Change logs for wpa source package in Sid

  • wpa (2:2.7+git20190128+0c1e29f-5) unstable; urgency=high
    
      * Fix security issue 2019-5:
        - EAP-pwd message reassembly issue with unexpected fragment
          (Closes: #927463, no CVE assigned).
    
     -- Andrej Shadura <email address hidden>  Fri, 26 Apr 2019 14:55:52 +0200
  • wpa (2:2.7+git20190128+0c1e29f-4) unstable; urgency=high
    
      * Apply security fixes (Closes: #926801):
        - CVE-2019-9494: SAE cache attack against ECC groups (VU#871675)
        - CVE-2019-9495: EAP-pwd cache attack against ECC groups
        - CVE-2019-9496: SAE confirm missing state validation
        - CVE-2019-9497: EAP-pwd server not checking for reflection attack
        - CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
        - CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
    
        For more details, see:
        - https://w1.fi/security/2019-1/
        - https://w1.fi/security/2019-2/
        - https://w1.fi/security/2019-3/
        - https://w1.fi/security/2019-4/
    
     -- Andrej Shadura <email address hidden>  Wed, 10 Apr 2019 19:00:22 +0200
  • wpa (2:2.7+git20190128+0c1e29f-3) unstable; urgency=medium
    
      * Print the warning and exit after sourcing /lib/lsb/init-functions
        (Closes: #924666).
      * Recognise multiple configs in DAEMON_CONF and verify them all.
      * Fix ENGINE support with OpenSSL 1.1+ (Closes: #924632).
    
     -- Andrej Shadura <email address hidden>  Fri, 15 Mar 2019 17:44:51 +0100
  • wpa (2:2.7+git20190128+0c1e29f-2) unstable; urgency=medium
    
      * Apply an RFC patch to work around big endian keyidx.
        This is likely to fix #919138, but more testing is needed.
    
     -- Andrej Shadura <email address hidden>  Tue, 19 Feb 2019 19:14:56 +0100
  • wpa (2:2.7+git20190128+0c1e29f-1) unstable; urgency=medium
    
      * Upload to unstable.
      * New upstream snapshot 2.7+git20190128+0c1e29f.
      * Add Files-Excluded to debian/copyright.
      * Watch the upstream git.
      * Refresh hostapd/wpasupplicant configs, enable CONFIG_GETRANDOM
        (Closes: #914490)
    
     -- Andrej Shadura <email address hidden>  Tue, 29 Jan 2019 18:11:01 +0100
  • wpa (2:2.7-3) unstable; urgency=medium
    
      * Upload to unstable.
      * Refresh dbus-available-sta.patch from the upstream.
      * Since we use Type=forking, pass -B to hostapd (Closes: #918861).
      * Apply upstream fixes for 802.1X 4-way handshake offload.
      * Bump Standards-Version to 4.3.0.
      * Use debhelper-compat (= 12).
      * Drop dh_systemd_enable calls and overrides.
      * Move manual installs into .install as much as possible.
      * Drop ancient preinst scripts.
      * Add Pre-Depends to hostapd.
      * Display a warning if DAEMON_CONF is not /etc/hostapd/hostapd.conf.
      * Default to /etc/hostapd/hostapd.conf.
      * Update README.Debian in hostapd.
    
     -- Andrej Shadura <email address hidden>  Fri, 11 Jan 2019 00:17:14 +0100
  • wpa (2:2.6-21) unstable; urgency=medium
    
      * Fix a typo in the patch.
    
     -- Andrej Shadura <email address hidden>  Sat, 15 Dec 2018 17:38:19 +0100
  • wpa (2:2.6-19) unstable; urgency=medium
    
      [ Ondřej Nový ]
      * d/copyright: Use https protocol in Format field
      * d/changelog: Remove trailing whitespaces
    
      [ Andrej Shadura ]
      * Re-enable TLSv1.0 and security level 1 for wpasupplicant.
        (Closes: #907518, #911297).
      * Modernise debian/rules.
    
