SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for hostapd-debugsource-2.9-bp155.2.12.x86_64.rpm :

* Tue Apr 06 2021 Clemens Famulla-Conrad - Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)
* Tue Feb 23 2021 Michael Ströder - added AppArmor profile (source apparmor-usr.sbin.hostapd)
* Tue Sep 29 2020 Clemens Famulla-Conrad - Add CVE-2020-12695.patch -- UPnP SUBSCRIBE misbehavior in hostapd WPS AP (bsc#1172700)
* Thu Apr 23 2020 Clemens Famulla-Conrad - Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)
* Thu Sep 05 2019 Michael Ströder - Update to version 2.9
* SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
* EAP-pwd changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
* added configuration of airtime policy
* fixed FILS to and RSNE into (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* added support for regulatory WMM limitation (for ETSI)
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
* added experimental support for EAP-TEAP server (RFC 7170)
* added experimental support for EAP-TLS server with TLS v1.3
* added support for two server certificates/keys (RSA/ECC)
* added AKMSuiteSelector into \"STA \" control interface data to determine with AKM was used for an association
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and fast reauthentication use to be disabled
* fixed an ECDH operation corner case with OpenSSL
* Wed Apr 24 2019 Michael Ströder - Update to version 2.8
* SAE changes - added support for SAE Password Identifier - changed default configuration to enable only group 19 (i.e., disable groups 20, 21, 25, 26 from default configuration) and disable all unsuitable groups completely based on REVmd changes - improved anti-clogging token mechanism and SAE authentication frame processing during heavy CPU load; this mitigates some issues with potential DoS attacks trying to flood an AP with large number of SAE messages - added Finite Cyclic Group field in status code 77 responses - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494) - fixed confirm message validation in error cases [https://w1.fi/security/2019-3/] (CVE-2019-9496)
* EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495) - verify peer scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
* Hotspot 2.0 changes - added support for release number 3 - reject release 2 or newer association without PMF
* added support for RSN operating channel validation (CONFIG_OCV=y and configuration parameter ocv=1)
* added Multi-AP protocol support
* added FTM responder configuration
* fixed build with LibreSSL
* added FT/RRB workaround for short Ethernet frame padding
* fixed KEK2 derivation for FILS+FT
* added RSSI-based association rejection from OCE
* extended beacon reporting functionality
* VLAN changes - allow local VLAN management with remote RADIUS authentication - add WPA/WPA2 passphrase/PSK -based VLAN assignment
* OpenSSL: allow systemwide policies to be overridden
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1)
* fixed FT and SA Query Action frame with AP-MLME-in-driver cases
* OWE: allow Diffie-Hellman Parameter element to be included with DPP in preparation for DPP protocol extension
* RADIUS server: started to accept ERP keyName-NAI as user identity automatically without matching EAP database entry
* fixed PTK rekeying with FILS and FT wpa_supplicant:
* SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494)
* EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9499) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled
* extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* Fri Dec 28 2018 Jan Engelhardt - Use noun phrase in summary.
* Mon Dec 17 2018 Karol Babioch - Applied spec-cleaner- Added bug reference- Use defconfig file as template for configuration instead of patching it during build. This is easier to maintain in the long run. This removes the patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is copied over from the source directory.- Enabled CLI editing and history support.
