Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

wpa_supplicant-gui-2.10-150500.1.3 RPM for x86_64

From OpenSuSE Leap 15.5 for x86_64

Name: wpa_supplicant-gui Distribution: SUSE Linux Enterprise 15
Version: 2.10 Vendor: SUSE LLC <https://www.suse.com/>
Release: 150500.1.3 Build date: Wed May 3 22:29:52 2023
Group: Unspecified Build host: sheep20
Size: 662934 Source RPM: wpa_supplicant-2.10-150500.1.3.src.rpm
Packager: https://www.suse.com/
Url: https://w1.fi/wpa_supplicant
Summary: WPA supplicant graphical front-end
This package contains a graphical front-end to wpa_supplicant, an
implementation of the WPA Supplicant component.

Provides

Requires

License

BSD-3-Clause AND GPL-2.0-or-later

Changelog

* Tue Dec 27 2022 cfamullaconrad@suse.com
  - update to 2.10.0: jsc#PED-2904
    * SAE changes
    - improved protection against side channel attacks
      [https://w1.fi/security/2022-1/]
    - added support for the hash-to-element mechanism (sae_pwe=1 or
      sae_pwe=2); this is currently disabled by default, but will likely
      get enabled by default in the future
    - fixed PMKSA caching with OKC
    - added support for SAE-PK
    * EAP-pwd changes
    - improved protection against side channel attacks
      [https://w1.fi/security/2022-1/]
    * fixed P2P provision discovery processing of a specially constructed
      invalid frame
      [https://w1.fi/security/2021-1/]
    * fixed P2P group information processing of a specially constructed
      invalid frame
      [https://w1.fi/security/2020-2/]
    * fixed PMF disconnection protection bypass in AP mode
      [https://w1.fi/security/2019-7/]
    * added support for using OpenSSL 3.0
    * increased the maximum number of EAP message exchanges (mainly to
      support cases with very large certificates)
    * fixed various issues in experimental support for EAP-TEAP peer
    * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
    * a number of MKA/MACsec fixes and extensions
    * added support for SAE (WPA3-Personal) AP mode configuration
    * added P2P support for EDMG (IEEE 802.11ay) channels
    * fixed EAP-FAST peer with TLS GCM/CCM ciphers
    * improved throughput estimation and BSS selection
    * dropped support for libnl 1.1
    * added support for nl80211 control port for EAPOL frame TX/RX
    * fixed OWE key derivation with groups 20 and 21; this breaks backwards
      compatibility for these groups while the default group 19 remains
      backwards compatible
    * added support for Beacon protection
    * added support for Extended Key ID for pairwise keys
    * removed WEP support from the default build (CONFIG_WEP=y can be used
      to enable it, if really needed)
    * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
    * added support for Transition Disable mechanism to allow the AP to
      automatically disable transition mode to improve security
    * extended D-Bus interface
    * added support for PASN
    * added a file-based backend for external password storage to allow
      secret information to be moved away from the main configuration file
      without requiring external tools
    * added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
    * added support for SCS, MSCS, DSCP policy
    * changed driver interface selection to default to automatic fallback
      to other compiled in options
    * a large number of other fixes, cleanup, and extensions
  - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch,
      CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch,
      CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch,
      CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch:
      upstream
  - drop restore-old-dbus-interface.patch, wicked has been
    switching to the new dbus interface in version 0.6.66
  - config:
    * re-enable CONFIG_WEP
    * enable QCA vendor extensions to nl80211
    * enable support for Automatic Channel Selection
    * enable OCV, security feature that prevents MITM
      multi-channel attacks
    * enable QCA vendor extensions to nl80211
    * enable EAP-EKE
    * Support HT overrides
    * TLS v1.1 and TLS v1.2
    * Fast Session Transfer (FST)
    * Automatic Channel Selection
    * Multi Band Operation
    * Fast Initial Link Setup
    * Mesh Networking (IEEE 802.11s)
  - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
    (bsc#1201219)
  - Move the dbus-1 system.d file to /usr (bsc#1200342)
  - Added hardening to systemd service(s) (bsc#1181400). Modified:
    * wpa_supplicant.service
  - drop wpa_supplicant-getrandom.patch : glibc has been updated
    so the getrandom() wrapper is now there
  - Sync wpa_supplicant.spec with Factory
* Tue May 17 2022 cfamullaconrad@suse.com
  - Enable WPA3-Enterprise (SuiteB-192) support.
