Package Release Info


Update Info: Base Release
Available in Package Hub : 15 SP3





Change Logs

Version: 2.10-bp153.3.3.1
* Fri Mar 11 2022 Clemens Famulla-Conrad <>
- Adjust config
  * Enable SAE
  * Enable DPP
  * Enable wired driver
  * Enable Airtime policy support
  * Enable Fast Initial Link Setup (FILS) (IEEE 802.11ai)
* Mon Jan 17 2022 Michael Ströder <>
- Removed obsolete patches:
  * CVE-2019-16275.patch
  * CVE-2020-12695.patch
  * CVE-2021-30004.patch
- Update to version 2.10
  * SAE changes
  - improved protection against side channel attacks
  - added option send SAE Confirm immediately (sae_config_immediate=1)
    after SAE Commit
  - added support for the hash-to-element mechanism (sae_pwe=1 or
  - fixed PMKSA caching with OKC
  - added support for SAE-PK
  * EAP-pwd changes
  - improved protection against side channel attacks
  * fixed WPS UPnP SUBSCRIBE handling of invalid operations
  * fixed PMF disconnection protection bypass
  * added support for using OpenSSL 3.0
  * fixed various issues in experimental support for EAP-TEAP server
  * added configuration (max_auth_rounds, max_auth_rounds_short) to
    increase the maximum number of EAP message exchanges (mainly to
    support cases with very large certificates) for the EAP server
  * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
  * extended HE (IEEE 802.11ax) support, including 6 GHz support
  * removed obsolete IAPP functionality
  * fixed EAP-FAST server with TLS GCM/CCM ciphers
  * dropped support for libnl 1.1
  * added support for nl80211 control port for EAPOL frame TX/RX
  * fixed OWE key derivation with groups 20 and 21; this breaks backwards
    compatibility for these groups while the default group 19 remains
    backwards compatible; owe_ptk_workaround=1 can be used to enabled a
    a workaround for the group 20/21 backwards compatibility
  * added support for Beacon protection
  * added support for Extended Key ID for pairwise keys
  * removed WEP support from the default build (CONFIG_WEP=y can be used
    to enable it, if really needed)
  * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
  * added support for Transition Disable mechanism to allow the AP to
    automatically disable transition mode to improve security
  * added support for PASN
  * added EAP-TLS server support for TLS 1.3 (disabled by default for now)
  * a large number of other fixes, cleanup, and extensions
* Fri Nov 26 2021 Clemens Famulla-Conrad <>
- Fix AppArmor profile -- allow access to /etc/ssl/openssl.cnf
* Fri Oct 15 2021 Johannes Segitz <>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
  * hostapd.service
* Wed Jul 14 2021 Michael Ströder <>
- fixed AppArmor profile
Version: 2.6-bp150.2.4
* Wed Oct 18 2017
- Fix KRACK attacks (bsc#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
  * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
  * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
  * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
  * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
  * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
  * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
  * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
  * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
* Sun Oct 02 2016
- update to upstream release 2.6
  * fixed EAP-pwd last fragment validation
    [] (CVE-2015-5314)
  * fixed WPS configuration update vulnerability with malformed passphrase
    [] (CVE-2016-4476)
  * extended channel switch support for VHT bandwidth changes
  * added support for configuring new ANQP-elements with
    anqp_elem=<InfoID>:<hexdump of payload>
  * fixed Suite B 192-bit AKM to use proper PMK length
    (note: this makes old releases incompatible with the fixed behavior)
  * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response
    frame sending for not-associated STAs if max_num_sta limit has been
  * added option (-S as command line argument) to request all interfaces
    to be started at the same time
  * modified rts_threshold and fragm_threshold configuration parameters
    to allow -1 to be used to disable RTS/fragmentation
  * EAP-pwd: added support for Brainpool Elliptic Curves
    (with OpenSSL 1.0.2 and newer)
  * fixed EAPOL reauthentication after FT protocol run
  * fixed FTIE generation for 4-way handshake after FT protocol run