     -- Andrej Shadura <email address hidden>  Sat, 15 Dec 2018 15:21:08 +0100
  • wpa (2:2.6-18) unstable; urgency=high
    
      * Fix NL80211_ATTR_SMPS_MODE encoding (Closes: #903952)
      * SECURITY UPDATE:
        - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
          (Closes: #905739)
    
     -- Andrej Shadura <email address hidden>  Wed, 08 Aug 2018 22:50:11 +0200
  • wpa (2:2.6-17) unstable; urgency=medium
    
      * Fix get-orig-source so that it can produce pre-release snapshots.
      * Remove dbus changes to StaAuthorized/StaDeauthorized after discussions
        with the upstream.
    
     -- Andrej Shadura <email address hidden>  Fri, 08 Jun 2018 14:30:54 +0200
  • wpa (2:2.6-16) unstable; urgency=medium
    
      * Fix README.Debian: MyNetWork, not NETBEER (Closes: #791333).
      * Restart hostapd on a failure after 2s.
      * Add a template for per-interface hostapd services (Closes: #889508).
      * Merge a patch from Ubuntu:
        - debian/patches/dbus-available-sta.patch: Make the list of connected
          stations available on DBus for hotspot mode; along with some of the
          station properties, such as rx/tx packets, bytes, capabilities, etc.
    
     -- Andrej Shadura <email address hidden>  Mon, 07 May 2018 15:32:41 +0200
  • wpa (2:2.6-15) unstable; urgency=medium
    
      * Update debian/control:
        - Update Maintainer field to point to $<email address hidden>
        - Update Vcs-* fields to point to salsa.d.o
        - Drop no longer active uploaders.
    
     -- Andrew Shadura <email address hidden>  Thu, 28 Dec 2017 11:26:28 +0100
  • wpa (2:2.6-14) unstable; urgency=medium
    
      * Replace the PEM fix patch by Lukasz Siudut with an upstream patch.
        Thanks to David Benjamin <email address hidden>.
      * Apply patches from Beniamino Galvani:
        - Fix race condition in detecting MAC address change
        - Update MAC address when driver detects a change
      * Disable WNM to resolve a compatibility issue with wl.
        Thanks to YOSHINO Yoshihito <email address hidden>.
        Hopefully really closes: #833507.
    
     -- Andrew Shadura <email address hidden>  Thu, 28 Dec 2017 09:51:29 +0100
  • wpa (2:2.6-13) unstable; urgency=medium
    
      * Fix a typo in functions.sh (Closes: #883659).
    
     -- Andrew Shadura <email address hidden>  Thu, 07 Dec 2017 18:24:27 +0100
  • wpa (2:2.6-12) unstable; urgency=medium
    
      * Add wl to the blacklist for MAC randomisation. (Closes: #833507)
      * Blacklist an out-of-tree driver for Realtek RTL8188EU too.
    
     -- Andrew Shadura <email address hidden>  Tue, 05 Dec 2017 12:32:27 +0100
  • wpa (2:2.6-11) unstable; urgency=medium
    
      * Unbreak EAP-TLS.
        Thanks to Dmitry Borodaenko <email address hidden>
    
     -- Andrew Shadura <email address hidden>  Thu, 30 Nov 2017 11:21:43 +0100
  • wpa (2:2.6-10) unstable; urgency=medium
    
      * Mask hostapd every time it has no valid configuration.
    
     -- Andrew Shadura <email address hidden>  Tue, 28 Nov 2017 12:28:13 +0100
  • wpa (2:2.6-8) unstable; urgency=medium
    
      * Revert "Build wpa_supplicant with interface matching support."
        (Closes: #882716).
      * Drop override_dh_builddeb.
      * Use dh 10.
      * Prevent hostapd from failing on the package install when there
        isn't a valid configuration file yet (Closes: #882740):
        - Don't enable hostapd.service by default.
        - Mask hostapd.service on the first install.
    
     -- Andrew Shadura <email address hidden>  Sun, 26 Nov 2017 19:38:57 +0000
  • wpa (2:2.6-7) unstable; urgency=medium
    
      * Upload to unstable.
      * Optional AP side workaround for key reinstallation attacks (LP: #1730399).
    