* Thu Feb 10 2022 cfamullaconrad@suse.com
  - Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch,
    CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch
    SAE/EAP-pwd side-channel attack update 2
    (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)
* Tue Apr 06 2021 cfamullaconrad@suse.com
  - Add CVE-2021-30004.patch -- forging attacks may occur because
    AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c
    (bsc#1184348)
* Wed Mar 03 2021 cfamullaconrad@suse.com
  - Fix systemd device ready dependencies in wpa_supplicant@.service file.
    (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)
* Sat Feb 27 2021 cfamullaconrad@suse.com
  - Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability
    (bsc#1182805)
* Thu Feb 04 2021 cfamullaconrad@suse.com
  - Add CVE-2021-0326.patch -- P2P group information processing vulnerability
    (bsc#1181777)
* Tue Oct 06 2020 sp1ritCS@protonmail.com
  - Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size
    (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)
* Tue Sep 22 2020 cfamullaconrad@suse.com
  - Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build
* Tue Sep 22 2020 songchuan.kang@suse.com
  - Enable SAE support(jsc#SLE-14992).
* Thu Apr 23 2020 cfamullaconrad@suse.com
  - Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass
    (bsc#1150934)
* Fri Apr 17 2020 bwiedemann@suse.com
  - Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920)
  - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)
* Thu Mar 26 2020 cfamullaconrad@suse.com
  - With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)
* Thu Mar 26 2020 ilya@ilya.pp.ua
  - Change wpa_supplicant.service to ensure wpa_supplicant gets started before
    network. Fix WLAN config on boot with wicked. (boo#1166933)
* Fri Feb 28 2020 tchvatal@suse.com
  - Adjust the service to start after network.target wrt bsc#1165266
* Mon Nov 04 2019 tchvatal@suse.com
  - Update to 2.9 release:
    * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
      [https://w1.fi/security/2019-6/]
    * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - allow the set of groups to be configured (eap_pwd_groups)
    - improved protection against side channel attacks
      [https://w1.fi/security/2019-6/]
    * fixed FT-EAP initial mobility domain association using PMKSA caching
      (disabled by default for backwards compatibility; can be enabled
      with ft_eap_pmksa_caching=1)
    * fixed a regression in OpenSSL 1.1+ engine loading
    * added validation of RSNE in (Re)Association Response frames
    * fixed DPP bootstrapping URI parser of channel list
    * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
    * extended ca_cert_blob to support PEM format
    * improved robustness of P2P Action frame scheduling
    * added support for EAP-SIM/AKA using anonymous@realm identity
    * fixed Hotspot 2.0 credential selection based on roaming consortium
      to ignore credentials without a specific EAP method
    * added experimental support for EAP-TEAP peer (RFC 7170)
    * added experimental support for EAP-TLS peer with TLS v1.3
    * fixed a regression in WMM parameter configuration for a TDLS peer
    * fixed a regression in operation with drivers that offload 802.1X
      4-way handshake
    * fixed an ECDH operation corner case with OpenSSL
    * SAE changes
    - added support for SAE Password Identifier
    - changed default configuration to enable only groups 19, 20, 21
      (i.e., disable groups 25 and 26) and disable all unsuitable groups
      completely based on REVmd changes
    - do not regenerate PWE unnecessarily when the AP uses the
      anti-clogging token mechanisms
    - fixed some association cases where both SAE and FT-SAE were enabled
      on both the station and the selected AP
    - started to prefer FT-SAE over SAE AKM if both are enabled
    - started to prefer FT-SAE over FT-PSK if both are enabled
    - fixed FT-SAE when SAE PMKSA caching is used
    - reject use of unsuitable groups based on new implementation guidance
      in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
      groups with prime >= 256)
    - minimize timing and memory use differences in PWE derivation
      [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
    * EAP-pwd changes
    - minimize timing and memory use differences in PWE derivation
      [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
    - verify server scalar/element
      [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
      CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
    - fix message reassembly issue with unexpected fragment
      [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
    - enforce rand,mask generation rules more strictly
    - fix a memory leak in PWE derivation
    - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
      27)
    - SAE/EAP-pwd side-channel attack update
      [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
    * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
    * Hotspot 2.0 changes
    - do not indicate release number that is higher than the one
      AP supports
    - added support for release number 3
    - enable PMF automatically for network profiles created from
      credentials
    * fixed OWE network profile saving
    * fixed DPP network profile saving
    * added support for RSN operating channel validation
      (CONFIG_OCV=y and network profile parameter ocv=1)
    * added Multi-AP backhaul STA support
    * fixed build with LibreSSL
    * number of MKA/MACsec fixes and extensions
    * extended domain_match and domain_suffix_match to allow list of values
    * fixed dNSName matching in domain_match and domain_suffix_match when
