-
wpa (2:2.10-21.1) unstable; urgency=medium
* Non-maintainer upload.
* Fix CVE-2023-52160 (Closes: #1064061):
The implementation of PEAP in wpa_supplicant allows
authentication bypass. For a successful attack,
wpa_supplicant must be configured to not verify
the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability
can then be abused to skip Phase 2 authentication.
The attack vector is sending an EAP-TLV Success packet
instead of starting Phase 2. This allows an adversary
to impersonate Enterprise Wi-Fi networks.
-- Bastien Roucariès <email address hidden> Sun, 28 Apr 2024 21:07:32 +0000
-
wpa (2:2.10-21) unstable; urgency=medium
[ Jan Van Buggenhout ]
* Work around missing /dev/stderr and /dev/stdout during early boot.
-- Andrej Shadura <email address hidden> Mon, 25 Dec 2023 10:47:06 +0100
-
wpa (2:2.10-20) unstable; urgency=medium
* Add a trailing newline to the patch series file.
-- Andrej Shadura <email address hidden> Sun, 10 Dec 2023 17:03:00 +0100
-
wpa (2:2.10-18) unstable; urgency=medium
* Use "command" when calling actual ifupdown and not its shell wrappers
(Closes: #1056976)
-- Andrej Shadura <email address hidden> Thu, 30 Nov 2023 10:01:49 +0100
-
wpa (2:2.10-17) unstable; urgency=medium
[ Guillem Jover ]
* Do not hardcode absolute pathnames to third-party commands.
* Fully move files from / to canonical /usr locations
(Closes: #1056976).
-- Andrej Shadura <email address hidden> Tue, 28 Nov 2023 13:24:46 +0100
-
wpa (2:2.10-16) unstable; urgency=medium
* Move binaries to /usr.
-- Andrej Shadura <email address hidden> Sun, 26 Nov 2023 12:01:06 +0000
-
wpa (2:2.10-15) unstable; urgency=medium
* Apply proposed upstream patch:
- Abort ongoing scan:
Along with canceling queued scan, abort ongoing scan if any, this
ensures Wi-Fi interface is in usable state after disconnect is issued,
else subsequent scan after disconnect might fail with EBUSY.
-- Andrej Shadura <email address hidden> Wed, 30 Aug 2023 14:28:29 +0200
-
wpa (2:2.10-14) unstable; urgency=medium
* Drop a patch with a missing dependency.
-- Andrej Shadura <email address hidden> Wed, 23 Aug 2023 00:37:01 +0200
-
wpa (2:2.10-12) unstable; urgency=medium
* Prevent hostapd units from being started if there’s
no config provided (Closes: #1028088).
* hostapd: Enable 802.11ax support (Closes: #1013732).
-- Andrej Shadura <email address hidden> Fri, 24 Feb 2023 14:01:35 +0100
-
wpa (2:2.10-11) unstable; urgency=medium
* Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
(Closes: #1011121, LP: #1958267)
* Drop dependency on lsb-base.
-- Andrej Shadura <email address hidden> Tue, 31 Jan 2023 12:58:02 +0100
-
wpa (2:2.10-10) unstable; urgency=medium
* Configure wpa_supplicant.service to create control sockets owned by group netdev
(Closes: #1012844)
-- Andrej Shadura <email address hidden> Wed, 21 Dec 2022 10:03:29 +0100
-
wpa (2:2.10-9) unstable; urgency=medium
[ Sebastien Bacher ]
* debian/patches/allow-legacy-renegotiation.patch:
Allow legacy renegotiation to fix PEAP issues with some servers
(Closes: #1010603, LP: #1962541)
-- Andrej Shadura <email address hidden> Thu, 05 May 2022 11:23:33 +0100
-
wpa (2:2.10-8) unstable; urgency=medium
* Pull the defconfig updates from the upstream’s Git.
* Add an upstream patch: AP: guard FT-SAE code with CONFIG_IEEE80211R_AP.
* Declare Breaks against NM without this patch (Closes: #1003907):
- supplicant: enable WPA3 transition mode only when interface supports PMF
-- Andrej Shadura <email address hidden> Sat, 09 Apr 2022 09:28:35 +0200
-
wpa (2:2.10-7) unstable; urgency=medium
* Support nodoc build profile.
* Disable OWE on kFreeBSD.
-- Andrej Shadura <email address hidden> Mon, 04 Apr 2022 16:56:16 +0200
-
wpa (2:2.10-6) unstable; urgency=medium
* Link against dl on kFreeBSD.
-- Andrej Shadura <email address hidden> Mon, 04 Apr 2022 15:04:12 +0200
-
wpa (2:2.10-5) unstable; urgency=medium
* Synchronise build configs with defconfigs.
* Disable options not compilable on kFreeBSD in kFreeBSD builds.
-- Andrej Shadura <email address hidden> Mon, 04 Apr 2022 13:59:59 +0200
-
wpa (2:2.10-4) unstable; urgency=medium
* Skip GUI build on kFreeBSD, not Hurd.
-- Andrej Shadura <email address hidden> Sat, 02 Apr 2022 17:25:31 +0200
-
wpa (2:2.10-2) unstable; urgency=medium
[ Ryutaroh Matsumoto ]
* Add reload support to the systemd unit files (Closes: #931554).
[ Michael Yartys ]
* Enable OCV in compile-time config.
[ Andrej Shadura ]
* Apply an upstream patch to fix broadcom-wl (Closes: #1004524).
Thanks to David Bauer for the patch.
-- Andrej Shadura <email address hidden> Wed, 02 Feb 2022 01:14:41 +0100
-
wpa (2:2.10-1) unstable; urgency=medium
* Upload to unstable.