     -- Andrew Shadura <email address hidden>  Fri, 24 Nov 2017 16:29:25 +0000
  • wpa (2:2.4-1.1) unstable; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
        CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
        CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
        - hostapd: Avoid key reinstallation in FT handshake
        - Prevent reinstallation of an already in-use group key
        - Extend protection of GTK/IGTK reinstallation of
        - Fix TK configuration to the driver in EAPOL-Key 3/4
        - Prevent installation of an all-zero TK
        - Fix PTK rekeying to generate a new ANonce
        - TDLS: Reject TPK-TK reconfiguration
        - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
        - WNM: Ignore WNM-Sleep Mode Response without pending
        - FT: Do not allow multiple Reassociation Response frames
        - TDLS: Ignore incoming TDLS Setup Response retries
    
     -- Yves-Alexis Perez <email address hidden>  Mon, 16 Oct 2017 10:28:41 +0200
  • wpa (2:2.4-1+deb9u2) stretch; urgency=high
    
      * SECURITY UPDATE:
        - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data
          (Closes: #905739)
    
     -- Andrej Shadura <email address hidden>  Thu, 09 Aug 2018 09:23:49 +0200
  • wpa (2:2.4-1+deb9u1) stretch-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
        CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
        CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
        - hostapd: Avoid key reinstallation in FT handshake
        - Prevent reinstallation of an already in-use group key
        - Extend protection of GTK/IGTK reinstallation of
        - Fix TK configuration to the driver in EAPOL-Key 3/4
        - Prevent installation of an all-zero TK
        - Fix PTK rekeying to generate a new ANonce
        - TDLS: Reject TPK-TK reconfiguration
        - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
        - WNM: Ignore WNM-Sleep Mode Response without pending
        - FT: Do not allow multiple Reassociation Response frames
        - TDLS: Ignore incoming TDLS Setup Response retries
    
     -- Yves-Alexis Perez <email address hidden>  Sat, 14 Oct 2017 14:18:32 +0200
  • wpa (2:2.4-1) unstable; urgency=medium
    
      [ Vincent Danjean ]
      * Build with libssl1.0-dev (Closes: #828601).
      * Add an upstream patch to fix hostapd in SMPS mode (Closes: #854719).
    
      [ Andrew Shadura ]
      * Don't install debian/system-sleep/wpasupplicant (originally introduced
        to fix LP: #1422143), it doesn't improve the state of the things,
        introduces regressions in some cases, and at all isn't supposed to
        work with how wpa-supplicant is started these days (Closes: #835648).
      * Bump the epoch to 2:, so that we can set the upstream version to
        what we really mean. It also has to be higher than 2.6 in unstable
        and 1:2.6 (what hostapd binary package in unstable has).
      * Drop the binary package epoch override.
    
     -- Andrew Shadura <email address hidden>  Mon, 20 Feb 2017 11:55:11 +0100
  • wpa (2.6-3) unstable; urgency=medium
    
      * Cherry-pick the following patches from the upstream:
        - WPS: Force BSSID for WPS provisioning step connection
        - Check for NULL qsort() base pointers
        - Always propagate scan results to all interfaces
        - wpa_supplicant: Restore permanent MAC address on reassociation
        - nl80211: Update channel information after channel switch notification
        - Extend ieee80211_freq_to_channel_ext() to cover channels 52-64
        - Use estimated throughput to avoid signal based roaming decision
        - Use random MAC address for scanning only in non-connected state
    
     -- Andrew Shadura <email address hidden>  Thu, 26 Jan 2017 17:53:41 +0100
  • wpa (2.6-2) unstable; urgency=medium
    
      * Upload to unstable.
      * Restore the patch descriptions.
      * Don't install debian/system-sleep/wpasupplicant (originally introduced
        to fix LP: #1422143), it doesn't improve the state of the things,
        introduces regressions in some cases, and at all isn't supposed to
        work with how wpa-supplicant is started these days.
    
     -- Andrew Shadura <email address hidden>  Tue, 20 Dec 2016 21:50:26 +0100
  • wpa (2.5-2+v2.4-3) unstable; urgency=medium
    
      [ Helmut Grohne ]
      * Address FTCBFS: Set PKG_CONFIG (Closes: #836074).
    