* Fri Dec 07 2018 mardnhAATTgmx.de- Update to version 2.7
* fixed WPA packet number reuse with replayed messages and key reinstallation [http://w1.fi/security/2017-1/] (CVE-2017-13082) (bsc#1056061)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* FT: - added local generation of PMK-R0/PMK-R1 for FT-PSK (ft_psk_generate_local=1) - replaced inter-AP protocol with a cleaner design that is more easily extensible; this breaks backward compatibility and requires all APs in the ESS to be updated at the same time to maintain FT functionality - added support for wildcard R0KH/R1KH - replaced r0_key_lifetime (minutes) parameter with ft_r0_key_lifetime (seconds) - fixed wpa_psk_file use for FT-PSK - fixed FT-SAE PMKID matching - added expiration to PMK-R0 and PMK-R1 cache - added IEEE VLAN support (including tagged VLANs) - added support for SHA384 based AKM
* SAE - fixed some PMKSA caching cases with SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - added option to require MFP for SAE associations (sae_require_pmf=1) - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier
* hostapd_cli: added support for command history and completion
* added support for requesting beacon report
* large number of other fixes, cleanup, and extensions
* added option to configure EAPOL-Key retry limits (wpa_group_update_count and wpa_pairwise_update_count)
* removed all PeerKey functionality
* fixed nl80211 AP mode configuration regression with Linux 4.15 and newer
* added support for using wolfSSL cryptographic library
* fixed some 20/40 MHz coexistence cases where the BSS could drop to 20 MHz even when 40 MHz would be allowed
* Hotspot 2.0 - added support for setting Venue URL ANQP-element (venue_url) - added support for advertising Hotspot 2.0 operator icons - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS
* added support for using OpenSSL 1.1.1
* added EAP-pwd server support for salted passwords- Remove not longer needed patches (fixed upstream)
* rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
* rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
* rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
* rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
* rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
* rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
* rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
* rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch- Verify source signature
* Fri Oct 19 2018 Karol Babioch - Added rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).
* Wed Oct 18 2017 chrisAATTintrbiz.com- Fix KRACK attacks (bsc#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
* rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
* rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
* rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
* rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
* rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
* rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
* rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
* rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
* Sun Oct 02 2016 chrisAATTintrbiz.com- update to upstream release 2.6
* fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5314)
* fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476)
* extended channel switch support for VHT bandwidth changes
* added support for configuring new ANQP-elements with anqp_elem=:
* fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior)
* added no_probe_resp_if_max_sta=1 parameter to disable Probe Response frame sending for not-associated STAs if max_num_sta limit has been reached
* added option (-S as command line argument) to request all interfaces to be started at the same time
* modified rts_threshold and fragm_threshold configuration parameters to allow -1 to be used to disable RTS/fragmentation
* EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer)
* fixed EAPOL reauthentication after FT protocol run
* fixed FTIE generation for 4-way handshake after FT protocol run
* fixed and improved various FST operations
* TLS server - support SHA384 and SHA512 hashes - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi)
* added support for OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0
* EAP-PEAP: support fast-connect crypto binding
* RADIUS - fix Called-Station-Id to not escape SSID - add Event-Timestamp to all Accounting-Request packets - add Acct-Session-Id to Accounting-On/Off - add Acct-Multi-Session-Id ton Access-Request packets - add Service-Type (= Frames) - allow server to provide PSK instead of passphrase for WPA-PSK Tunnel_password case - update full message for interim accounting updates - add Acct-Delay-Time into Accounting messages - add require_message_authenticator configuration option to require CoA/Disconnect-Request packets to be authenticated
* started to postpone WNM-Notification frame sending by 100 ms so that the STA has some more time to configure the key before this frame is received after the 4-way handshake
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
* extended VLAN support (per-STA vif, etc.)