  * fixed and improved various FST operations
  * TLS server
  - support SHA384 and SHA512 hashes
  - support TLS v1.2 signature algorithm with SHA384 and SHA512
  - support PKCS #5 v2.0 PBES2
  - support PKCS #5 with PKCS #12 style key decryption
  - minimal support for PKCS #12
  - support OCSP stapling (including ocsp_multi)
  * added support for OpenSSL 1.1 API changes
  - drop support for OpenSSL 0.9.8
  - drop support for OpenSSL 1.0.0
  * EAP-PEAP: support fast-connect crypto binding
  - fix Called-Station-Id to not escape SSID
  - add Event-Timestamp to all Accounting-Request packets
  - add Acct-Session-Id to Accounting-On/Off
  - add Acct-Multi-Session-Id  ton Access-Request packets
  - add Service-Type (= Frames)
  - allow server to provide PSK instead of passphrase for WPA-PSK
    Tunnel_password case
  - update full message for interim accounting updates
  - add Acct-Delay-Time into Accounting messages
  - add require_message_authenticator configuration option to require
    CoA/Disconnect-Request packets to be authenticated
  * started to postpone WNM-Notification frame sending by 100 ms so that
    the STA has some more time to configure the key before this frame is
    received after the 4-way handshake
  * VHT: added interoperability workaround for 80+80 and 160 MHz channels
  * extended VLAN support (per-STA vif, etc.)
  * fixed PMKID derivation with SAE
  * nl80211
  - added support for full station state operations
  - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
    unencrypted EAPOL frames
  * added initial MBO support; number of extensions to WNM BSS Transition
  * added initial functionality for location related operations
  * added assocresp_elements parameter to allow vendor specific elements
    to be added into (Re)Association Response frames
  * improved Public Action frame addressing
  - use Address 3 = wildcard BSSID in GAS response if a query from an
    unassociated STA used that address
  - fix TX status processing for Address 3 = wildcard BSSID
  - add gas_address3 configuration parameter to control Address 3
  * added command line parameter -i to override interface parameter in
  * added command completion support to hostapd_cli
  * added passive client taxonomy determination (CONFIG_TAXONOMY=y
    compile option and "SIGNATURE <addr>" control interface command)
  * number of small fixes
- renamed hostapd-2.5-defconfig.patch to hostapd-2.6-defconfig.patch
* Sun Oct 18 2015
- update to upstream release 2.5
- removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
  (CVE-2015-1863) because it's fixed in upstream release 2.5
- rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch
  ChangeLog for hostapd since 2.4:
  2015-09-27 - v2.5
  * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
  [] (CVE-2015-4141 bsc#930077)
  * fixed WMM Action frame parser
  [] (CVE-2015-4142 bsc#930078)
  * fixed EAP-pwd server missing payload length validation
  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, bsc#930079)
  * fixed validation of WPS and P2P NFC NDEF record payload length
  * nl80211:
  - fixed vendor command handling to check OUI properly
  * fixed hlr_auc_gw build with OpenSSL
  * hlr_auc_gw: allow Milenage RES length to be reduced
  * disable HT for a station that does not support WMM/QoS
  * added support for hashed password (NtHash) in EAP-pwd server
  * fixed and extended dynamic VLAN cases
  * added EAP-EKE server support for deriving Session-Id
  * set Acct-Session-Id to a random value to make it more likely to be
  unique even if the device does not have a proper clock
  * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
  * modified SAE routines to be more robust and PWE generation to be
  stronger against timing attacks
  * added support for Brainpool Elliptic Curves with SAE
  * increases maximum value accepted for cwmin/cwmax
  * added support for CCMP-256 and GCMP-256 as group ciphers with FT
  * added Fast Session Transfer (FST) module
  * removed optional fields from RSNE when using FT with PMF
  (workaround for interoperability issues with iOS 8.4)
  * added EAP server support for TLS session resumption
  * fixed key derivation for Suite B 192-bit AKM (this breaks
  compatibility with the earlier version)
  * added mechanism to track unconnected stations and do minimal band
  * number of small fixes