      [ Andrew Shadura ]
      * Don't run wpa_cli suspend/resume if /run/wpa_supplicant isn't around
        (Closes: #835648).
    
     -- Andrew Shadura <email address hidden>  Wed, 14 Sep 2016 11:11:01 +0200
  • wpa (2.5-2+v2.4-2) unstable; urgency=medium
    
      * Apply patches from upstream to unbreak dedicated P2P Device support
        (closes: #833402).
      * Reapply an accidentally lost patch to fix pkcs11 OpenSSL engine
        initialisation (Closes: #827253).
      * Retroactively redact the last changelog entry to represent the actual
        upload more accurately.
    
     -- Andrew Shadura <email address hidden>  Tue, 09 Aug 2016 20:11:27 +0200
  • wpa (2.5-2+v2.4-1) unstable; urgency=medium
    
      [ Ricardo Salveti de Araujo ]
      * debian/patches/dbus-fix-operations-for-p2p-mgmt.patch: fix operations
        when P2P management interface is used (LP: #1482439)
    
      [ Stefan Lippers-Hollmann ]
      * wpasupplicant: install systemd unit (Closes: #766746).
      * wpasupplicant: configure driver fallback for networkd.
      * import changelogs from the security queues.
      * move previous patch for CVE-2015-1863 into a new subdirectory,
        debian/patches/2015-1/.
      * replace the Debian specific patch "wpasupplicant: fix systemd unit
        dependencies" with a backport of its official upstream change "systemd:
        Order wpa_supplicant before network.target".
      * fix dependency ordering when invoked with DBus, by making sure that DBus
        isn't shut down before wpa_supplicant, as that would also bring down
        wireless links which are still holding open NFS shares. Thanks to Facundo
        Gaich <email address hidden> and Michael Biebl <email address hidden>
        (Closes: #785579).
      * import NMU changelogs and integrate NMU changes.
      * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore
        Bonaccorso <email address hidden> (Closes: #823411):
        - WPS: Reject a Credential with invalid passphrase
        - Reject psk parameter set with invalid passphrase character
        - Remove newlines from wpa_supplicant config network output
        - Reject SET_CRED commands with newline characters in the string values
        - Reject SET commands with newline characters in the string values
      * use --buildsystem=qmake_qt4 (available since dh 8.9.1) for debhelper
        (Closes: #823171).
      * fix clean target, by splitting the find call into individual searches.
      * building wpa in a current unstable chroot using debhelper >= 9.20151219
        will introduce automatic dbgsym packages, thereby indirectly providing
        the requested debug packages for stretch and upwards (Closes: #729934).
        Don't add a versioned build-dependency in order to avoid unnecessary
        complications with backports.
      * change Vcs-Browser location to prefer https, but keep the unsecure tag for
        Vcs-Svn, as there is no option allowing to pull from the svn+ssh:// 
        location without an alioth account, this only makes lintian partially happy
        in regards to vcs-field-uses-insecure-uri.
      * debian/*: fix spelling errors noticed by lintian.
      * drop the obsolete Debian menu entry for wpa_gui, according to the tech-ctte
        decision on #741573.
      * fix debian/get-orig-source for wpa 2.6~.
      * add debian/watch file for the custom tarball generation.
    
      [ Paul Donohue ]
      * debian/ifupdown/functions.sh: Fix handling for "wpa-roam". Call ifquery
        instead of directly parsing /run/*/ifstate files to work with current
        ifupdown. (Closes: #545766, LP: #1545363)
    
      [ Martin Pitt ]
      * Add debian/system-sleep/wpasupplicant: Call wpa_cli suspend/resume
        before/after suspend, like the pm-utils hook. In some cases this brings
        back missing Wifi connection after resuming. (LP: #1422143)
    
      [ Andrew Shadura ]
      * New upstream release (Closes: #806889).
      * Refresh patches, drop patches applied upstream.
      * Fix pkcs11 OpenSSL engine initialisation (Closes: #827253).
      * Update Vcs-* to point to Git.
    