* New upstream release.
-- Andrej Shadura <email address hidden> Mon, 17 Jan 2022 10:30:13 +0100
-
wpa (2:2.9.0-23) unstable; urgency=medium
* Implement driver fallback directly in wpa_supplicant.
Thanks to Kees Cook.
* Enable airtime policy support (Closes: #996742)
-- Andrej Shadura <email address hidden> Tue, 19 Oct 2021 10:35:00 +0200
-
wpa (2:2.9.0-22) unstable; urgency=medium
* Test systemctl is available before using it.
* hostapd.service: Do not repeat repeat yourself — remove the second
-B (Closes: #977703)
* Enable IPv6 support in eapol_test (Closes: #985912)
-- Andrej Shadura <email address hidden> Wed, 15 Sep 2021 16:27:12 +0100
-
wpa (2:2.9.0-21) unstable; urgency=high
* Fix typos in the package descriptions.
Thanks to Beatrice Torracca (Closes: #982673).
* SECURITY ISSUE:
- P2P: Fix a corner case in peer addition based on PD Request.
-- Andrej Shadura <email address hidden> Thu, 25 Feb 2021 22:19:14 +0100
-
wpa (2:2.9.0-20) unstable; urgency=medium
* Add IgnoreOnIsolate=yes to keep wpa-supplicant running while
systemctl isolate (LP: #1576024)
* Disable -Werror for eapol_test.
* Update descriptions of the packages.
* Prefer pkgconf to pkg-config.
* Set Rules-Requires-Root: no.
* Remove the unused system-sleep hook.
* Remove get-orig-source/uscan-hook.
* Use execute_before/execute_after instead of overrides in a few places.
* Update descriptions in init scripts and service files.
* Update wpasupplicant.README.Debian.
* Actually delete an old patch not accepted upstream.
-- Andrej Shadura <email address hidden> Fri, 12 Feb 2021 16:09:13 +0100
-
wpa (2:2.9.0-19) unstable; urgency=medium
* Replace proposed fixes with actual changes accepted upstream:
- WPS: Reconfigure credentials on hostapd config reload
- hostapd: Fix error message for radius_accept_attr config option
* Drop old lintian overrides.
* Move libwpa-client-dev to section libdevel.
* Drop old entries from debian/copyright.
-- Andrej Shadura <email address hidden> Fri, 12 Feb 2021 12:01:09 +0100
-
wpa (2:2.9.0-18) unstable; urgency=medium
* Apply upstream patches from Ubuntu (LP: #1879087, #1912609, #1893563):
- D-Bus: Move roam metrics to the correct interface
- nl80211: Unbreak mode processing due to presence of S1G band
- D-Bus: Allow changing an interface bridge via D-Bus
* Enable support for WPA-EAP-SUITE-B(-192) (Closes: #982548).
-- Andrej Shadura <email address hidden> Fri, 12 Feb 2021 11:31:57 +0100
-
wpa (2:2.9.0-17) unstable; urgency=medium
[ Salvatore Bonaccorso ]
* P2P: Fix copying of secondary device types for P2P group client
(CVE-2021-0326) (Closes: #981971).
-- Andrej Shadura <email address hidden> Sat, 06 Feb 2021 18:04:13 +0100
-
wpa (2:2.9.0-16) unstable; urgency=high
* Restrict eapoltest to linux-any kfreebsd-any.
* Add an upstream patch to fix a crash with a long P2P interface name
(Closes: #976091).
* Security fix: CVE-2020-12695.
A vulnerability in the UPnP SUBSCRIBE command can trigger the AP to
initiate a HTTP (TCP/IP) connection to an arbitrary URL or to trigger
misbehavior in hostapd and cause the process to either get terminated
or to start using more CPU resources.
The issue can also be mitigated by building hostapd without UPnP support
(CONFIG_WPS_UPNP=n) or disabling it at runtime by removing the upnp_iface
parameter.
(Closes: #976106)
* Refresh patches.
-- Andrej Shadura <email address hidden> Mon, 30 Nov 2020 10:02:04 +0100
-
wpa (2:2.9.0-15) unstable; urgency=medium
* Don’t fail the build on -Warray-bounds.
-- Andrej Shadura <email address hidden> Mon, 24 Aug 2020 14:21:02 +0200
-
wpa (2:2.9.0-13) unstable; urgency=medium
* Apply upstream patches:
- Avoid sending invalid mgmt frames at startup
- Increase introspection buffer size for D-Bus
-- Andrej Shadura <email address hidden> Tue, 19 May 2020 14:29:29 +0200
-
wpa (2:2.9.0-12) unstable; urgency=medium
* Add an upstream patch to fix the MAC randomisation issue with some cards
(LP: #1867908).
-- Andrej Shadura <email address hidden> Tue, 24 Mar 2020 11:13:16 +0100
-
wpa (2:2.9.0-11) unstable; urgency=medium
* Actually add autopkgtest for libwpa-client-dev and libwpa_test.c.
-- Andrej Shadura <email address hidden> Sat, 07 Mar 2020 13:18:19 +0100
-
wpa (2:2.9.0-10) unstable; urgency=medium
* Rename the package with the client library to libwpa-client-dev.
-- Andrej Shadura <email address hidden> Tue, 25 Feb 2020 20:19:52 +0100
-
wpa (2:2.9.0-9) unstable; urgency=medium
[ Terry Burton ]
* Build and install eapol_test in eapoltest package (Closes: #700870)
[ Didier Raboud ]
* Backport upstream patch to fix build with Debian's VERSION_STR.
[ Andrew Lee (李健秋) ]
* Build libwpa-dev binary package which contains a static
libwpa_client library and the wpa_ctrl header with an example program.