* Thu Apr 23 2015
- update version 2.4
- added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
  for CVE-2015-1863
- updated URLs
- require pkg-config and libnl3-devel during build
- replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch
  ChangeLog for hostapd since 2.3:
  2015-03-15 - v2.4
  * allow OpenSSL cipher configuration to be set for internal EAP server
    (openssl_ciphers parameter)
  * fixed number of small issues based on hwsim test case failures and
    static analyzer reports
  * fixed Accounting-Request to not include duplicated Acct-Session-Id
  * add support for Acct-Multi-Session-Id in RADIUS Accounting messages
  * add support for PMKSA caching with SAE
  * add support for generating BSS Load element (bss_load_update_period)
  * fixed channel switch from VHT to HT
  * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
  * add support for learning STA IPv4/IPv6 addresses and configuring
    ProxyARP support
  * dropped support for the madwifi driver interface
  * add support for Suite B (128-bit and 192-bit level) key management and
    cipher suites
  * fixed a regression with driver=wired
  * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
  * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
    Request frames and BSS-TM-RESP event to indicate response to such
  * add support for EAP Re-Authentication Protocol (ERP)
  * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
  * fixed a regression in HT 20/40 coex Action frame parsing
  * set stdout to be line-buffered
  * add support for vendor specific VHT extension to enable 256 QAM rates
    (VHT-MCS 8 and 9) on 2.4 GHz band
  - extend Disconnect-Request processing to allow matching of multiple
  - support Acct-Multi-Session-Id as an identifier
  - allow PMKSA cache entry to be removed without association
  * expire hostapd STA entry if kernel does not have a matching entry
  * allow chanlist to be used to specify a subset of channels for ACS
  * improve ACS behavior on 2.4 GHz band and allow channel bias to be
    configured with acs_chan_bias parameter
  * do not reply to a Probe Request frame that includes DSS Parameter Set
    element in which the channel does not match the current operating
  * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
    frame contents to be updated and to start beaconing on an interface
    that used start_disabled=1
  * fixed some RADIUS server failover cases
* Mon Jan 05 2015
- update version 2.3
- removed patch hostapd-2.1-be-host_to_le.patch because it
  seems obsolete
- hostapd-2.1-defconfig.patch rediffed and renamed to hostapd-2.3-defconfig.patch
  ChangeLog for hostapd since 2.1:
  2014-10-09 - v2.3
  * fixed number of minor issues identified in static analyzer warnings
  * fixed DFS and channel switch operation for multi-BSS cases
  * started to use constant time comparison for various password and hash
  values to reduce possibility of any externally measurable timing
  * extended explicit clearing of freed memory and expired keys to avoid
  keeping private data in memory longer than necessary
  * added support for number of new RADIUS attributes from RFC 7268
  (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,
  WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
  * fixed GET_CONFIG wpa_pairwise_cipher value
  * added code to clear bridge FDB entry on station disconnection
  * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
  * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop
  in case the first entry does not match
  * fixed hostapd_cli action script execution to use more robust mechanism
  2014-06-04 - v2.2
  * fixed SAE confirm-before-commit validation to avoid a potential
  segmentation fault in an unexpected message sequence that could be
  triggered remotely
  * extended VHT support
  - Operating Mode Notification
  - Power Constraint element (local_pwr_constraint)
  - Spectrum management capability (spectrum_mgmt_required=1)
  - fix VHT80 segment picking in ACS
  - fix vht_capab 'Maximum A-MPDU Length Exponent' handling
  - fix VHT20
  * fixed HT40 co-ex scan for some pri/sec channel switches
  * extended HT40 co-ex support to allow dynamic channel width changes
  during the lifetime of the BSS
  * fixed HT40 co-ex support to check for overlapping 20 MHz BSS
  * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
