glinAATTsuse.com
- update to version 1.0
- respin hostapd.dif to fit the new defconfig
- change the file permission of the config files with passwords
to 600 (bnc#740964)
Wed Oct 12 14:00:00 2011 lnusselAATTsuse.de
- update to version 0.7.3
- don\'t use /tmp for dump file in default config
- verbose build
- fix build for older distros
- enable driver \'none\' for radius only mode
- add init script
Fri Sep 30 14:00:00 2011 uliAATTsuse.com
- cross-build fix: use %__cc macro
Fri Sep 16 14:00:00 2011 jengelhAATTmedozas.de
- Select libnl-1_1-devel
Sun Oct 31 13:00:00 2010 jengelhAATTmedozas.de
- Use %_smp_mflags
Wed Jun 9 14:00:00 2010 sndirschAATTsuse.de
- udpated to release 0.6.10
- updated hostapd.dif
- git-commit-eb1f744.diff:
* Move DTIM period configuration into Beacon set operation; fixes
\"Could not set DTIM period for kernel driver; wlan0: Unable to
setup interface.rmdir[ctrl_interface]: No such file or
directory\" error when using \"nl80211\" driver