      using wolfSSL
    * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
      are enabled
    * extended nl80211 Connect and external authentication to support
      SAE, FT-SAE, FT-EAP-SHA384
    * fixed KEK2 derivation for FILS+FT
    * extended client_cert file to allow loading of a chain of PEM
      encoded certificates
    * extended beacon reporting functionality
    * extended D-Bus interface with number of new properties
    * fixed a regression in FT-over-DS with mac80211-based drivers
    * OpenSSL: allow systemwide policies to be overridden
    * extended driver flags indication for separate 802.1X and PSK
      4-way handshake offload capability
    * added support for random P2P Device/Interface Address use
    * extended PEAP to derive EMSK to enable use with ERP/FILS
    * extended WPS to allow SAE configuration to be added automatically
      for PSK (wps_cred_add_sae=1)
    * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
    * extended domain_match and domain_suffix_match to allow list of values
    * added a RSN workaround for misbehaving PMF APs that advertise
      IGTK/BIP KeyID using incorrect byte order
    * fixed PTK rekeying with FILS and FT
    * fixed WPA packet number reuse with replayed messages and key
      reinstallation
      [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
      CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
      CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
    * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
      [https://w1.fi/security/2018-1/] (CVE-2018-14526)
    * added support for FILS (IEEE 802.11ai) shared key authentication
    * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
      and transition mode defined by WFA)
    * added support for DPP (Wi-Fi Device Provisioning Protocol)
    * added support for RSA 3k key case with Suite B 192-bit level
    * fixed Suite B PMKSA caching not to update PMKID during each 4-way
      handshake
    * fixed EAP-pwd pre-processing with PasswordHashHash
    * added EAP-pwd client support for salted passwords
    * fixed a regression in TDLS prohibited bit validation
    * started to use estimated throughput to avoid undesired signal
      strength based roaming decision
    * MACsec/MKA:
    - new macsec_linux driver interface support for the Linux
      kernel macsec module
    - number of fixes and extensions
    * added support for external persistent storage of PMKSA cache
      (PMKSA_GET/PMKSA_ADD control interface commands; and
      MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
    * fixed mesh channel configuration pri/sec switch case
    * added support for beacon report
    * large number of other fixes, cleanup, and extensions
    * added support for randomizing local address for GAS queries
      (gas_rand_mac_addr parameter)
    * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
    * added option for using random WPS UUID (auto_uuid=1)
    * added SHA256-hash support for OCSP certificate matching
    * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
    * fixed a regression in RSN pre-authentication candidate selection
    * added option to configure allowed group management cipher suites
      (group_mgmt network profile parameter)
    * removed all PeerKey functionality
    * fixed nl80211 AP and mesh mode configuration regression with
      Linux 4.15 and newer
    * added ap_isolate configuration option for AP mode
    * added support for nl80211 to offload 4-way handshake into the driver
    * added support for using wolfSSL cryptographic library
    * SAE
    - added support for configuring SAE password separately of the
      WPA2 PSK/passphrase
    - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
      for SAE;
      note: this is not backwards compatible, i.e., both the AP and
      station side implementations will need to be update at the same
      time to maintain interoperability
    - added support for Password Identifier
    - fixed FT-SAE PMKID matching
    * Hotspot 2.0
    - added support for fetching of Operator Icon Metadata ANQP-element
    - added support for Roaming Consortium Selection element
    - added support for Terms and Conditions
    - added support for OSEN connection in a shared RSN BSS
    - added support for fetching Venue URL information
    * added support for using OpenSSL 1.1.1
    * FT
    - disabled PMKSA caching with FT since it is not fully functional
    - added support for SHA384 based AKM
    - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
      BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
    - fixed additional IE inclusion in Reassociation Request frame when
      using FT protocol
  - Drop merged patches:
    * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
    * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
    * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
    * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
    * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
    * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
    * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
    * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
    * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
    * wpa_supplicant-bnc-1099835-fix-private-key-password.patch
    * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
    * wpa_supplicant-log-file-permission.patch
    * wpa_supplicant-log-file-cloexec.patch
    * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
    * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
  - Rebase patches:
    * wpa_supplicant-getrandom.patch
* Mon Jul 29 2019 ilya@ilya.pp.ua
  - Refresh spec-file via spec-cleaner and manual optimizations.