  this fixes password with include UTF-8 characters that use
  three-byte encoding EAP methods that use NtPasswordHash
  * reverted TLS certificate validation step change in v2.1 that rejected
  any AAA server certificate with id-kp-clientAuth even if
  id-kp-serverAuth EKU was included
  * fixed STA validation step for WPS ER commands to prevent a potential
  crash if an ER sends an unexpected PutWLANResponse to a station that
  is disassociated, but not fully removed
  * enforce full EAP authentication after RADIUS Disconnect-Request by
  removing the PMKSA cache entry
  * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
  in RADIUS Disconnect-Request
  * added mechanism for removing addresses for MAC ACLs by prefixing an
  entry with "-"
  * Interworking/Hotspot 2.0 enhancements
  - support Hotspot 2.0 Release 2
  * OSEN network for online signup connection
  * subscription remediation (based on RADIUS server request or
  control interface HS20_WNM_NOTIF for testing purposes)
  * Hotspot 2.0 release number indication in WFA RADIUS VSA
  * deauthentication request (based on RADIUS server request or
  control interface WNM_DEAUTH_REQ for testing purposes)
  * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
  * hs20_icon config parameter to configure icon files for OSU
  * osu_* config parameters for OSU Providers list
  - do not use Interworking filtering rules on Probe Request if
  Interworking is disabled to avoid interop issues
  * added/fixed nl80211 functionality
  - AP interface teardown optimization
  - support vendor specific driver command
  (VENDOR <vendor id> <sub command id> [<hex formatted data>])
  * fixed PMF protection of Deauthentication frame when this is triggered
  by session timeout
  * internal TLS implementation enhancements/fixes
  - add SHA256-based cipher suites
  - add DHE-RSA cipher suites
  - fix X.509 validation of PKCS#1 signature to check for extra data
  * RADIUS server functionality
  - add minimal RADIUS accounting server support (hostapd-as-server);
  this is mainly to enable testing coverage with hwsim scripts
  - allow authentication log to be written into SQLite databse
  - added option for TLS protocol testing of an EAP peer by simulating
  various misbehaviors/known attacks
  - MAC ACL support for testing purposes
  * fixed PTK derivation for CCMP-256 and GCMP-256
  * extended WPS per-station PSK to support ER case
  * added option to configure the management group cipher
  (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
  * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
  were rounded incorrectly)
  * added support for postponing FT response in case PMK-R1 needs to be
  pulled from R0KH
  * added option to advertise 40 MHz intolerant HT capability with
  * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
  whenever CONFIG_WPS=y is set
  * EAP-pwd fixes
  - fix possible segmentation fault on EAP method deinit if an invalid
  group is negotiated
  * fixed RADIUS client retransmit/failover behavior
  - there was a potential ctash due to freed memory being accessed
  - failover to a backup server mechanism did not work properly
  * fixed a possible crash on double DISABLE command when multiple BSSes
  are enabled
  * fixed a memory leak in SAE random number generation
  * fixed GTK rekeying when the station uses FT protocol
  * fixed off-by-one bounds checking in printf_encode()
  - this could result in deinial of service in some EAP server cases
  * various bug fixes
* Tue May 27 2014
- Update hostapd-2.1-defconfig.patch and spec file
  to build with libnl3 instead of libnl1
* Wed Apr 16 2014
- update version 2.1
  * see for details.
- change hostapd.diff to hostapd-2.1-defconfig.patch
- remove patch: hostapd-tmp.diff, no longer needed.
* Wed Oct 02 2013
- fix host_to_le32 undefined on BigEndian architectures
* Thu Apr 18 2013
- Do not package /etc/init.d
- Do not install init file since package contains a service file and
  is only build for Factory
- Cleanup spec file
- Use /run instead of /var/run
* Wed Apr 17 2013
- license update: GPL-2.0 or BSD-3-Clause
  README makes it clear that this is a dual license - i.e. choice of either
* Tue Apr 09 2013
- update to version 2.0
- fix corrected file name hostapd.dif to hostapd.diff
- in default config includes all features (IEEE 802.11w, Hotspot 2.0, IEEE 802.11ac, WPS, etc.)