     -- Andrew Shadura <email address hidden>  Fri, 05 Aug 2016 20:45:14 +0200
  • wpa (2.5-2) unstable; urgency=medium
    
      * Apply patches from upstream to unbreak dedicated P2P Device support
        (hopefully closes: #833402).
    
     -- Andrew Shadura <email address hidden>  Thu, 04 Aug 2016 11:17:37 +0300
  • wpa (2.5-1) unstable; urgency=medium
    
      [ Stefan Lippers-Hollmann ]
      * wpasupplicant: install systemd unit (Closes: #766746).
      * wpasupplicant: configure driver fallback for networkd.
      * import changelogs from the security queues.
      * move previous patch for CVE-2015-1863 into a new subdirectory,
        debian/patches/2015-1/.
      * fix dependency ordering when invoked with DBus, by making sure that DBus
        isn't shut down before wpa_supplicant, as that would also bring down
        wireless links which are still holding open NFS shares. Thanks to Facundo
        Gaich <email address hidden> and Michael Biebl <email address hidden>
        (Closes: #785579).
      * import NMU changelogs and integrate NMU changes.
      * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore
        Bonaccorso <email address hidden> (Closes: #823411):
        - WPS: Reject a Credential with invalid passphrase
        - Reject psk parameter set with invalid passphrase character
        - Remove newlines from wpa_supplicant config network output
        - Reject SET_CRED commands with newline characters in the string values
        - Reject SET commands with newline characters in the string values
      * use --buildsystem=qmake_qt4 (available since dh 8.9.1) for debhelper
        (Closes: #823171).
      * fix clean target, by splitting the find call into individual searches.
      * building wpa in a current unstable chroot using debhelper >= 9.20151219
        will introduce automatic dbgsym packages, thereby indirectly providing
        the requested debug packages for stretch and upwards (Closes: #729934).
        Don't add a versioned build-dependency in order to avoid unnecessary
        complications with backports.
      * change Vcs-Browser location to prefer https
      * debian/*: fix spelling errors noticed by lintian.
      * drop the obsolete Debian menu entry for wpa_gui, according to the tech-ctte
        decision on #741573.
      * fix debian/get-orig-source for wpa 2.6~.
      * add debian/watch file for the custom tarball generation.
    
      [ Paul Donohue ]
      * debian/ifupdown/functions.sh: Fix handling for "wpa-roam". Call ifquery
        instead of directly parsing /run/*/ifstate files to work with current
        ifupdown. (Closes: #545766, LP: #1545363)
    
      [ Martin Pitt ]
      * Add debian/system-sleep/wpasupplicant: Call wpa_cli suspend/resume
        before/after suspend, like the pm-utils hook. In some cases this brings
        back missing Wifi connection after resuming. (LP: #1422143)
    
      [ Andrew Shadura ]
      * New upstream release (Closes: #806889).
      * Refresh patches, drop patches applied upstream.
      * Fix pkcs11 OpenSSL engine initialisation (Closes: #827253).
      * Update Vcs-* to point to Git.
    
     -- Andrew Shadura <email address hidden>  Sun, 31 Jul 2016 18:05:59 +0300
  • wpa (2.3-2.4) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to
        Salvatore Bonaccorso <email address hidden> (Closes: #823411):
        - WPS: Reject a Credential with invalid passphrase
        - Reject psk parameter set with invalid passphrase character
        - Remove newlines from wpa_supplicant config network output
        - Reject SET_CRED commands with newline characters in the string values
        - Reject SET commands with newline characters in the string values
      * Refresh patches to apply cleanly.
    
     -- Andrew Shadura <email address hidden>  Thu, 21 Jul 2016 09:01:51 +0200
  • wpa (2.3-2.3) unstable; urgency=high
    
      * Non-maintainer upload.
      * Add patch to address CVE-2015-5310.
        CVE-2015-5310: wpa_supplicant unauthorized WNM Sleep Mode GTK control.
        (Closes: #804707)
      * Add patches to address CVE-2015-5314 and CVE-2015-5315.
        CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
        CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
        validation. (Closes: #804708)
      * Add patch to address CVE-2015-5316.
        CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
        message. (Closes: #804710)
    