    * Change URL and Source0 to actual project homepage.
    * Remove macro %{?systemd_requires} and rm (not needed).
    * Add %autopatch macro.
    * Add %make_build macro.
  - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1).
  - Changed service-files for start after network (systemd-networkd).
* Fri Nov 02 2018 ilya@ilya.pp.ua
  - Refresh spec-file: add %license tag.
* Tue Oct 16 2018 kbabioch@suse.com
  - Renamed patches:
    - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch
    - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch
  - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag
  - Enabled timestamps in log files (bsc#1080798)
* Mon Oct 15 2018 ro@suse.de
  - compile eapol_test binary to allow testing via radius proxy and server
    (note: this does not match CONFIG_EAPOL_TEST which sets -Werror
    and activates an assert call inside the code of wpa_supplicant)
    (bsc#1111873), (fate#326725)
  - add patch to fix wrong operator precedence in ieee802_11.c
    wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
  - add patch to avoid redefinition of __bitwise macro
    wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
* Fri Oct 12 2018 kbabioch@suse.com
  - Added wpa-supplicant-log-file-permission.patch: Fixes the default file
    permissions of the debug log file to more sane values, i.e. it is no longer
    world-readable (bsc#1098854).
  - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with
    O_CLOEXEC, which will prevent file descriptor leaking to child processes
    (bsc#1098854).
* Thu Oct 11 2018 kbabioch@suse.com
  - Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch:
    Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).
* Fri Sep 21 2018 kbabioch@suse.com
  - Enabled PWD as EAP method. This allows for password-based authentication,
    which is easier to setup than most of the other methods, and is used by the
    Eduroam network (bsc#1109209).
* Fri Jul 20 2018 ro@suse.de
  - add two patches from upstream to fix reading private key
    passwords from the configuration file (bsc#1099835)
    - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384
      wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
    - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f
      wpa_supplicant-bnc-1099835-fix-private-key-password.patch
* Mon Oct 16 2017 meissner@suse.com
  - Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
    - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
    - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
    - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
    - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
    - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
    - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
    - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
    - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
* Fri Apr 21 2017 obs@botter.cc
  - fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match
    eloop_signal_handler type (needed to build eapol_test via config)
* Fri Dec 23 2016 dwaas@suse.com
  - Added .service files that accept interfaces as %i arguments so it's possible
    to call the daemon with:
    "systemctl start wpa_supplicant@$INTERFACE_NAME.service"
    (like openvpn for example)
* Thu Oct 06 2016 meissner@suse.com
  - updated to 2.6 / 2016-10-02
    * fixed WNM Sleep Mode processing when PMF is not enabled
      [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254)
    * fixed EAP-pwd last fragment validation
      [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115)
    * fixed EAP-pwd unexpected Confirm message processing
      [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115)
    * fixed WPS configuration update vulnerability with malformed passphrase
      [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172)
    * fixed configuration update vulnerability with malformed parameters set
      over the local control interface
      [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175)
    * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
    * extended channel switch support for P2P GO
    * started to throttle control interface event message bursts to avoid
      issues with monitor sockets running out of buffer space
    * mesh mode fixes/improvements
    - generate proper AID for peer
    - enable WMM by default
    - add VHT support
    - fix PMKID derivation
    - improve robustness on various exchanges
    - fix peer link counting in reconnect case
    - improve mesh joining behavior
    - allow DTIM period to be configured
    - allow HT to be disabled (disable_ht=1)
    - add MESH_PEER_ADD and MESH_PEER_REMOVE commands
    - add support for PMKSA caching
    - add minimal support for SAE group negotiation
    - allow pairwise/group cipher to be configured in the network profile
    - use ieee80211w profile parameter to enable/disable PMF and derive
      a separate TX IGTK if PMF is enabled instead of using MGTK
      incorrectly
    - fix AEK and MTK derivation
    - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
    - note: these changes are not fully backwards compatible for secure
      (RSN) mesh network
    * fixed PMKID derivation with SAE
    * added support for requesting and fetching arbitrary ANQP-elements
