-
wpa (2:2.7+git20190128+0c1e29f-6+deb10u3) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
* WPS UPnP: Do not allow event subscriptions with URLs to other networks
(CVE-2020-12695) (Closes: #976106)
* WPS UPnP: Fix event message generation using a long URL path
(CVE-2020-12695) (Closes: #976106)
* WPS UPnP: Handle HTTP initiation failures for events more properly
(CVE-2020-12695) (Closes: #976106)
* P2P: Fix copying of secondary device types for P2P group client
(CVE-2021-0326) (Closes: #981971)
* P2P: Fix a corner case in peer addition based on PD Request
(CVE-2021-27803)
-- Salvatore Bonaccorso <email address hidden> Fri, 16 Apr 2021 15:07:06 +0200
-
wpa (2:2.7+git20190128+0c1e29f-6+deb10u2) buster; urgency=medium
* Apply upstream patches:
- Do not try to detect PSK mismatch during PTK rekeying.
Fixes the 4-way WPA handshake in some situations.
- Check for FT support when selecting FT suites.
Closes: #942164.
- Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length.
Fixes the MAC randomisation issue with some cards.
LP: #1867908.
-- Andrej Shadura <email address hidden> Tue, 24 Mar 2020 11:26:58 +0100
-
wpa (2:2.7+git20190128+0c1e29f-6+deb10u1) buster-security; urgency=medium
* SECURITY UPDATE:
- AP mode PMF disconnection protection bypass.
More details:
+ https://w1.fi/security/2019-7/
Closes: #940080 (CVE-2019-16275)
- Timing-based side-channel attack against WPA3's Dragonfly handshake
when using Brainpool curves.
More details:
+ https://w1.fi/security/2019-6/
+ https://wpa3.mathyvanhoef.com/
Closes: #934180 (CVE-2019-13377)
-- Andrej Shadura <email address hidden> Tue, 17 Sep 2019 11:58:08 +0200
-
wpa (2:2.7+git20190128+0c1e29f-6) unstable; urgency=medium
* Make sure the hostapd unit is masked when there’s no configuration
file available (Closes: #928948)
-- Andrej Shadura <email address hidden> Thu, 06 Jun 2019 15:16:29 +0200
-
wpa (2:2.7+git20190128+0c1e29f-5) unstable; urgency=high
* Fix security issue 2019-5:
- EAP-pwd message reassembly issue with unexpected fragment
(Closes: #927463, no CVE assigned).
-- Andrej Shadura <email address hidden> Fri, 26 Apr 2019 14:55:52 +0200
-
wpa (2:2.7+git20190128+0c1e29f-4) unstable; urgency=high
* Apply security fixes (Closes: #926801):
- CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
- CVE-2019-9495: EAP-pwd cache attack against ECC groups
- CVE-2019-9496: SAE confirm missing state validation
- CVE-2019-9497: EAP-pwd server not checking for reflection attack
- CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
- CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
For more details, see:
- https://w1.fi/security/2019-1/
- https://w1.fi/security/2019-2/
- https://w1.fi/security/2019-3/
- https://w1.fi/security/2019-4/
-- Andrej Shadura <email address hidden> Wed, 10 Apr 2019 19:00:22 +0200
-
wpa (2:2.7+git20190128+0c1e29f-3) unstable; urgency=medium
* Print the warning and exit after sourcing /lib/lsb/init-functions
(Closes: #924666).
* Recognise multiple configs in DAEMON_CONF and verify them all.
* Fix ENGINE support with OpenSSL 1.1+ (Closes: #924632).
-- Andrej Shadura <email address hidden> Fri, 15 Mar 2019 17:44:51 +0100
-
wpa (2:2.7+git20190128+0c1e29f-2) unstable; urgency=medium
* Apply an RFC patch to work around big endian keyidx.
This is likely to fix #919138, but more testing is needed.
-- Andrej Shadura <email address hidden> Tue, 19 Feb 2019 19:14:56 +0100
-
wpa (2:2.6-21) unstable; urgency=medium
* Fix a typo in the patch.
-- Andrej Shadura <email address hidden> Sat, 15 Dec 2018 17:38:19 +0100
-
wpa (2:2.6-18) unstable; urgency=high
* Fix NL80211_ATTR_SMPS_MODE encoding (Closes: #903952)
* SECURITY UPDATE:
- CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
(Closes: #905739)
-- Andrej Shadura <email address hidden> Wed, 08 Aug 2018 22:50:11 +0200
-
wpa (2:2.6-17) unstable; urgency=medium
* Fix get-orig-source so that it can produce pre-release snapshots.
* Remove dbus changes to StaAuthorized/StaDeauthorized after discussions
with the upstream.
-- Andrej Shadura <email address hidden> Fri, 08 Jun 2018 14:30:54 +0200
-
wpa (2:2.6-16) unstable; urgency=medium
* Fix README.Debian: MyNetWork, not NETBEER (Closes: #791333).
* Restart hostapd on a failure after 2s.
* Add a template for per-interface hostapd services (Closes: #889508).
* Merge a patch from Ubuntu:
- debian/patches/dbus-available-sta.patch: Make the list of connected
stations available on DBus for hotspot mode; along with some of the
station properties, such as rx/tx packets, bytes, capabilities, etc.
-- Andrej Shadura <email address hidden> Mon, 07 May 2018 15:32:41 +0200
-
wpa (2:2.6-15) unstable; urgency=medium
* Update debian/control:
- Update Maintainer field to point to $<email address hidden>
- Update Vcs-* fields to point to salsa.d.o
- Drop no longer active uploaders.
-- Andrew Shadura <email address hidden> Thu, 28 Dec 2017 11:26:28 +0100
-
wpa (2:2.4-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries
-- Yves-Alexis Perez <email address hidden> Mon, 16 Oct 2017 10:28:41 +0200
-
wpa (2:2.4-1+deb9u2) stretch; urgency=high
* SECURITY UPDATE:
- CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
(Closes: #905739)
-- Andrej Shadura <email address hidden> Thu, 09 Aug 2018 09:23:49 +0200
-
wpa (2:2.4-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries
-- Yves-Alexis Perez <email address hidden> Sat, 14 Oct 2017 14:18:32 +0200
-
wpa (2:2.4-1) unstable; urgency=medium
[ Vincent Danjean ]
* Build with libssl1.0-dev (Closes: #828601).
* Add an upstream patch to fix hostapd in SMPS mode (Closes: #854719).
[ Andrew Shadura ]
* Don't install debian/system-sleep/wpasupplicant (originally introduced
to fix LP: #1422143), it doesn't improve the state of the things,
introduces regressions in some cases, and at all isn't supposed to
work with how wpa-supplicant is started these days (Closes: #835648).
* Bump the epoch to 2:, so that we can set the upstream version to
what we really mean. It also has to be higher than 2.6 in unstable
and 1:2.6 (what hostapd binary package in unstable has).
* Drop the binary package epoch override.
-- Andrew Shadura <email address hidden> Mon, 20 Feb 2017 11:55:11 +0100