* fixed PMKID derivation with SAE
* nl80211 - added support for full station state operations - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames
* added initial MBO support; number of extensions to WNM BSS Transition Management
* added initial functionality for location related operations
* added assocresp_elements parameter to allow vendor specific elements to be added into (Re)Association Response frames
* improved Public Action frame addressing - use Address 3 = wildcard BSSID in GAS response if a query from an unassociated STA used that address - fix TX status processing for Address 3 = wildcard BSSID - add gas_address3 configuration parameter to control Address 3 behavior
* added command line parameter -i to override interface parameter in hostapd.conf
* added command completion support to hostapd_cli
* added passive client taxonomy determination (CONFIG_TAXONOMY=y compile option and \"SIGNATURE \" control interface command)
* number of small fixes- renamed hostapd-2.5-defconfig.patch to hostapd-2.6-defconfig.patch
* Sun Oct 18 2015 michaelAATTstroeder.com- update to upstream release 2.5- removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch (CVE-2015-1863) because it\'s fixed in upstream release 2.5- rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch ChangeLog for hostapd since 2.4: 2015-09-27 - v2.5
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141 bsc#930077)
* fixed WMM Action frame parser [http://w1.fi/security/2015-3/] (CVE-2015-4142 bsc#930078)
* fixed EAP-pwd server missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, bsc#930079)
* fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/]
* nl80211: - fixed vendor command handling to check OUI properly
* fixed hlr_auc_gw build with OpenSSL
* hlr_auc_gw: allow Milenage RES length to be reduced
* disable HT for a station that does not support WMM/QoS
* added support for hashed password (NtHash) in EAP-pwd server
* fixed and extended dynamic VLAN cases
* added EAP-EKE server support for deriving Session-Id
* set Acct-Session-Id to a random value to make it more likely to be unique even if the device does not have a proper clock
* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
* modified SAE routines to be more robust and PWE generation to be stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* increases maximum value accepted for cwmin/cwmax
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* added Fast Session Transfer (FST) module
* removed optional fields from RSNE when using FT with PMF (workaround for interoperability issues with iOS 8.4)
* added EAP server support for TLS session resumption
* fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version)
* added mechanism to track unconnected stations and do minimal band steering
* number of small fixes
* Thu Apr 23 2015 michaelAATTstroeder.com- update version 2.4- added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch for CVE-2015-1863- updated URLs- require pkg-config and libnl3-devel during build- replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch ChangeLog for hostapd since 2.3: 2015-03-15 - v2.4
* allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter)
* fixed number of small issues based on hwsim test case failures and static analyzer reports
* fixed Accounting-Request to not include duplicated Acct-Session-Id
* add support for Acct-Multi-Session-Id in RADIUS Accounting messages
* add support for PMKSA caching with SAE
* add support for generating BSS Load element (bss_load_update_period)
* fixed channel switch from VHT to HT
* add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
* add support for learning STA IPv4/IPv6 addresses and configuring ProxyARP support
* dropped support for the madwifi driver interface
* add support for Suite B (128-bit and 192-bit level) key management and cipher suites
* fixed a regression with driver=wired
* extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
* add BSS_TM_REQ ctrl_iface command to send BSS Transition Management Request frames and BSS-TM-RESP event to indicate response to such frame
* add support for EAP Re-Authentication Protocol (ERP)
* fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
* fixed a regression in HT 20/40 coex Action frame parsing
* set stdout to be line-buffered
* add support for vendor specific VHT extension to enable 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band
* RADIUS DAS: - extend Disconnect-Request processing to allow matching of multiple sessions - support Acct-Multi-Session-Id as an identifier - allow PMKSA cache entry to be removed without association
* expire hostapd STA entry if kernel does not have a matching entry
* allow chanlist to be used to specify a subset of channels for ACS
* improve ACS behavior on 2.4 GHz band and allow channel bias to be configured with acs_chan_bias parameter
* do not reply to a Probe Request frame that includes DSS Parameter Set element in which the channel does not match the current operating channel
* add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon frame contents to be updated and to start beaconing on an interface that used start_disabled=1