* Tue Nov 06 2012
- Add Native systemd units
* Tue May 15 2012
- update to version 1.0
- respin hostapd.dif to fit the new defconfig
- change the file permission of the config files with passwords
  to 600 (bnc#740964)
* Wed Oct 12 2011
- update to version 0.7.3
- don't use /tmp for dump file in default config
- verbose build
- fix build for older distros
- enable driver 'none' for radius only mode
- add init script
* Fri Sep 30 2011
- cross-build fix: use %__cc macro
* Fri Sep 16 2011
- Select libnl-1_1-devel
* Sun Oct 31 2010
- Use %_smp_mflags
* Wed Jun 09 2010
- udpated to release 0.6.10
- updated hostapd.dif
- git-commit-eb1f744.diff:
  * Move DTIM period configuration into Beacon set operation; fixes
    "Could not set DTIM period for kernel driver; wlan0: Unable to
    setup interface.rmdir[ctrl_interface]: No such file or
    directory" error when using "nl80211" driver
* Tue Sep 23 2008
- drop buildreq for madwifi (dropped package)
* Mon Sep 22 2008
- updae to version 0.5.10, changes:
  * fixed EAP-SIM and EAP-AKA message parser to validate attribute
    lengths properly to avoid potential crash caused by invalid messages
  * fixed Reassociation Response callback processing when using internal
    MLME (driver_{hostap,devicescape,test}.c)
  * fixed EAP-SIM/AKA realm processing to allow decorated usernames to
    be used
  * added a workaround for EAP-SIM/AKA peers that include incorrect null
    termination in the username
  * fixed EAP-SIM Start response processing for fast reauthentication
  * copy optional Proxy-State attributes into RADIUS response when acting
    as a RADIUS authentication server
- update to version 0.5.9, changes:
  * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
    draft (draft-ietf-emu-eap-gpsk-07.txt)
  * fixed debugging code not to use potentially unaligned read to fetch
    IPv4 addresses
Version: 2.6-bp150.3.3.1
* Fri Oct 19 2018 Karol Babioch <>
- Added rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
  Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).
Version: 2.9-bp150.15.1
* Thu Sep 05 2019 Michael Ströder <>
- Update to version 2.9
  * SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
  * EAP-pwd changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
  * fixed FT-EAP initial mobility domain association using PMKSA caching
  * added configuration of airtime policy
  * fixed FILS to and RSNE into (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * added support for regulatory WMM limitation (for ETSI)
  * added support for MACsec Key Agreement using IEEE 802.1X/PSK
  * added experimental support for EAP-TEAP server (RFC 7170)
  * added experimental support for EAP-TLS server with TLS v1.3
  * added support for two server certificates/keys (RSA/ECC)
  * added AKMSuiteSelector into "STA <addr>" control interface data to
    determine with AKM was used for an association
  * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
    fast reauthentication use to be disabled
  * fixed an ECDH operation corner case with OpenSSL
* Wed Apr 24 2019 Michael Ströder <>
- Update to version 2.8
  * SAE changes
  - added support for SAE Password Identifier
  - changed default configuration to enable only group 19
    (i.e., disable groups 20, 21, 25, 26 from default configuration) and
    disable all unsuitable groups completely based on REVmd changes
  - improved anti-clogging token mechanism and SAE authentication
    frame processing during heavy CPU load; this mitigates some issues
    with potential DoS attacks trying to flood an AP with large number
    of SAE messages
  - added Finite Cyclic Group field in status code 77 responses
  - reject use of unsuitable groups based on new implementation guidance
    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
    groups with prime >= 256)
  - minimize timing and memory use differences in PWE derivation
    [] (CVE-2019-9494)
  - fixed confirm message validation in error cases
    [] (CVE-2019-9496)
  * EAP-pwd changes
  - minimize timing and memory use differences in PWE derivation
    [] (CVE-2019-9495)
  - verify peer scalar/element
    [] (CVE-2019-9497 and CVE-2019-9498)
  - fix message reassembly issue with unexpected fragment
  - enforce rand,mask generation rules more strictly
  - fix a memory leak in PWE derivation
  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