      without internal support in wpa_supplicant for the specific element
      (anqp[265]=<hexdump> in "BSS <BSSID>" command output)
    * P2P
    - filter control characters in group client device names to be
      consistent with other P2P peer cases
    - support VHT 80+80 MHz and 160 MHz
    - indicate group completion in P2P Client role after data association
      instead of already after the WPS provisioning step
    - improve group-join operation to use SSID, if known, to filter BSS
      entries
    - added optional ssid=<hexdump> argument to P2P_CONNECT for join case
    - added P2P_GROUP_MEMBER command to fetch client interface address
    * P2PS
    - fix follow-on PD Response behavior
    - fix PD Response generation for unknown peer
    - fix persistent group reporting
    - add channel policy to PD Request
    - add group SSID to the P2PS-PROV-DONE event
    - allow "P2P_CONNECT <addr> p2ps" to be used without specifying the
      default PIN
    * BoringSSL
    - support for OCSP stapling
    - support building of h20-osu-client
    * D-Bus
    - add ExpectDisconnect()
    - add global config parameters as properties
    - add SaveConfig()
    - add VendorElemAdd(), VendorElemGet(), VendorElemRem()
    * fixed Suite B 192-bit AKM to use proper PMK length
      (note: this makes old releases incompatible with the fixed behavior)
    * improved PMF behavior for cases where the AP and STA has different
      configuration by not trying to connect in some corner cases where the
      connection cannot succeed
    * added option to reopen debug log (e.g., to rotate the file) upon
      receipt of SIGHUP signal
    * EAP-pwd: added support for Brainpool Elliptic Curves
      (with OpenSSL 1.0.2 and newer)
    * fixed EAPOL reauthentication after FT protocol run
    * fixed FTIE generation for 4-way handshake after FT protocol run
    * extended INTERFACE_ADD command to allow certain type (sta/ap)
      interface to be created
    * fixed and improved various FST operations
    * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
    * fixed SIGNAL_POLL in IBSS and mesh cases
    * added an option to abort an ongoing scan (used to speed up connection
      and can also be done with the new ABORT_SCAN command)
    * TLS client
    - do not verify CA certificates when ca_cert is not specified
    - support validating server certificate hash
    - support SHA384 and SHA512 hashes
    - add signature_algorithms extension into ClientHello
    - support TLS v1.2 signature algorithm with SHA384 and SHA512
    - support server certificate probing
    - allow specific TLS versions to be disabled with phase2 parameter
    - support extKeyUsage
    - support PKCS #5 v2.0 PBES2
    - support PKCS #5 with PKCS #12 style key decryption
    - minimal support for PKCS #12
    - support OCSP stapling (including ocsp_multi)
    * OpenSSL
    - support OpenSSL 1.1 API changes
    - drop support for OpenSSL 0.9.8
    - drop support for OpenSSL 1.0.0
    * added support for multiple schedule scan plans (sched_scan_plans)
    * added support for external server certificate chain validation
      (tls_ext_cert_check=1 in the network profile phase1 parameter)
    * made phase2 parser more strict about correct use of auth=<val> and
      autheap=<val> values
    * improved GAS offchannel operations with comeback request
    * added SIGNAL_MONITOR command to request signal strength monitoring
      events
    * added command for retrieving HS 2.0 icons with in-memory storage
      (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and
      RX-HS20-ICON event)
    * enabled ACS support for AP mode operations with wpa_supplicant
    * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server
      ("Invalid Compound_MAC in cryptobinding TLV")
    * EAP-TTLS: fixed success after fragmented final Phase 2 message
    * VHT: added interoperability workaround for 80+80 and 160 MHz channels
    * WNM: workaround for broken AP operating class behavior
    * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
    * nl80211:
    - add support for full station state operations
    - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
    - add NL80211_ATTR_PREV_BSSID with Connect command
    - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
      unencrypted EAPOL frames
    * added initial MBO support; number of extensions to WNM BSS Transition
      Management
    * added support for PBSS/PCP and P2P on 60 GHz
    * Interworking: add credential realm to EAP-TLS identity
    * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
    * HS 2.0: add support for configuring frame filters
    * added POLL_STA command to check connectivity in AP mode
    * added initial functionality for location related operations
    * started to ignore pmf=1/2 parameter for non-RSN networks
    * added wps_disabled=1 network profile parameter to allow AP mode to
      be started without enabling WPS
    * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED
      events
    * improved Public Action frame addressing
    - add gas_address3 configuration parameter to control Address 3
      behavior
    * number of small fixes
  - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509
    certificates from remote radius server in debug mode in WPA-EAP.
