Update Info

openSUSE-2022-152


Recommended update for hostapd


Type: recommended
Severity: moderate
Issued: 2022-05-27
Description:
This update for hostapd fixes the following issues:

Adjust config:

* Enable SAE
* Enable DPP
* Enable wired driver
* Enable Airtime policy support
* Enable Fast Initial Link Setup (FILS) (IEEE 802.11ai)

Update to version 2.10

* SAE changes
  - improved protection against side channel attacks
    [https://w1.fi/security/2022-1/]
  - added option send SAE Confirm immediately (sae_config_immediate=1)
    after SAE Commit
  - added support for the hash-to-element mechanism (sae_pwe=1 or
    sae_pwe=2)
  - fixed PMKSA caching with OKC
  - added support for SAE-PK
* EAP-pwd changes
  - improved protection against side channel attacks
    [https://w1.fi/security/2022-1/]
* fixed WPS UPnP SUBSCRIBE handling of invalid operations
  [https://w1.fi/security/2020-1/]
* fixed PMF disconnection protection bypass
  [https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* fixed various issues in experimental support for EAP-TEAP server
* added configuration (max_auth_rounds, max_auth_rounds_short) to
  increase the maximum number of EAP message exchanges (mainly to
  support cases with very large certificates) for the EAP server
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* extended HE (IEEE 802.11ax) support, including 6 GHz support
* removed obsolete IAPP functionality
* fixed EAP-FAST server with TLS GCM/CCM ciphers
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
  compatibility for these groups while the default group 19 remains
  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
  a workaround for the group 20/21 backwards compatibility
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
  to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
  automatically disable transition mode to improve security
* added support for PASN
* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
* a large number of other fixes, cleanup, and extensions

- Fix AppArmor profile -- allow access to /etc/ssl/openssl.cnf (boo#1192959)
- Added hardening to systemd service(s) (boo#1181400). 


              

Packages


  • hostapd-2.10-bp153.3.3.1