[ Andrej Shadura ]
* Add a patch to provide the BIT() macro locally in wpa_ctrl.h.
* Patch the example to use stddef.h and wpa_ctrl.h from the global location.
* Add an autopkgtest for libwpa-dev and libwpa_test.c.
-- Andrej Shadura <email address hidden> Tue, 25 Feb 2020 18:21:35 +0100
-
wpa (2:2.9.0-8) unstable; urgency=medium
* Reupload as 2.9.0 to undo an accidental experimental upload to unstable.
-- Andrej Shadura <email address hidden> Sat, 22 Feb 2020 11:25:29 +0300
-
wpa (2:2.9+git20200213+877d9a0-1) unstable; urgency=medium
* New upstream snapshot.
* Refresh patches.
-- Andrej Shadura <email address hidden> Sat, 15 Feb 2020 16:53:28 +0100
-
wpa (2:2.9-6) unstable; urgency=medium
[ Debian Janitor ]
* Use secure URI in Homepage field.
* Move source package lintian overrides to debian/source.
* Use canonical URL in Vcs-Browser.
* Rely on pre-initialized dpkg-architecture variables.
* Update standards version to 4.4.1, no changes needed.
[ Andrej Shadura ]
* Disable CONFIG_DRIVER_MACSEC_QCA on kfreebsd.
-- Andrej Shadura <email address hidden> Mon, 13 Jan 2020 16:28:58 +0100
-
wpa (2:2.9-5) unstable; urgency=medium
* Fix erroneously inverted logic in postinst.
-- Andrej Shadura <email address hidden> Mon, 13 Jan 2020 10:48:26 +0100
-
wpa (2:2.9-3) unstable; urgency=medium
* Add pkg.wpa.nogui and noudeb build profiles.
-- Andrej Shadura <email address hidden> Fri, 04 Oct 2019 11:47:15 +0200
-
wpa (2:2.9-1) unstable; urgency=high
* New upstream release (Closes: #934180):
- SECURITY UPDATE (CVE-2019-13377):
Timing-based side-channel attack against WPA3's Dragonfly handshake
when using Brainpool curves.
More details:
+ https://w1.fi/security/2019-6/
+ https://wpa3.mathyvanhoef.com/
* Drop a patch applied upstream.
* Update debian/watch.
-- Andrej Shadura <email address hidden> Thu, 08 Aug 2019 15:59:02 +0200
-
wpa (2:2.8-3) unstable; urgency=medium
* Upload to unstable.
* Apply upstream patch:
- Use a separate flag for 4-way handshake offload.
* Spelling: meny -> menu.
* Add lintian overrides for known issues.
-- Andrej Shadura <email address hidden> Thu, 11 Jul 2019 23:19:03 +0200
-
wpa (2:2.7+git20190128+0c1e29f-6+deb10u2) buster; urgency=medium
* Apply upstream patches:
- Do not try to detect PSK mismatch during PTK rekeying.
Fixes the 4-way WPA handshake in some situations.
- Check for FT support when selecting FT suites.
Closes: #942164.
- Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length.
Fixes the MAC randomisation issue with some cards.
LP: #1867908.
-- Andrej Shadura <email address hidden> Tue, 24 Mar 2020 11:26:58 +0100
-
wpa (2:2.7+git20190128+0c1e29f-6+deb10u1) buster-security; urgency=medium
* SECURITY UPDATE:
- AP mode PMF disconnection protection bypass.
More details:
+ https://w1.fi/security/2019-7/
Closes: #940080 (CVE-2019-16275)
- Timing-based side-channel attack against WPA3's Dragonfly handshake
when using Brainpool curves.
More details:
+ https://w1.fi/security/2019-6/
+ https://wpa3.mathyvanhoef.com/
Closes: #934180 (CVE-2019-13377)
-- Andrej Shadura <email address hidden> Tue, 17 Sep 2019 11:58:08 +0200
-
wpa (2:2.7+git20190128+0c1e29f-6) unstable; urgency=medium
* Make sure the hostapd unit is masked when there’s no configuration
file available (Closes: #928948)
-- Andrej Shadura <email address hidden> Thu, 06 Jun 2019 15:16:29 +0200
-
wpa (2:2.7+git20190128+0c1e29f-5) unstable; urgency=high
* Fix security issue 2019-5:
- EAP-pwd message reassembly issue with unexpected fragment
(Closes: #927463, no CVE assigned).
-- Andrej Shadura <email address hidden> Fri, 26 Apr 2019 14:55:52 +0200
-
wpa (2:2.7+git20190128+0c1e29f-4) unstable; urgency=high
* Apply security fixes (Closes: #926801):
- CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
- CVE-2019-9495: EAP-pwd cache attack against ECC groups
- CVE-2019-9496: SAE confirm missing state validation
- CVE-2019-9497: EAP-pwd server not checking for reflection attack
- CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
- CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
For more details, see:
- https://w1.fi/security/2019-1/
- https://w1.fi/security/2019-2/
- https://w1.fi/security/2019-3/
- https://w1.fi/security/2019-4/
-- Andrej Shadura <email address hidden> Wed, 10 Apr 2019 19:00:22 +0200
-
wpa (2:2.7+git20190128+0c1e29f-3) unstable; urgency=medium
* Print the warning and exit after sourcing /lib/lsb/init-functions
(Closes: #924666).
* Recognise multiple configs in DAEMON_CONF and verify them all.
* Fix ENGINE support with OpenSSL 1.1+ (Closes: #924632).
-- Andrej Shadura <email address hidden> Fri, 15 Mar 2019 17:44:51 +0100
-
wpa (2:2.7+git20190128+0c1e29f-2) unstable; urgency=medium
* Apply an RFC patch to work around big endian keyidx.
