-
wpa (2:2.6-15ubuntu2.8) bionic-security; urgency=medium
* SECURITY UPDATE: DoS and possible code execution via P2P provision
discovery requests
- debian/patches/CVE-2021-27803.patch: fix a corner case in peer
addition based on PD Request in src/p2p/p2p_pd.c.
- CVE-2021-27803
-- Marc Deslauriers <email address hidden> Mon, 01 Mar 2021 08:45:44 -0500
-
wpa (2:2.6-15ubuntu2.7) bionic-security; urgency=medium
* SECURITY UPDATE: P2P discovery heap overflow
- debian/patches/CVE-2021-0326.patch: P2P: Fix copying of secondary
device types for P2P group client
- CVE-2021-0326
* SECURITY UPDATE: UPnP SUBSCRIBE misbehavior in WPS AP
- debian/patches/CVE-2020-12695-1.patch: WPS UPnP: Do not allow
event subscriptions with URLs to other networks
- debian/patches/CVE-2020-12695-2.patch: WPS UPnP: Fix event message
generation using a long URL path
- debian/patches/CVE-2020-12695-3.patch: WPS UPnP: Handle HTTP
initiation failures for events more properly
- CVE-2020-12695
-- Steve Beattie <email address hidden> Tue, 09 Feb 2021 22:30:21 -0800
-
wpa (2:2.6-15ubuntu2.6) bionic; urgency=medium
* debian/patches/fix-dbus-getall-request.patch:
- update to a fixed version of the patch to not error out when not
in AP mode, thanks Michael Nazzareno Trimarchi (lp: #1899262)
-- Sebastien Bacher <email address hidden> Wed, 11 Nov 2020 10:50:58 +0100
-
wpa (2:2.6-15ubuntu2.5) bionic-security; urgency=medium
* SECURITY UPDATE: Incorrect indication of disconnection in certain
situations
- debian/patches/CVE-2019-16275.patch: silently ignore management
frame from unexpected source address in src/ap/drv_callbacks.c,
src/ap/ieee802_11.c.
- CVE-2019-16275
-- <email address hidden> (Leonidas S. Barbosa) Tue, 17 Sep 2019 08:45:06 -0300
-
wpa (2:2.6-15ubuntu2.4) bionic-security; urgency=medium
* SECURITY UPDATE: SAE/EAP-pwd side-channel attack w/Brainpool curves
- debian/patches/CVE-2019-13377-2.patch: use const_time_memcmp() for
pwd_value >= prime comparison in src/eap_common/eap_pwd_common.c.
- debian/patches/CVE-2019-13377-3.patch: use BN_bn2binpad() or
BN_bn2bin_padded() if available in src/crypto/crypto_openssl.c.
- debian/patches/CVE-2019-13377-5.patch: run through prf result
processing even if it >= prime in src/eap_common/eap_pwd_common.c.
- debian/patches/CVE-2019-13377-pre6.patch: disallow ECC groups with a
prime under 256 bits in src/eap_common/eap_pwd_common.c.
- debian/patches/CVE-2019-13377-6.patch: disable use of groups using
Brainpool curves in src/eap_common/eap_pwd_common.c.
- CVE-2019-13377
-- Marc Deslauriers <email address hidden> Tue, 13 Aug 2019 14:07:43 -0400
-
wpa (2:2.6-15ubuntu2.3) bionic-security; urgency=medium
* SECURITY UPDATE: EAP-pwd DoS via unexpected fragment
- debian/patches/CVE-2019-11555-1.patch: fix reassembly buffer handling
in src/eap_server/eap_server_pwd.c.
- debian/patches/CVE-2019-11555-2.patch: fix reassembly buffer handling
in src/eap_peer/eap_pwd.c.
- CVE-2019-11555
-- Marc Deslauriers <email address hidden> Wed, 01 May 2019 09:58:51 -0400
-
wpa (2:2.6-15ubuntu2.2) bionic-security; urgency=medium
* SECURITY UPDATE: Multiple security issues
- debian/patches/VU-871675/*.patch: backported upstream patches.
- CVE-2019-9495
- CVE-2019-9497
- CVE-2019-9498
- CVE-2019-9499
-- Marc Deslauriers <email address hidden> Mon, 08 Apr 2019 14:19:24 -0400
-
wpa (2:2.6-15ubuntu2.1) bionic-security; urgency=medium
* SECURITY UPDATE: Expose sensitive information
- debian/patches/CVE-2018-14526.patch: fix in src/rsn_supp/wpa.c.