     -- Salvatore Bonaccorso <email address hidden>  Thu, 12 Nov 2015 20:54:12 +0100
  • wpa (2.3-2.2) unstable; urgency=high
    
      * Non-maintainer upload.
      * Add patch to address CVE-2015-4141.
        CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer
        encoding. (Closes: #787372)
      * Add patch to address CVE-2015-4142.
        CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing.
        (Closes: #787373)
      * Add patches to address CVE-2015-414{3,4,5,6}
        CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146: EAP-pwd missing
        payload length validation. (Closes: #787371)
      * Add patch to address 2015-5 vulnerability.
        NFC: Fix payload length validation in NDEF record parser (Closes: #795740)
      * Thanks to Julian Wollrath <email address hidden> for the initial debdiff
        provided in #787371.
    
     -- Salvatore Bonaccorso <email address hidden>  Sat, 31 Oct 2015 14:13:50 +0100
  • wpa (2.3-2.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Import four patches from upstream git (wpasupplicant_band_selection_*.patch),
        manually unfuzzed, to improve 2.4/5 GHz band selection. (Closes: #795722)
    
     -- Steinar H. Gunderson <email address hidden>  Sun, 30 Aug 2015 14:47:56 +0200
  • wpa (2.3-2) unstable; urgency=high
    
    
      * remove Kel Modderman from Uploaders as per his request, many thanks for
        all past efforts Kel.
      * fix systemd unit dependencies for wpasupplicant, it needs to be started
        before the network target (Closes: 780552), many thanks to Michael Biebl
        <email address hidden> for reporting and suggesting the patch.
      * hostapd: avoid segfault with driver=wired, by merging upstream commit
        e9b783d58c23a7bb50b2f25bce7157f1f3b5d58b "Fix hostapd operation without
        hw_mode driver data."
      * import "P2P: Validate SSID element length before copying it
        (CVE-2015-1863)" from upstream (Closes: #783148).
    
     -- Stefan Lippers-Hollmann <email address hidden>  Thu, 23 Apr 2015 05:02:21 +0200
  • wpa (2.3-1+deb8u4) jessie; urgency=medium
    
      * Non-maintainer upload.
      * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to
        Salvatore Bonaccorso <email address hidden> (Closes: #823411):
        - WPS: Reject a Credential with invalid passphrase
        - Reject psk parameter set with invalid passphrase character
        - Remove newlines from wpa_supplicant config network output
        - Reject SET_CRED commands with newline characters in the string values
        - Reject SET commands with newline characters in the string values
      * Refresh patches to apply cleanly.
    
     -- Andrew Shadura <email address hidden>  Thu, 21 Jul 2016 09:01:51 +0200
  • wpa (2.3-1+deb8u3) jessie-security; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Add CVE-2015-5314.patch patch.
        CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
      * Add CVE-2015-5315.patch patch.
        CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
        validation.
      * Add CVE-2015-5316.patch patch.
        CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
        message.
    
     -- Salvatore Bonaccorso <email address hidden>  Sat, 07 Nov 2015 16:05:23 +0100
  • wpa (2.3-1+deb8u1) jessie-security; urgency=high
    
      * import "P2P: Validate SSID element length before copying it
        (CVE-2015-1863)" from upstream (Closes: #783148).
    
     -- Stefan Lippers-Hollmann <email address hidden>  Thu, 23 Apr 2015 19:32:29 +0200
  • wpa (2.3-1) unstable; urgency=medium
    
    
      * New upstream release:
        - fixed by the new upstream version:
          + wpa: arbitrary command execution via action scripts (Closes: #765352).
            wpasupplicant: fixed wpa_cli action script execution to use more
            robust mechanism (CVE-2014-3686).
            hostapd: fixed hostapd_cli action script execution to use more robust
            mechanism (CVE-2014-3686).
          + wpasupplicant: MAC addressing changing broken after updating to 2.2-1
            (Closes: #763775).
          + drop ap_config_c_fix-typo-for-capabilities, applied upstream.
        - backport "Include ieee802_11_common.c in wpa_supplicant build
          unconditionally" from HEAD, to fix a newly introduced FTBS on, at least,
          kfreebsd.
      * bump standards version to 3.9.6, no changes necessary.
    