This is likely to fix #919138, but more testing is needed.
-- Andrej Shadura <email address hidden> Tue, 19 Feb 2019 19:14:56 +0100
-
wpa (2:2.7+git20190128+0c1e29f-1) unstable; urgency=medium
* Upload to unstable.
* New upstream snapshot 2.7+git20190128+0c1e29f.
* Add Files-Excluded to debian/copyright.
* Watch the upstream git.
* Refresh hostapd/wpasupplicant configs, enable CONFIG_GETRANDOM
(Closes: #914490)
-- Andrej Shadura <email address hidden> Tue, 29 Jan 2019 18:11:01 +0100
-
wpa (2:2.7-3) unstable; urgency=medium
* Upload to unstable.
* Refresh dbus-available-sta.patch from the upstream.
* Since we use Type=forking, pass -B to hostapd (Closes: #918861).
* Apply upstream fixes for 802.1X 4-way handshake offload.
* Bump Standards-Version to 4.3.0.
* Use debhelper-compat (= 12).
* Drop dh_systemd_enable calls and overrides.
* Move manual installs into .install as much as possible.
* Drop ancient preinst scripts.
* Add Pre-Depends to hostapd.
* Display a warning if DAEMON_CONF is not /etc/hostapd/hostapd.conf.
* Default to /etc/hostapd/hostapd.conf.
* Update README.Debian in hostapd.
-- Andrej Shadura <email address hidden> Fri, 11 Jan 2019 00:17:14 +0100
-
wpa (2:2.6-21) unstable; urgency=medium
* Fix a typo in the patch.
-- Andrej Shadura <email address hidden> Sat, 15 Dec 2018 17:38:19 +0100
-
wpa (2:2.6-19) unstable; urgency=medium
[ Ondřej Nový ]
* d/copyright: Use https protocol in Format field
* d/changelog: Remove trailing whitespaces
[ Andrej Shadura ]
* Re-enable TLSv1.0 and security level 1 for wpasupplicant.
(Closes: #907518, #911297).
* Modernise debian/rules.
-- Andrej Shadura <email address hidden> Sat, 15 Dec 2018 15:21:08 +0100
-
wpa (2:2.6-18) unstable; urgency=high
* Fix NL80211_ATTR_SMPS_MODE encoding (Closes: #903952)
* SECURITY UPDATE:
- CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
(Closes: #905739)
-- Andrej Shadura <email address hidden> Wed, 08 Aug 2018 22:50:11 +0200
-
wpa (2:2.6-17) unstable; urgency=medium
* Fix get-orig-source so that it can produce pre-release snapshots.
* Remove dbus changes to StaAuthorized/StaDeauthorized after discussions
with the upstream.
-- Andrej Shadura <email address hidden> Fri, 08 Jun 2018 14:30:54 +0200
-
wpa (2:2.6-16) unstable; urgency=medium
* Fix README.Debian: MyNetWork, not NETBEER (Closes: #791333).
* Restart hostapd on a failure after 2s.
* Add a template for per-interface hostapd services (Closes: #889508).
* Merge a patch from Ubuntu:
- debian/patches/dbus-available-sta.patch: Make the list of connected
stations available on DBus for hotspot mode; along with some of the
station properties, such as rx/tx packets, bytes, capabilities, etc.
-- Andrej Shadura <email address hidden> Mon, 07 May 2018 15:32:41 +0200
-
wpa (2:2.6-15) unstable; urgency=medium
* Update debian/control:
- Update Maintainer field to point to $<email address hidden>
- Update Vcs-* fields to point to salsa.d.o
- Drop no longer active uploaders.
-- Andrew Shadura <email address hidden> Thu, 28 Dec 2017 11:26:28 +0100
-
wpa (2:2.6-14) unstable; urgency=medium
* Replace the PEM fix patch by Lukasz Siudut with an upstream patch.
Thanks to David Benjamin <email address hidden>.
* Apply patches from Beniamino Galvani:
- Fix race condition in detecting MAC address change
- Update MAC address when driver detects a change
* Disable WNM to resolve a compatibility issue with wl.
Thanks to YOSHINO Yoshihito <email address hidden>.
Hopefully really closes: #833507.
-- Andrew Shadura <email address hidden> Thu, 28 Dec 2017 09:51:29 +0100
-
wpa (2:2.6-13) unstable; urgency=medium
* Fix a typo in functions.sh (Closes: #883659).
-- Andrew Shadura <email address hidden> Thu, 07 Dec 2017 18:24:27 +0100
-
wpa (2:2.6-12) unstable; urgency=medium
* Add wl to the blacklist for MAC randomisation. (Closes: #833507)
* Blacklist an out-of-tree driver for Realtek RTL8188EU too.
-- Andrew Shadura <email address hidden> Tue, 05 Dec 2017 12:32:27 +0100
-
wpa (2:2.6-11) unstable; urgency=medium
* Unbreak EAP-TLS.
Thanks to Dmitry Borodaenko <email address hidden>
-- Andrew Shadura <email address hidden> Thu, 30 Nov 2017 11:21:43 +0100
-
wpa (2:2.6-10) unstable; urgency=medium
* Mask hostapd every time it has no valid configuration.
-- Andrew Shadura <email address hidden> Tue, 28 Nov 2017 12:28:13 +0100
-
wpa (2:2.6-8) unstable; urgency=medium
* Revert "Build wpa_supplicant with interface matching support."
(Closes: #882716).
* Drop override_dh_builddeb.
* Use dh 10.
* Prevent hostapd from failing on the package install when there
isn't a valid configuration file yet (Closes: #882740):
- Don't enable hostapd.service by default.