* fixed some RADIUS server failover cases
* Mon Jan 05 2015 michaelAATTstroeder.com- update version 2.3- removed patch hostapd-2.1-be-host_to_le.patch because it seems obsolete- hostapd-2.1-defconfig.patch rediffed and renamed to hostapd-2.3-defconfig.patch ChangeLog for hostapd since 2.1: 2014-10-09 - v2.3
* fixed number of minor issues identified in static analyzer warnings
* fixed DFS and channel switch operation for multi-BSS cases
* started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences
* extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary
* added support for number of new RADIUS attributes from RFC 7268 (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher, WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
* fixed GET_CONFIG wpa_pairwise_cipher value
* added code to clear bridge FDB entry on station disconnection
* fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
* fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop in case the first entry does not match
* fixed hostapd_cli action script execution to use more robust mechanism (CVE-2014-3686) 2014-06-04 - v2.2
* fixed SAE confirm-before-commit validation to avoid a potential segmentation fault in an unexpected message sequence that could be triggered remotely
* extended VHT support - Operating Mode Notification - Power Constraint element (local_pwr_constraint) - Spectrum management capability (spectrum_mgmt_required=1) - fix VHT80 segment picking in ACS - fix vht_capab \'Maximum A-MPDU Length Exponent\' handling - fix VHT20
* fixed HT40 co-ex scan for some pri/sec channel switches
* extended HT40 co-ex support to allow dynamic channel width changes during the lifetime of the BSS
* fixed HT40 co-ex support to check for overlapping 20 MHz BSS
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; this fixes password with include UTF-8 characters that use three-byte encoding EAP methods that use NtPasswordHash
* reverted TLS certificate validation step change in v2.1 that rejected any AAA server certificate with id-kp-clientAuth even if id-kp-serverAuth EKU was included
* fixed STA validation step for WPS ER commands to prevent a potential crash if an ER sends an unexpected PutWLANResponse to a station that is disassociated, but not fully removed
* enforce full EAP authentication after RADIUS Disconnect-Request by removing the PMKSA cache entry
* added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address in RADIUS Disconnect-Request
* added mechanism for removing addresses for MAC ACLs by prefixing an entry with \"-\"
* Interworking/Hotspot 2.0 enhancements - support Hotspot 2.0 Release 2
* OSEN network for online signup connection
* subscription remediation (based on RADIUS server request or control interface HS20_WNM_NOTIF for testing purposes)
* Hotspot 2.0 release number indication in WFA RADIUS VSA
* deauthentication request (based on RADIUS server request or control interface WNM_DEAUTH_REQ for testing purposes)
* Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
* hs20_icon config parameter to configure icon files for OSU
* osu_
* config parameters for OSU Providers list - do not use Interworking filtering rules on Probe Request if Interworking is disabled to avoid interop issues
* added/fixed nl80211 functionality - AP interface teardown optimization - support vendor specific driver command (VENDOR [])
* fixed PMF protection of Deauthentication frame when this is triggered by session timeout
* internal TLS implementation enhancements/fixes - add SHA256-based cipher suites - add DHE-RSA cipher suites - fix X.509 validation of PKCS#1 signature to check for extra data
* RADIUS server functionality - add minimal RADIUS accounting server support (hostapd-as-server); this is mainly to enable testing coverage with hwsim scripts - allow authentication log to be written into SQLite databse - added option for TLS protocol testing of an EAP peer by simulating various misbehaviors/known attacks - MAC ACL support for testing purposes
* fixed PTK derivation for CCMP-256 and GCMP-256
* extended WPS per-station PSK to support ER case
* added option to configure the management group cipher (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256)
* fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these were rounded incorrectly)
* added support for postponing FT response in case PMK-R1 needs to be pulled from R0KH
* added option to advertise 40 MHz intolerant HT capability with ht_capab=[40-INTOLERANT]
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled whenever CONFIG_WPS=y is set
* EAP-pwd fixes - fix possible segmentation fault on EAP method deinit if an invalid group is negotiated
* fixed RADIUS client retransmit/failover behavior - there was a potential ctash due to freed memory being accessed - failover to a backup server mechanism did not work properly
* fixed a possible crash on double DISABLE command when multiple BSSes are enabled
* fixed a memory leak in SAE random number generation
* fixed GTK rekeying when the station uses FT protocol
* fixed off-by-one bounds checking in printf_encode() - this could result in deinial of service in some EAP server cases
* various bug fixes
  
ICM