     -- Stefan Lippers-Hollmann <email address hidden>  Tue, 14 Oct 2014 21:29:37 +0200
  • wpa (2.2-1) unstable; urgency=medium
    
    
      * New upstream release:
        - import suggested changes from Gerald Turner <email address hidden> (see
          #718651 for details).
          + disable ACS for hostapd on kfreebsd-any (FTBS).
        - fixed by the new upstream version:
          + wpa_supplicant: OpenSSL: tls_connection_handshake - Failed to read
          (Closes: #561081).
          + wpasupplicant: new upstream release 2.2 (Closes: #718651).
          + wpasupplicant: -s option not documented in man page (Closes: #608135).
        - refresh patches:
          + drop 13_human_readable_signal.patch, applied upstream.
          + drop hostapd_fix-WDS-VLAN-bridge-handling.patch, applied upstream.
          + drop fix-spelling-s-algorith-algorithm.patch, applied upstream.
        - adapt build configs for hostapd/ wpa_supplicant 2.2:
          + sync with updated upstream defconfigs.
          + keep Hotspot 2.0 support disabled for the time being.
          + hostapd: keep sqlite3 support disabled for the time being.
        - update debian/copyright manually, the wpa v2 branch was relicensed from
          (BSD-3-clause || GPL-2) to BSD-3-clause only (for the most part). This
          doesn't change the licensing state as the BSD-3-clause license is 
          compatible with GPL-2.
      * drop pre-wheezy /lib/init/rw/sendsigs.omit.d/ migration support, invert the
        versioned initscripts dependency to a versioned breaks relation.
      * migrate from /var/run/ to /run/.
      * adapt get-orig-source for wpa 2.2.
      * drop version qualifiers for libnl3 build dependencies, as they're
        fulfilled by wheezy.
      * drop version qualifiers for the lsb-base build dependency, as they're
        fulfilled by squeeze.
      * shorten short description for hostapd.
      * sort debian/control entries.
      * make lintian happy (invalid-short-name-in-dep5-copyright bsd) and call it
        BSD-3-clause.
      * enable DEBUG_SYSLOG and set DEBUG_SYSLOG_FACILITY=LOG_DAEMON, as requested
        by Cyril Brulebois <email address hidden> to improve logging options for d-i and
        netcfg (Closes: #761922).
      * fix various typos around "existence", thanks to A. Costa <email address hidden>,
        (Closes: #683636).
      * ap_config.c: fix typo for "capabilities".
      * remove no longer required lintian override (spelling-error-in-binary for
        the).
    
     -- Stefan Lippers-Hollmann <email address hidden>  Wed, 17 Sep 2014 04:52:36 +0200
  • wpa (1.1-1) unstable; urgency=medium
    