* Wed Jul 20 2016 tchvatal@suse.com
  - Remove support for <12.3 as we are unresolvable there anyway
  - Use qt5 on 13.2 if someone pulls this package in
  - Convert to pkgconfig dependencies over the devel pkgs
  - Use the %qmake5 macro to build the qt5 gui
* Wed Mar 23 2016 lnussel@suse.de
  - add After=dbus.service to prevent too early shutdown (bnc#963652)
* Fri Feb 26 2016 crrodriguez@opensuse.org
  - Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination
    with CONFIG_DBUS=yes.
* Sat Feb 20 2016 crrodriguez@opensuse.org
  - spec: Compile the GUI against QT5 in 13.2 and later.
* Thu Feb 18 2016 crrodriguez@opensuse.org
  - Previous update did not include version 2.5 tarball
    or changed the version number in spec, only the changelog
    and removed patches.
  - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable·
    random number generator by using /dev/urandom, no need to
    keep an internal random number pool which draws entropy from
    /dev/random.
  - config: prefer using epoll(7) instead of select(2)
    by setting CONFIG_ELOOP_EPOLL=y
  - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2)
    system call to collect entropy. if it is not present disable
    buffering when reading /dev/urandom, otherwise each os_get_random()
    call will request BUFSIZ of entropy instead of the few needed bytes.
* Wed Feb 17 2016 lnussel@suse.de
  - add aliases for both provided dbus names to avoid systemd stopping the
    service when switching runlevels (boo#966535)
* Thu Feb 04 2016 michael@stroeder.com
  - removed obsolete security patches:
    * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
    * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
    * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
    * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
    * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
    * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
    * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
    * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
    * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
  - Update to upstream release 2.5
    * fixed P2P validation of SSID element length before copying it
      [http://w1.fi/security/2015-1/] (CVE-2015-1863)
    * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
      [http://w1.fi/security/2015-2/] (CVE-2015-4141)
    * fixed WMM Action frame parser (AP mode)
      [http://w1.fi/security/2015-3/] (CVE-2015-4142)
    * fixed EAP-pwd peer missing payload length validation
      [http://w1.fi/security/2015-4/]
      (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
    * fixed validation of WPS and P2P NFC NDEF record payload length
      [http://w1.fi/security/2015-5/] (CVE-2015-8041)
    * nl80211:
    - added VHT configuration for IBSS
    - fixed vendor command handling to check OUI properly
    - allow driver-based roaming to change ESS
    * added AVG_BEACON_RSSI to SIGNAL_POLL output
    * wpa_cli: added tab completion for number of commands
    * removed unmaintained and not yet completed SChannel/CryptoAPI support
    * modified Extended Capabilities element use in Probe Request frames to
      include all cases if any of the values are non-zero
    * added support for dynamically creating/removing a virtual interface
      with interface_add/interface_remove
    * added support for hashed password (NtHash) in EAP-pwd peer
    * added support for memory-only PSK/passphrase (mem_only_psk=1 and
      CTRL-REQ/RSP-PSK_PASSPHRASE)
    * P2P
    - optimize scan frequencies list when re-joining a persistent group
    - fixed number of sequences with nl80211 P2P Device interface
    - added operating class 125 for P2P use cases (this allows 5 GHz
      channels 161 and 169 to be used if they are enabled in the current
      regulatory domain)
    - number of fixes to P2PS functionality
    - do not allow 40 MHz co-ex PRI/SEC switch to force MCC
    - extended support for preferred channel listing
    * D-Bus:
    - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
    - fixed PresenceRequest to use group interface
    - added new signals: FindStopped, WPS pbc-overlap,
      GroupFormationFailure, WPS timeout, InvitationReceived
    - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
    - added manufacturer info
    * added EAP-EKE peer support for deriving Session-Id
    * added wps_priority configuration parameter to set the default priority
      for all network profiles added by WPS
    * added support to request a scan with specific SSIDs with the SCAN
      command (optional "ssid <hexdump>" arguments)
    * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
    * fixed SAE group selection in an error case
    * modified SAE routines to be more robust and PWE generation to be
      stronger against timing attacks
    * added support for Brainpool Elliptic Curves with SAE