- Mask hostapd.service on the first install.
-- Andrew Shadura <email address hidden> Sun, 26 Nov 2017 19:38:57 +0000
-
wpa (2:2.6-7) unstable; urgency=medium
* Upload to unstable.
* Optional AP side workaround for key reinstallation attacks (LP: #1730399).
-- Andrew Shadura <email address hidden> Fri, 24 Nov 2017 16:29:25 +0000
-
wpa (2:2.4-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries
-- Yves-Alexis Perez <email address hidden> Mon, 16 Oct 2017 10:28:41 +0200
-
wpa (2:2.4-1+deb9u2) stretch; urgency=high
* SECURITY UPDATE:
- CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
(Closes: #905739)
-- Andrej Shadura <email address hidden> Thu, 09 Aug 2018 09:23:49 +0200
-
wpa (2:2.4-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries
-- Yves-Alexis Perez <email address hidden> Sat, 14 Oct 2017 14:18:32 +0200
-
wpa (2:2.4-1) unstable; urgency=medium
[ Vincent Danjean ]
* Build with libssl1.0-dev (Closes: #828601).
* Add an upstream patch to fix hostapd in SMPS mode (Closes: #854719).
[ Andrew Shadura ]
* Don't install debian/system-sleep/wpasupplicant (originally introduced
to fix LP: #1422143), it doesn't improve the state of the things,
introduces regressions in some cases, and at all isn't supposed to
work with how wpa-supplicant is started these days (Closes: #835648).
* Bump the epoch to 2:, so that we can set the upstream version to
what we really mean. It also has to be higher than 2.6 in unstable
and 1:2.6 (what hostapd binary package in unstable has).
* Drop the binary package epoch override.
-- Andrew Shadura <email address hidden> Mon, 20 Feb 2017 11:55:11 +0100
-
wpa (2.6-3) unstable; urgency=medium
* Cherry-pick the following patches from the upstream:
- WPS: Force BSSID for WPS provisioning step connection
- Check for NULL qsort() base pointers
- Always propagate scan results to all interfaces
- wpa_supplicant: Restore permanent MAC address on reassociation
- nl80211: Update channel information after channel switch notification
- Extend ieee80211_freq_to_channel_ext() to cover channels 52-64
- Use estimated throughput to avoid signal based roaming decision
- Use random MAC address for scanning only in non-connected state
-- Andrew Shadura <email address hidden> Thu, 26 Jan 2017 17:53:41 +0100
-
wpa (2.6-2) unstable; urgency=medium
* Upload to unstable.
* Restore the patch descriptions.
* Don't install debian/system-sleep/wpasupplicant (originally introduced
to fix LP: #1422143), it doesn't improve the state of the things,
introduces regressions in some cases, and at all isn't supposed to
work with how wpa-supplicant is started these days.
-- Andrew Shadura <email address hidden> Tue, 20 Dec 2016 21:50:26 +0100
-
wpa (2.5-2+v2.4-3) unstable; urgency=medium
[ Helmut Grohne ]
* Address FTCBFS: Set PKG_CONFIG (Closes: #836074).
[ Andrew Shadura ]
* Don't run wpa_cli suspend/resume if /run/wpa_supplicant isn't around
(Closes: #835648).
-- Andrew Shadura <email address hidden> Wed, 14 Sep 2016 11:11:01 +0200
-
wpa (2.5-2+v2.4-2) unstable; urgency=medium
* Apply patches from upstream to unbreak dedicated P2P Device support
(closes: #833402).
* Reapply an accidentally lost patch to fix pkcs11 OpenSSL engine
initialisation (Closes: #827253).
* Retroactively redact the last changelog entry to represent the actual
upload more accurately.
-- Andrew Shadura <email address hidden> Tue, 09 Aug 2016 20:11:27 +0200
-
wpa (2.5-2+v2.4-1) unstable; urgency=medium
[ Ricardo Salveti de Araujo ]
* debian/patches/dbus-fix-operations-for-p2p-mgmt.patch: fix operations
when P2P management interface is used (LP: #1482439)
[ Stefan Lippers-Hollmann ]
* wpasupplicant: install systemd unit (Closes: #766746).
* wpasupplicant: configure driver fallback for networkd.
* import changelogs from the security queues.
* move previous patch for CVE-2015-1863 into a new subdirectory,
debian/patches/2015-1/.
* replace the Debian specific patch "wpasupplicant: fix systemd unit
dependencies" with a backport of its official upstream change "systemd:
Order wpa_supplicant before network.target".
* fix dependency odering when invoked with DBus, by making sure that DBus
isn't shut down before wpa_supplicant, as that would also bring down
wireless links which are still holding open NFS shares. Thanks to Facundo
Gaich <email address hidden> and Michael Biebl <email address hidden>
(Closes: #785579).
* import NMU changelogs and integrate NMU changes.
* Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore
Bonaccorso <email address hidden> (Closes: #823411):
- WPS: Reject a Credential with invalid passphrase
- Reject psk parameter set with invalid passphrase character
- Remove newlines from wpa_supplicant config network output
- Reject SET_CRED commands with newline characters in the string values
- Reject SET commands with newline characters in the string values
* use --buildsystem=qmake_qt4 (available since dh 8.9.1) for debhelper
(Closes: #823171).
* fix clean target, by splitting the find call into individual searches.
* building wpa in a current unstable chroot using debhelper >= 9.20151219
will introduce automatic dbgsym packages, thereby indirectly providing
the requested debug packages for stretch and upwards (Closes: #729934).
Don't add a versioned build-dependency in order to avoid unnecessary
complications with backports.