- CVE-2018-14526
-- <email address hidden> (Leonidas S. Barbosa) Thu, 09 Aug 2018 11:34:33 -0300
-
wpa (2:2.6-15ubuntu2) bionic; urgency=high
* No change rebuild against openssl1.1.
-- Dimitri John Ledkov <email address hidden> Mon, 05 Feb 2018 16:55:53 +0000
-
wpa (2:2.6-15ubuntu1) bionic; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/wpa_service_ignore-on-isolate.patch: add
IgnoreOnIsolate=yes so that switching "runlevels" in oem-config
will not kill off wpa and cause wireless to be unavailable on first
boot.
- debian/patches/session-ticket.patch: disable the TLS Session Ticket
extension to fix auth with 802.1x PEAP on some hardware.
- debian/patches/android_hal_fw_path_change.patch: add a DBus method
for requesting a firmware change when working with the Android HAL;
this is used to set a device in P2P or AP mode; conditional to
CONFIG_ANDROID_HAL being enabled.
- debian/config/wpasupplicant/linux: enable CONFIG_ANDROID_HAL.
- debian/control: Build-Depends on android-headers to get the required
wifi headers for the HAL support.
- debian/patches/dbus-available-sta.patch: Make the list of connected
stations available on DBus for hotspot mode; along with some of the
station properties, such as rx/tx packets, bytes, capabilities, etc.
* Updated debian/patches/dbus-available-sta.patch for new getter API
and refreshed other patches.
wpa (2:2.6-15) unstable; urgency=medium
* Update debian/control:
- Update Maintainer field to point to $<email address hidden>
- Update Vcs-* fields to point to salsa.d.o
- Drop no longer active uploaders.
wpa (2:2.6-14) unstable; urgency=medium
* Replace the PEM fix patch by Lukasz Siudut with an upstream patch.
Thanks to David Benjamin <email address hidden>.
* Apply patches from Beniamino Galvani:
- Fix race condition in detecting MAC address change
- Update MAC address when driver detects a change
* Disable WNM to resolve a compatibility issue with wl.
Thanks to YOSHINO Yoshihito <email address hidden>.
Hopefully really closes: #833507.
wpa (2:2.6-13) unstable; urgency=medium
* Fix a typo in functions.sh (Closes: #883659).
wpa (2:2.6-12) unstable; urgency=medium
* Add wl to the blacklist for MAC randomisation. (Closes: #833507)
* Blacklist an out-of-tree driver for Realtek RTL8188EU too.
wpa (2:2.6-11) unstable; urgency=medium
* Unbreak EAP-TLS.
Thanks to Dmitry Borodaenko <email address hidden>
wpa (2:2.6-10) unstable; urgency=medium
* Mask hostapd every time it has no valid configuration.
wpa (2:2.6-9) unstable; urgency=medium
* Tell NetworkManager to not touch MAC addresses on unsupported drivers.
Hopefully, this will fix #849077.
wpa (2:2.6-8) unstable; urgency=medium
* Revert "Build wpa_supplicant with interface matching support."
(Closes: #882716).
* Drop override_dh_builddeb.
* Use dh 10.
* Prevent hostapd from failing on the package install when there
isn't a valid configuration file yet (Closes: #882740):
- Don't enable hostapd.service by default.
- Mask hostapd.service on the first install.
wpa (2:2.6-7) unstable; urgency=medium
* Upload to unstable.
* Optional AP side workaround for key reinstallation attacks (LP: #1730399).
wpa (2:2.6-6) experimental; urgency=medium
[ Reiner Herrmann ]
* Port wpa_gui to Qt5 (Closes: #875233).
[ Andrew Shadura ]
* Add a service file for hostapd.
* Build wpa_supplicant with interface matching support (Closes: #879208).
[ Benedikt Wildenhain (BO) ]
* Install wpa_supplicant-wired@.service (Closes: #871488).
[ Jan-Benedict Glaw ]
* Consider all ifupdown configuration, not only /etc/network/interfaces
(Closes: #853293).
wpa (2:2.6-5) experimental; urgency=medium
[ Yves-Alexis Perez ]
* Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries
wpa (2:2.6-4) experimental; urgency=medium
* Upload to experimental.