    * added support for CCMP-256 and GCMP-256 as group ciphers with FT
    * fixed BSS selection based on estimated throughput
    * added option to disable TLSv1.0 with OpenSSL
      (phase1="tls_disable_tlsv1_0=1")
    * added Fast Session Transfer (FST) module
    * fixed OpenSSL PKCS#12 extra certificate handling
    * fixed key derivation for Suite B 192-bit AKM (this breaks
      compatibility with the earlier version)
    * added RSN IE to Mesh Peering Open/Confirm frames
    * number of small fixes
* Thu May 07 2015 ro@suse.de
  - added patch for bnc#930077 CVE-2015-4141
    0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
  - added patch for bnc#930078 CVE-2015-4142
    0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
  - added patches for bnc#930079 CVE-2015-4143
    0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
    0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
    0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
    0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
    0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
* Fri May 01 2015 zaitor@opensuse.org
  - Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
    Fix Segmentation fault in wpa_supplicant. Patch taken from
    upstream master git (arch#44740).
* Thu Apr 23 2015 crrodriguez@opensuse.org
  - 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
    Fix CVE-2015-1863, memcpy overflow.
  - wpa_supplicant-alloc_size.patch: annotate two wrappers
    with attribute alloc_size, which may help warning us of
    bugs such as the above.
* Fri Apr 10 2015 stefan.bruens@rwth-aachen.de
  - Delete wpa_priv and eapol_test man pages, these are disabled in config
  - Move wpa_gui man page to gui package
* Thu Apr 02 2015 stefan.bruens@rwth-aachen.de
  - Update to 2.4
    * allow OpenSSL cipher configuration to be set for internal EAP server
      (openssl_ciphers parameter)
    * fixed number of small issues based on hwsim test case failures and
      static analyzer reports
    * P2P:
    - add new=<0/1> flag to P2P-DEVICE-FOUND events
    - add passive channels in invitation response from P2P Client
    - enable nl80211 P2P_DEVICE support by default
    - fix regresssion in disallow_freq preventing search on social
      channels
    - fix regressions in P2P SD query processing
    - try to re-invite with social operating channel if no common channels
      in invitation
    - allow cross connection on parent interface (this fixes number of
      use cases with nl80211)
    - add support for P2P services (P2PS)
    - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to
      be configured
    * increase postponing of EAPOL-Start by one second with AP/GO that
      supports WPS 2.0 (this makes it less likely to trigger extra roundtrip
      of identity frames)
    * add support for PMKSA caching with SAE
    * add support for control mesh BSS (IEEE 802.11s) operations
    * fixed number of issues with D-Bus P2P commands
    * fixed regression in ap_scan=2 special case for WPS
    * fixed macsec_validate configuration
    * add a workaround for incorrectly behaving APs that try to use
      EAPOL-Key descriptor version 3 when the station supports PMF even if
      PMF is not enabled on the AP
    * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior
      of disabling these can be configured to work around issues with broken
      servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
    * add support for Suite B (128-bit and 192-bit level) key management and
      cipher suites
    * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS)
    * improved BSS Transition Management processing
    * add support for neighbor report
    * add support for link measurement
    * fixed expiration of BSS entry with all-zeros BSSID
    * add optional LAST_ID=x argument to LIST_NETWORK to allow all
      configured networks to be listed even with huge number of network
      profiles
    * add support for EAP Re-Authentication Protocol (ERP)
    * fixed EAP-IKEv2 fragmentation reassembly
    * improved PKCS#11 configuration for OpenSSL
    * set stdout to be line-buffered
    * add TDLS channel switch configuration
    * add support for MAC address randomization in scans with nl80211
    * enable HT for IBSS if supported by the driver
    * add BSSID black and white lists (bssid_blacklist, bssid_whitelist)
    * add support for domain_suffix_match with GnuTLS
    * add OCSP stapling client support with GnuTLS
    * include peer certificate in EAP events even without a separate probe
      operation; old behavior can be restored with cert_in_cb=0
    * add peer ceritficate alt subject name to EAP events
      (CTRL-EVENT-EAP-PEER-ALT)
    * add domain_match network profile parameter (similar to
      domain_suffix_match, but full match is required)
    * enable AP/GO mode HT Tx STBC automatically based on driver support