* change Vcs-Browser location to prefer https, but keep the unsecure tag for
Vcs-Svn, as there is no option allowing to pull from the svn+ssh://
location without an alioth account, this only makes lintian partially happy
in regards to vcs-field-uses-insecure-uri.
* debian/*: fix spelling errors noticed by lintian.
* drop the obsolete Debian menu entry for wpa_gui, according to the tech-ctte
decision on #741573.
* fix debian/get-orig-source for wpa 2.6~.
* add debian/watch file for the custom tarball generation.
[ Paul Donohue ]
* debian/ifupdown/functions.sh: Fix handling for "wpa-roam". Call ifquery
instead of directly parsing /run/*/ifstate files to work with current
ifupdown. (Closes: #545766, LP: #1545363)
[ Martin Pitt ]
* Add debian/system-sleep/wpasupplicant: Call wpa_cli suspend/resume
before/after suspend, like the pm-utils hook. In some cases this brings
back missing Wifi connection after resuming. (LP: #1422143)
[ Andrew Shadura ]
* New upstream release (Closes: #806889).
* Refresh patches, drop patches applied upstream.
* Fix pkcs11 OpenSSL engine initialisation (Closes: #827253).
* Update Vcs-* to point to Git.
-- Andrew Shadura <email address hidden> Fri, 05 Aug 2016 20:45:14 +0200
-
wpa (2.5-2) unstable; urgency=medium
* Apply patches from upstream to unbreak dedicated P2P Device support
(hopefully closes: #833402).
-- Andrew Shadura <email address hidden> Thu, 04 Aug 2016 11:17:37 +0300
-
wpa (2.5-1) unstable; urgency=medium
[ Stefan Lippers-Hollmann ]
* wpasupplicant: install systemd unit (Closes: #766746).
* wpasupplicant: configure driver fallback for networkd.
* import changelogs from the security queues.
* move previous patch for CVE-2015-1863 into a new subdirectory,
debian/patches/2015-1/.
* fix dependency ordering when invoked with DBus, by making sure that DBus
isn't shut down before wpa_supplicant, as that would also bring down
wireless links which are still holding open NFS shares. Thanks to Facundo
Gaich <email address hidden> and Michael Biebl <email address hidden>
(Closes: #785579).
* import NMU changelogs and integrate NMU changes.
* Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore
Bonaccorso <email address hidden> (Closes: #823411):
- WPS: Reject a Credential with invalid passphrase
- Reject psk parameter set with invalid passphrase character
- Remove newlines from wpa_supplicant config network output
- Reject SET_CRED commands with newline characters in the string values
- Reject SET commands with newline characters in the string values
* use --buildsystem=qmake_qt4 (available since dh 8.9.1) for debhelper
(Closes: #823171).
* fix clean target, by splitting the find call into individual searches.
* building wpa in a current unstable chroot using debhelper >= 9.20151219
will introduce automatic dbgsym packages, thereby indirectly providing
the requested debug packages for stretch and upwards (Closes: #729934).
Don't add a versioned build-dependency in order to avoid unnecessary
complications with backports.
* change Vcs-Browser location to prefer https
* debian/*: fix spelling errors noticed by lintian.
* drop the obsolete Debian menu entry for wpa_gui, according to the tech-ctte
decision on #741573.
* fix debian/get-orig-source for wpa 2.6~.
* add debian/watch file for the custom tarball generation.
[ Paul Donohue ]
* debian/ifupdown/functions.sh: Fix handling for "wpa-roam". Call ifquery
instead of directly parsing /run/*/ifstate files to work with current
ifupdown. (Closes: #545766, LP: #1545363)
[ Martin Pitt ]
* Add debian/system-sleep/wpasupplicant: Call wpa_cli suspend/resume
before/after suspend, like the pm-utils hook. In some cases this brings
back missing Wifi connection after resuming. (LP: #1422143)
[ Andrew Shadura ]
* New upstream release (Closes: #806889).
* Refresh patches, drop patches applied upstream.
* Fix pkcs11 OpenSSL engine initialisation (Closes: #827253).
* Update Vcs-* to point to Git.
-- Andrew Shadura <email address hidden> Sun, 31 Jul 2016 18:05:59 +0300
-
wpa (2.3-2.4) unstable; urgency=medium
* Non-maintainer upload.
* Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to
Salvatore Bonaccorso <email address hidden> (Closes: #823411):
- WPS: Reject a Credential with invalid passphrase
- Reject psk parameter set with invalid passphrase character
- Remove newlines from wpa_supplicant config network output
- Reject SET_CRED commands with newline characters in the string values
- Reject SET commands with newline characters in the string values
* Refresh patches to apply cleanly.
-- Andrew Shadura <email address hidden> Thu, 21 Jul 2016 09:01:51 +0200
-
wpa (2.3-2.3) unstable; urgency=high
* Non-maintainer upload.
* Add patch to address CVE-2015-5310.
CVE-2015-5310: wpa_supplicant unauthorized WNM Sleep Mode GTK control.
(Closes: #804707)
* Add patches to address CVE-2015-5314 and CVE-2015-5315.
CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
validation. (Closes: #804708)
* Add patch to address CVE-2015-5316.
CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
message. (Closes: #804710)
-- Salvatore Bonaccorso <email address hidden> Thu, 12 Nov 2015 20:54:12 +0100
-
wpa (2.3-2.2) unstable; urgency=high
* Non-maintainer upload.
* Add patch to address CVE-2015-4141.
CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer
encoding. (Closes: #787372)
* Add patch to address CVE-2015-4142.
CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing.
(Closes: #787373)
* Add patches to address CVE-2015-414{3,4,5,6}
CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146: EAP-pwd missing
payload length validation. (Closes: #787371)
* Add patch to address 2015-5 vulnerability.
NFC: Fix payload length validation in NDEF record parser (Closes: #795740)
* Thanks to Julian Wollrath <email address hidden> for the initial debdiff
provided in #787371.
-- Salvatore Bonaccorso <email address hidden> Sat, 31 Oct 2015 14:13:50 +0100
-
wpa (2.3-2.1) unstable; urgency=medium
* Non-maintainer upload.
* Import four patches from upstream git (wpasupplicant_band_selection_*.patch),
manually unfuzzed, to improve 2.4/5 GHz band selection. (Closes: #795722)
-- Steinar H. Gunderson <email address hidden> Sun, 30 Aug 2015 14:47:56 +0200
-
wpa (2.3-2) unstable; urgency=high
* remove Kel Modderman from Uploaders as per his request, many thanks for
all past efforts Kel.
* fix systemd unit dependencies for wpasupplicant, it needs to be started
before the network target (Closes: 780552), many thanks to Michael Biebl
<email address hidden> for reporting and suggesting the patch.
* hostapd: avoid segfault with driver=wired, by merging upstream commit
e9b783d58c23a7bb50b2f25bce7157f1f3b5d58b "Fix hostapd operation without
hw_mode driver data."
* import "P2P: Validate SSID element length before copying it
(CVE-2015-1863)" from upstream (Closes: #783148).
-- Stefan Lippers-Hollmann <email address hidden> Thu, 23 Apr 2015 05:02:21 +0200
-
wpa (2.3-1+deb8u4) jessie; urgency=medium
* Non-maintainer upload.
* Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to
Salvatore Bonaccorso <email address hidden> (Closes: #823411):
- WPS: Reject a Credential with invalid passphrase
- Reject psk parameter set with invalid passphrase character
- Remove newlines from wpa_supplicant config network output
- Reject SET_CRED commands with newline characters in the string values
- Reject SET commands with newline characters in the string values
* Refresh patches to apply cleanly.
-- Andrew Shadura <email address hidden> Thu, 21 Jul 2016 09:01:51 +0200
-
wpa (2.3-1+deb8u3) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* Add CVE-2015-5314.patch patch.
CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
* Add CVE-2015-5315.patch patch.
CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
validation.
* Add CVE-2015-5316.patch patch.
CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
message.
-- Salvatore Bonaccorso <email address hidden> Sat, 07 Nov 2015 16:05:23 +0100
-
wpa (2.3-1+deb8u1) jessie-security; urgency=high
* import "P2P: Validate SSID element length before copying it
(CVE-2015-1863)" from upstream (Closes: #783148).
-- Stefan Lippers-Hollmann <email address hidden> Thu, 23 Apr 2015 19:32:29 +0200
-
wpa (2.3-1) unstable; urgency=medium
* New upstream release:
- fixed by the new upstream version:
+ wpa: arbitrary command execution via action scripts (Closes: #765352).
wpasupplicant: fixed wpa_cli action script execution to use more
robust mechanism (CVE-2014-3686).
hostapd: fixed hostapd_cli action script execution to use more robust
mechanism (CVE-2014-3686).
+ wpasupplicant: MAC addressing changing broken after updating to 2.2-1
(Closes: #763775).
+ drop ap_config_c_fix-typo-for-capabilities, applied upstream.
- backport "Include ieee802_11_common.c in wpa_supplicant build
unconditionally" from HEAD, to fix a newly introduced FTBS on, at least,
kfreebsd.
* bump standards version to 3.9.6, no changes necessary.
-- Stefan Lippers-Hollmann <email address hidden> Tue, 14 Oct 2014 21:29:37 +0200
-
wpa (2.2-1) unstable; urgency=medium
* New upstream release:
- import suggested changes from Gerald Turner <email address hidden> (see
#718651 for details).
+ disable ACS for hostapd on kfreebsd-any (FTBS).
- fixed by the new upstream version:
+ wpa_supplicant: OpenSSL: tls_connection_handshake - Failed to read
(Closes: #561081).
+ wpasupplicant: new upstream release 2.2 (Closes: #718651).
+ wpasupplicant: -s option not documented in man page (Closes: #608135).
- refresh patches:
+ drop 13_human_readable_signal.patch, applied upstream.
+ drop hostapd_fix-WDS-VLAN-bridge-handling.patch, applied upstream.
+ drop fix-spelling-s-algorith-algorithm.patch, applied upstream.
- adapt build configs for hostapd/ wpa_supplicant 2.2:
+ sync with updated upstream defconfigs.
+ keep Hotspot 2.0 support disabled for the time being.
+ hostapd: keep sqlite3 support disabled for the time being.
- update debian/copyright manually, the wpa v2 branch was relicensed from
(BSD-3-clause || GPL-2) to BSD-3-clause only (for the most part). This
doesn't change the licensing state as the BSD-3-clause license is
compatible with GPL-2.
* drop pre-wheezy /lib/init/rw/sendsigs.omit.d/ migration support, invert the
versioned initscripts dependency to a versioned breaks relation.
* migrate from /var/run/ to /run/.
* adapt get-orig-source for wpa 2.2.
* drop version qualifiers for libnl3 build dependencies, as they're
fullfilled by wheezy.
* drop version qualifiers for the lsb-base build dependency, as they're
fullfilled by squeeze.
* shorten short description for hostapd.
* sort debian/control entries.
* make lintian happy (invalid-short-name-in-dep5-copyright bsd) and call it
BSD-3-clause.
* enable DEBUG_SYSLOG and set DEBUG_SYSLOG_FACILITY=LOG_DAEMON, as requested
by Cyril Brulebois <email address hidden> to improve logging options for d-i and
netcfg (Closes: #761922).