* Bump the epoch to 2:, as the upload to unstable had to bump epoch.
-- Julian Andres Klode <email address hidden> Thu, 18 Jan 2018 19:47:17 +0100
-
wpa (2:2.4-1.1ubuntu1) bionic; urgency=medium
* Merge with Debian unstable; remaining changes:
- debian/patches/wpa_service_ignore-on-isolate.patch: add
IgnoreOnIsolate=yes so that switching "runlevels" in oem-config
will not kill off wpa and cause wireless to be unavailable on first
boot.
- debian/patches/session-ticket.patch: disable the TLS Session Ticket
extension to fix auth with 802.1x PEAP on some hardware.
- debian/patches/android_hal_fw_path_change.patch: add a DBus method
for requesting a firmware change when working with the Android HAL;
this is used to set a device in P2P or AP mode; conditional to
CONFIG_ANDROID_HAL being enabled.
- debian/config/wpasupplicant/linux: enable CONFIG_ANDROID_HAL.
- debian/control: Build-Depends on android-headers to get the required
wifi headers for the HAL support.
- debian/patches/dbus-available-sta.patch: Make the list of connected
stations available on DBus for hotspot mode; along with some of the
station properties, such as rx/tx packets, bytes, capabilities, etc.
wpa (2:2.4-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
- hostapd: Avoid key reinstallation in FT handshake
- Prevent reinstallation of an already in-use group key
- Extend protection of GTK/IGTK reinstallation of
- Fix TK configuration to the driver in EAPOL-Key 3/4
- Prevent installation of an all-zero TK
- Fix PTK rekeying to generate a new ANonce
- TDLS: Reject TPK-TK reconfiguration
- WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
- WNM: Ignore WNM-Sleep Mode Response without pending
- FT: Do not allow multiple Reassociation Response frames
- TDLS: Ignore incoming TDLS Setup Response retries
wpa (2:2.4-1) unstable; urgency=medium
[ Vincent Danjean ]
* Build with libssl1.0-dev (Closes: #828601).
* Add an upstream patch to fix hostapd in SMPS mode (Closes: #854719).
[ Andrew Shadura ]
* Don't install debian/system-sleep/wpasupplicant (originally introduced
to fix LP: #1422143), it doesn't improve the state of the things,
introduces regressions in some cases, and at all isn't supposed to
work with how wpa-supplicant is started these days (Closes: #835648).
* Bump the epoch to 2:, so that we can set the upstream version to
what we really mean. It also has to be higher than 2.6 in unstable
and 1:2.6 (what hostapd binary package in unstable has).
* Drop the binary package epoch override.
wpa (2.5-2+v2.4-3) unstable; urgency=medium
[ Helmut Grohne ]
* Address FTCBFS: Set PKG_CONFIG (Closes: #836074).
[ Andrew Shadura ]
* Don't run wpa_cli suspend/resume if /run/wpa_supplicant isn't around
(Closes: #835648).
wpa (2.5-2+v2.4-2) unstable; urgency=medium
* Apply patches from upstream to unbreak dedicated P2P Device support
(closes: #833402).
* Reapply an accidentally lost patch to fix pkcs11 OpenSSL engine
initialisation (Closes: #827253).
* Retroactively redact the last changelog entry to represent the actual
upload more accurately.
wpa (2.5-2+v2.4-1) unstable; urgency=medium
[ Ricardo Salveti de Araujo ]
* debian/patches/dbus-fix-operations-for-p2p-mgmt.patch: fix operations
when P2P management interface is used (LP: #1482439)
[ Stefan Lippers-Hollmann ]
* wpasupplicant: install systemd unit (Closes: #766746).
* wpasupplicant: configure driver fallback for networkd.
* import changelogs from the security queues.
* move previous patch for CVE-2015-1863 into a new subdirectory,
debian/patches/2015-1/.
* replace the Debian specific patch "wpasupplicant: fix systemd unit
dependencies" with a backport of its official upstream change "systemd:
Order wpa_supplicant before network.target".
* fix dependency ordering when invoked with DBus, by making sure that DBus
isn't shut down before wpa_supplicant, as that would also bring down
wireless links which are still holding open NFS shares. Thanks to Facundo
Gaich <email address hidden> and Michael Biebl <email address hidden>
(Closes: #785579).
* import NMU changelogs and integrate NMU changes.
* Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore
Bonaccorso <email address hidden> (Closes: #823411):
- WPS: Reject a Credential with invalid passphrase
- Reject psk parameter set with invalid passphrase character
- Remove newlines from wpa_supplicant config network output
- Reject SET_CRED commands with newline characters in the string values
- Reject SET commands with newline characters in the string values
* use --buildsystem=qmake_qt4 (available since dh 8.9.1) for debhelper
(Closes: #823171).
* fix clean target, by splitting the find call into individual searches.
* building wpa in a current unstable chroot using debhelper >= 9.20151219
will introduce automatic dbgsym packages, thereby indirectly providing
the requested debug packages for stretch and upwards (Closes: #729934).
Don't add a versioned build-dependency in order to avoid unnecessary
complications with backports.
* change Vcs-Browser location to prefer https, but keep the unsecure tag for
Vcs-Svn, as there is no option allowing to pull from the svn+ssh://
location without an alioth account, this only makes lintian partially happy
in regards to vcs-field-uses-insecure-uri.
* debian/*: fix spelling errors noticed by lintian.
* drop the obsolete Debian menu entry for wpa_gui, according to the tech-ctte
decision on #741573.
* fix debian/get-orig-source for wpa 2.6~.
* add debian/watch file for the custom tarball generation.
[ Paul Donohue ]
* debian/ifupdown/functions.sh: Fix handling for "wpa-roam". Call ifquery
instead of directly parsing /run/*/ifstate files to work with current
ifupdown. (Closes: #545766, LP: #1545363)
[ Martin Pitt ]
* Add debian/system-sleep/wpasupplicant: Call wpa_cli suspend/resume
before/after suspend, like the pm-utils hook. In some cases this brings
back missing Wifi connection after resuming. (LP: #1422143)
[ Andrew Shadura ]
* Backout 2.5 release, switch to 2.4 (see #833507 for details).
* New upstream release (Closes: #806889).
* Refresh patches, drop patches applied upstream.
* Update Vcs-* to point to Git.
wpa (2.3-2.4) unstable; urgency=medium
* Non-maintainer upload.
* Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to
Salvatore Bonaccorso <email address hidden> (Closes: #823411):
- WPS: Reject a Credential with invalid passphrase
- Reject psk parameter set with invalid passphrase character
- Remove newlines from wpa_supplicant config network output
- Reject SET_CRED commands with newline characters in the string values
- Reject SET commands with newline characters in the string values
* Refresh patches to apply cleanly.
wpa (2.3-2.3) unstable; urgency=high
* Non-maintainer upload.
* Add patch to address CVE-2015-5310.
CVE-2015-5310: wpa_supplicant unauthorized WNM Sleep Mode GTK control.
(Closes: #804707)
* Add patches to address CVE-2015-5314 and CVE-2015-5315.
CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
validation. (Closes: #804708)
* Add patch to address CVE-2015-5316.
CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
message. (Closes: #804710)
wpa (2.3-2.2) unstable; urgency=high
* Non-maintainer upload.
* Add patch to address CVE-2015-4141.
CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer
encoding. (Closes: #787372)
* Add patch to address CVE-2015-4142.
CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing.
(Closes: #787373)
* Add patches to address CVE-2015-414{3,4,5,6}
CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146: EAP-pwd missing
payload length validation. (Closes: #787371)
* Add patch to address 2015-5 vulnerability.
NFC: Fix payload length validation in NDEF record parser (Closes: #795740)
* Thanks to Julian Wollrath <email address hidden> for the initial debdiff
provided in #787371.
wpa (2.3-2.1) unstable; urgency=medium
* Non-maintainer upload.
* Import four patches from upstream git (wpasupplicant_band_selection_*.patch),
manually unfuzzed, to improve 2.4/5 GHz band selection. (Closes: #795722)
-- Marc Deslauriers <email address hidden> Fri, 10 Nov 2017 08:20:13 -0500
-
wpa (2.4-0ubuntu10) artful; urgency=medium
* SECURITY UPDATE: Multiple issues in WPA protocol
- debian/patches/2017-1/*.patch: Add patches from Debian stretch
- CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
CVE-2017-13088
* SECURITY UPDATE: Denial of service issues
- debian/patches/2016-1/*.patch: Add patches from Debian stretch
- CVE-2016-4476
- CVE-2016-4477
-- Marc Deslauriers <email address hidden> Mon, 16 Oct 2017 07:41:21 -0400