    
      * New upstream release:
        - drop 11_wpa_gui_ftbfs_gcc_4_7, applied upstream.
        - drop EAP-TLS-server_fix-TLS-Message-length-validation, applied upstream.
        - fixes:
          - EAP access point constantly roaming with proactive key caching
            (Closes: #711063).
      * enable IBSS RSN, thanks to Nicolas Cavallari <email address hidden>
        (Closes: #678147).
      * enable simple AP support for wpasupplicant, thanks to Patrik Flykt
        <email address hidden> (Closes: #690536).
      * use the readline6, wpa_cli doesn't link to openssl.
      * link with --as-needed.
      * compress binaries with xz.
      * debian/get-orig-source: switch to xz compressed upstream tarballs.
      * debian/get-orig-source: adapt for the post 1.x upstream branch.
      * debian/get-orig-source: support named snapshots, see debian/README.source
        for detailed syntax and semantics.
      * debian/README.source: explain fetching git snapshots by specifying their
        git hash.
      * debian/README.source: update to match current reality and apply grammar
        fixes.
      * debian/README.source: drop trailing whitespace.
      * fix hardening flags, thanks a lot to Florent Daigniere
        <email address hidden> (Closes: #725865).
      * debian/control: fold dependencies.
      * bump standards version to 3.9.5, no changes necessary.
      * reflect reality and adapt the maintainer mail address not to claim
        representing Ubuntu.
      * drop wheezy-specific comments in the configuration files.
      * glob 'wpa-password' as well and hide its debugging output, this hopefully
        closes: #728092.
      * enable EAP-FAST, openssl in Debian is now new enough (Closes: #685685).
      * update to new alioth URIs (vcs-field-not-canonical).
      * add Keywords entry for desktop files (desktop-entry-lacks-keywords-entry).
      * functions.sh: s/particuarly/particularly/, thanks to Vincent Lefevre
        <email address hidden> (Closes: #734422).
      * fix FTBS using gcc-4.8 by linking with -ldl on kfreebsd-any; the udeb
        packages don't provide EAP support and are therefore unaffected. This is
        already accounted for by the upstream Makefile, however wrongly depending
        on !CONFIG_DRIVER_BSD, while it is actually depending on the target libc
        rather than the kernel (Closes: #737465). Thanks to Cyril Brulebois
        <email address hidden> and Steven Chamberlain <email address hidden>.
      * import "hostapd: Fix WDS VLAN bridge handling" by Felix Fietkau
        <email address hidden> from upstream, thanks to Mark Hindley
        <email address hidden> (Closes: #737109).
      * drop build-conflicts with libqt3-dev as the package is no longer available
        >= lenny, thanks to Michael Biebl <email address hidden>.
      * drop pre-dependency on dpkg (>= 1.15.6~), data.tar.xz-member-without-dpkg-
        pre-depends is no longer a problem after Ubuntu lucid is EOL. Thanks to
        Michael Biebl for noticing.
      * drop build-dependency on libdbus-glib-1-dev, it is no longer required for
        dbus-binding-tool, thanks to Michael Biebl.
      * allow parallel building.
      * fix spelling s/algorith/algorithm/.
      * add lintian overrides for false positive spelling complaints.
    
     -- Stefan Lippers-Hollmann <email address hidden>  Fri, 21 Feb 2014 01:07:28 +0100
  • wpa (1.0-3.1) unstable; urgency=low
    
    
      * Non-Maintainer Upload
      * enable IBSS RSN, thanks to Nicolas Cavallari <email address hidden>
        (Closes: #678147).
    
     -- Daniel Kahn Gillmor <email address hidden>  Thu, 05 Dec 2013 13:56:15 -0500
  • wpa (1.0-3+deb7u1) wheezy-security; urgency=high
    
    
      * Apply upstream patches for CVE-2014-3686 (Closes: #765352):
        - add os_exec() helper to run external programs
        - wpa_cli: Use os_exec() for action script execution
        - hostapd_cli: Use os_exec() for action script execution
    
     -- Stefan Lippers-Hollmann <email address hidden>  Wed, 15 Oct 2014 23:32:54 +0200
  • wpa (1.0-3) unstable; urgency=high
    
    
      * ship forgotten README-P2P.
      * revert to GNU readline for wpa_cli, instead of using the internal readline
        implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
        is GPL-2 (only) - switching back to the internal readline implementation is
        targeted for wheezy+1 (Closes: #677993, #678077).
      * Fix DoS via specially crafted EAP-TLS messages with longer message
        length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
    
     -- Stefan Lippers-Hollmann <email address hidden>  Mon, 08 Oct 2012 17:48:04 +0200
  • wpa (1.0-2) unstable; urgency=low
    
    
      * Really enable hardened build flags, thanks Simon Ruderich
        <email address hidden>. (Closes: #657332)
      * Do not suppress compilation output, set V=1.
    
     -- Kel Modderman <email address hidden>  Mon, 14 May 2012 06:39:13 +1000
  • wpa (1.0-1) unstable; urgency=low
    
    
      [ Stefan Lippers-Hollmann ]
      * New upstream release, no code changes since 1.0~rc3.
      * upload to unstable, to fix FTBS with gcc-4.7.
      * update debian/README.source.
    
      [ Kel Modderman ]
      * No longer explicitly add --as-needed to LDFLAGS, it is no longer
        required since wpa_cli stopped linking to libreadline (WPA_CLI_EDIT=y).
    
     -- Kel Modderman <email address hidden>  Fri, 11 May 2012 13:58:51 +1000