* fix various typos around "existence", thanks to A. Costa <email address hidden>,
(Closes: #683636).
* ap_config.c: fix typo for "capabilities".
* remove no longer required lintian override (spelling-error-in-binary for
the).
-- Stefan Lippers-Hollmann <email address hidden> Wed, 17 Sep 2014 04:52:36 +0200
-
wpa (1.1-1) unstable; urgency=medium
* New upstream release:
- drop 11_wpa_gui_ftbfs_gcc_4_7, applied upstream.
- drop EAP-TLS-server_fix-TLS-Message-length-validation, applied upstream.
- fixes:
- EAP access point constantly roaming with proactive key caching
(Closes: #711063).
* enable IBSS RSN, thanks to Nicolas Cavallari <email address hidden>
(Closes: #678147).
* enable simple AP support for wpasupplicant, thanks to Patrik Flykt
<email address hidden> (Closes: #690536).
* use the readline6, wpa_cli doesn't link to openssl.
* link with --as-needed.
* compress binaries with xz.
* debian/get-orig-source: switch to xz compressed upstream tarballs.
* debian/get-orig-source: adapt for the post 1.x upstream branch.
* debian/get-orig-source: support named snapshots, see debian/README.source
for detailed syntax and semantics.
* debian/README.source: explain fetching git snapshots by specifying their
git hash.
* debian/README.source: update to match current reality and apply grammar
fixes.
* debian/README.source: drop trailing whitespace.
* fix hardening flags, thanks a lot to Florent Daigniere
<email address hidden> (Closes: #725865).
* debian/control: fold dependencies.
* bump standards version to 3.9.5, no changes necessary.
* reflect reality and adapt the maintainer mail address not to claim
representing Ubuntu.
* drop wheezy-specific comments in the configuration files.
* glob 'wpa-password' as well and hide its debugging output, this hopefully
closes: #728092.
* enable EAP-FAST, openssl in Debian is now new enough (Closes: #685685).
* update to new alioth URIs (vcs-field-not-canonical).
* add Keywords entry for desktop files (desktop-entry-lacks-keywords-entry).
* functions.sh: s/particuarly/particularly/, thanks to Vincent Lefevre
<email address hidden> (Closes: #734422).
* fix FTBS using gcc-4.8 by linking with -ldl on kfreebsd-any; the udeb
packages don't provide EAP support and are therefore unaffected. This is
already accounted for by the upstream Makefile, however wrongly depending
on !CONFIG_DRIVER_BSD, while it is actually depending on the target libc
rather than the kernel (Closes: #737465). Thanks to Cyril Brulebois
<email address hidden> and Steven Chamberlain <email address hidden>.
* import "hostapd: Fix WDS VLAN bridge handling" by Felix Fietkau
<email address hidden> from upstream, thanks to Mark Hindley
<email address hidden> (Closes: #737109).
* drop build-conflicts with libqt3-dev as the package is no longer available
>= lenny, thanks to Michael Biebl <email address hidden>.
* drop pre-dependency on dpkg (>= 1.15.6~), data.tar.xz-member-without-dpkg-
pre-depends is no longer a problem after Ubuntu lucid is EOL. Thanks to
Michael Biebl for noticing.
* drop build-dependency on libdbus-glib-1-dev, it is no longer required for
dbus-binding-tool, thanks to Michael Biebl.
* allow parallel building.
* fix spelling s/algorith/algorithm/.
* add lintian overrides for false positive spelling complaints.
-- Stefan Lippers-Hollmann <email address hidden> Fri, 21 Feb 2014 01:07:28 +0100
-
wpa (1.0-3.1) unstable; urgency=low
* Non-Maintainer Upload
* enable IBSS RSN, thanks to Nicolas Cavallari <email address hidden>
(Closes: #678147).
-- Daniel Kahn Gillmor <email address hidden> Thu, 05 Dec 2013 13:56:15 -0500
-
wpa (1.0-3+deb7u1) wheezy-security; urgency=high
* Apply upstream patches for CVE-2014-3686 (Closes: #765352):
- add os_exec() helper to run external programs
- wpa_cli: Use os_exec() for action script execution
- hostapd_cli: Use os_exec() for action script execution
-- Stefan Lippers-Hollmann <email address hidden> Wed, 15 Oct 2014 23:32:54 +0200
-
wpa (1.0-3) unstable; urgency=high
* ship forgotten README-P2P.
* revert to GNU readline for wpa_cli, instead of using the internal readline
implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
is GPL-2 (only) - switching back to the internal readline implementation is
targeted for wheezy+1 (Closes: #677993, #678077).
* Fix DoS via specially crafted EAP-TLS messages with longer message
length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
-- Stefan Lippers-Hollmann <email address hidden> Mon, 08 Oct 2012 17:48:04 +0200
-
wpa (1.0-2) unstable; urgency=low
* Really enable hardened build flags, thanks Simon Ruderich
<email address hidden>. (Closes: #657332)
* Do not suppress compilation output, set V=1.
-- Kel Modderman <email address hidden> Mon, 14 May 2012 06:39:13 +1000
-
wpa (1.0-1) unstable; urgency=low
[ Stefan Lippers-Hollmann ]
* New upstream release, no code changes since 1.0~rc3.
* upload to unstable, to fix FTBS with gcc-4.7.
* update debian/README.source.
[ Kel Modderman ]
* No longer explicitly add --as-needed to LDFLAGS, it is no longer
required since wpa_cli stopped linking to libreadline (WPA_CLI_EDIT=y).
-- Kel Modderman <email address hidden> Fri, 11 May 2012 13:58:51 +1000