  * Hotspot 2.0 changes
  - added support for release number 3
  - reject release 2 or newer association without PMF
  * added support for RSN operating channel validation
    (CONFIG_OCV=y and configuration parameter ocv=1)
  * added Multi-AP protocol support
  * added FTM responder configuration
  * fixed build with LibreSSL
  * added FT/RRB workaround for short Ethernet frame padding
  * fixed KEK2 derivation for FILS+FT
  * added RSSI-based association rejection from OCE
  * extended beacon reporting functionality
  * VLAN changes
  - allow local VLAN management with remote RADIUS authentication
  - add WPA/WPA2 passphrase/PSK -based VLAN assignment
  * OpenSSL: allow systemwide policies to be overridden
  * extended PEAP to derive EMSK to enable use with ERP/FILS
  * extended WPS to allow SAE configuration to be added automatically
    for PSK (wps_cred_add_sae=1)
  * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
  * OWE: allow Diffie-Hellman Parameter element to be included with DPP
    in preparation for DPP protocol extension
  * RADIUS server: started to accept ERP keyName-NAI as user identity
    automatically without matching EAP database entry
  * fixed PTK rekeying with FILS and FT
  * SAE changes
  - added support for SAE Password Identifier
  - changed default configuration to enable only groups 19, 20, 21
    (i.e., disable groups 25 and 26) and disable all unsuitable groups
    completely based on REVmd changes
  - do not regenerate PWE unnecessarily when the AP uses the
    anti-clogging token mechanisms
  - fixed some association cases where both SAE and FT-SAE were enabled
    on both the station and the selected AP
  - started to prefer FT-SAE over SAE AKM if both are enabled
  - started to prefer FT-SAE over FT-PSK if both are enabled
  - fixed FT-SAE when SAE PMKSA caching is used
  - reject use of unsuitable groups based on new implementation guidance
    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
    groups with prime >= 256)
  - minimize timing and memory use differences in PWE derivation
    [] (CVE-2019-9494)
  * EAP-pwd changes
  - minimize timing and memory use differences in PWE derivation
    [] (CVE-2019-9495)
  - verify server scalar/element
    [] (CVE-2019-9499)
  - fix message reassembly issue with unexpected fragment
  - enforce rand,mask generation rules more strictly
  - fix a memory leak in PWE derivation
  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
  * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
  * Hotspot 2.0 changes
  - do not indicate release number that is higher than the one
    AP supports
  - added support for release number 3
  - enable PMF automatically for network profiles created from
  * fixed OWE network profile saving
  * fixed DPP network profile saving
  * added support for RSN operating channel validation
    (CONFIG_OCV=y and network profile parameter ocv=1)
  * added Multi-AP backhaul STA support
  * fixed build with LibreSSL
  * number of MKA/MACsec fixes and extensions
  * extended domain_match and domain_suffix_match to allow list of values
  * fixed dNSName matching in domain_match and domain_suffix_match when
    using wolfSSL
  * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
    are enabled
  * extended nl80211 Connect and external authentication to support
  * fixed KEK2 derivation for FILS+FT
  * extended client_cert file to allow loading of a chain of PEM
    encoded certificates
  * extended beacon reporting functionality
  * extended D-Bus interface with number of new properties
  * fixed a regression in FT-over-DS with mac80211-based drivers
  * OpenSSL: allow systemwide policies to be overridden
  * extended driver flags indication for separate 802.1X and PSK
    4-way handshake offload capability
  * added support for random P2P Device/Interface Address use
  * extended PEAP to derive EMSK to enable use with ERP/FILS
  * extended WPS to allow SAE configuration to be added automatically
    for PSK (wps_cred_add_sae=1)
  * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
  * extended domain_match and domain_suffix_match to allow list of values
  * added a RSN workaround for misbehaving PMF APs that advertise
    IGTK/BIP KeyID using incorrect byte order
  * fixed PTK rekeying with FILS and FT
* Fri Dec 28 2018 Jan Engelhardt <>
- Use noun phrase in summary.