    * add ANQP-QUERY-DONE event to provide information on ANQP parsing
      status
    * allow passive scanning to be forced with passive_scan=1
    * add a workaround for Linux packet socket behavior when interface is in
      bridge
    * increase 5 GHz band preference in BSS selection (estimate SNR, if info
      not available from driver; estimate maximum throughput based on common
      HT/VHT/specific TX rate support)
    * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to
      implement Interworking network selection behavior in upper layers
      software components
    * add optional reassoc_same_bss_optim=1 (disabled by default)
      optimization to avoid unnecessary Authentication frame exchange
    * extend TDLS frame padding workaround to cover all packets
    * allow wpa_supplicant to recover nl80211 functionality if the cfg80211
      module gets removed and reloaded without restarting wpa_supplicant
    * allow hostapd DFS implementation to be used in wpa_supplicant AP mode
* Sat Oct 18 2014 stefan.bruens@rwth-aachen.de
  - Update to 2.3
    * fixed number of minor issues identified in static analyzer warnings
    * fixed wfd_dev_info to be more careful and not read beyond the buffer
      when parsing invalid information for P2P-DEVICE-FOUND
    * extended P2P and GAS query operations to support drivers that have
      maximum remain-on-channel time below 1000 ms (500 ms is the current
      minimum supported value)
    * added p2p_search_delay parameter to make the default p2p_find delay
      configurable
    * improved P2P operating channel selection for various multi-channel
      concurrency cases
    * fixed some TDLS failure cases to clean up driver state
    * fixed dynamic interface addition cases with nl80211 to avoid adding
      ifindex values to incorrect interface to skip foreign interface events
      properly
    * added TDLS workaround for some APs that may add extra data to the
      end of a short frame
    * fixed EAP-AKA' message parser with multiple AT_KDF attributes
    * added configuration option (p2p_passphrase_len) to allow longer
      passphrases to be generated for P2P groups
    * fixed IBSS channel configuration in some corner cases
    * improved HT/VHT/QoS parameter setup for TDLS
    * modified D-Bus interface for P2P peers/groups
    * started to use constant time comparison for various password and hash
      values to reduce possibility of any externally measurable timing
      differences
    * extended explicit clearing of freed memory and expired keys to avoid
      keeping private data in memory longer than necessary
    * added optional scan_id parameter to the SCAN command to allow manual
      scan requests for active scans for specific configured SSIDs
    * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value
    * added option to set Hotspot 2.0 Rel 2 update_identifier in network
      configuration to support external configuration
    * modified Android PNO functionality to send Probe Request frames only
      for hidden SSIDs (based on scan_ssid=1)
    * added generic mechanism for adding vendor elements into frames at
      runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE)
    * added fields to show unrecognized vendor elements in P2P_PEER
    * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that
      MS-CHAP2-Success is required to be present regardless of
      eap_workaround configuration
    * modified EAP fast session resumption to allow results to be used only
      with the same network block that generated them
    * extended freq_list configuration to apply for sched_scan as well as
      normal scan
    * modified WPS to merge mixed-WPA/WPA2 credentials from a single session
    * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is
      removed from a bridge
    * fixed number of small P2P issues to make negotiations more robust in
      corner cases
    * added experimental support for using temporary, random local MAC
      address (mac_addr and preassoc_mac_addr parameters); this is disabled
      by default (i.e., previous behavior of using permanent address is
      maintained if configuration is not changed)
    * added D-Bus interface for setting/clearing WFD IEs
    * fixed TDLS AID configuration for VHT
    * modified -m<conf> configuration file to be used only for the P2P
      non-netdev management device and do not load this for the default
      station interface or load the station interface configuration for
      the P2P management interface
    * fixed external MAC address changes while wpa_supplicant is running
    * started to enable HT (if supported by the driver) for IBSS
    * fixed wpa_cli action script execution to use more robust mechanism
      (CVE-2014-3686)

Files

/usr/sbin/wpa_gui
/usr/share/man/man8/wpa_gui.8.gz


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 18:11:13 2024