* Mon Dec 17 2018 Karol Babioch <>
- Applied spec-cleaner
- Added bug reference
- Use defconfig file as template for configuration instead of patching it
  during build. This is easier to maintain in the long run. This removes the
  patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is
  copied over from the source directory.
- Enabled CLI editing and history support.
* Fri Dec 07 2018
- Update to version 2.7
  * fixed WPA packet number reuse with replayed messages and key
    [] (CVE-2017-13082) (bsc#1056061)
  * added support for FILS (IEEE 802.11ai) shared key authentication
  * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
    and transition mode defined by WFA)
  * added support for DPP (Wi-Fi Device Provisioning Protocol)
  * FT:
  - added local generation of PMK-R0/PMK-R1 for FT-PSK
  - replaced inter-AP protocol with a cleaner design that is more
    easily extensible; this breaks backward compatibility and requires
    all APs in the ESS to be updated at the same time to maintain FT
  - added support for wildcard R0KH/R1KH
  - replaced r0_key_lifetime (minutes) parameter with
    ft_r0_key_lifetime (seconds)
  - fixed wpa_psk_file use for FT-PSK
  - fixed FT-SAE PMKID matching
  - added expiration to PMK-R0 and PMK-R1 cache
  - added IEEE VLAN support (including tagged VLANs)
  - added support for SHA384 based AKM
  * SAE
  - fixed some PMKSA caching cases with SAE
  - added support for configuring SAE password separately of the
    WPA2 PSK/passphrase
  - added option to require MFP for SAE associations
  - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
    for SAE;
    note: this is not backwards compatible, i.e., both the AP and
    station side implementations will need to be update at the same
    time to maintain interoperability
  - added support for Password Identifier
  * hostapd_cli: added support for command history and completion
  * added support for requesting beacon report
  * large number of other fixes, cleanup, and extensions
  * added option to configure EAPOL-Key retry limits
    (wpa_group_update_count and wpa_pairwise_update_count)
  * removed all PeerKey functionality
  * fixed nl80211 AP mode configuration regression with Linux 4.15 and
  * added support for using wolfSSL cryptographic library
  * fixed some 20/40 MHz coexistence cases where the BSS could drop to
    20 MHz even when 40 MHz would be allowed
  * Hotspot 2.0
  - added support for setting Venue URL ANQP-element (venue_url)
  - added support for advertising Hotspot 2.0 operator icons
  - added support for Roaming Consortium Selection element
  - added support for Terms and Conditions
  - added support for OSEN connection in a shared RSN BSS
  * added support for using OpenSSL 1.1.1
  * added EAP-pwd server support for salted passwords
- Remove not longer needed patches (fixed upstream)
  * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
  * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
  * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
  * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
  * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
  * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
  * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
  * rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
- Verify source signature
Version: 2.9-bp152.2.3.1
* Tue Apr 06 2021 Clemens Famulla-Conrad <>
- Add CVE-2021-30004.patch -- forging attacks may occur because
  AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c
* Tue Feb 23 2021 Michael Ströder <>
- added AppArmor profile (source apparmor-usr.sbin.hostapd)
* Tue Sep 29 2020 Clemens Famulla-Conrad <>
- Add CVE-2020-12695.patch -- UPnP SUBSCRIBE misbehavior in hostapd WPS AP
* Thu Apr 23 2020 Clemens Famulla-Conrad <>
- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass