[ubuntu/bionic-proposed] wpa 2:2.4-1.1ubuntu1 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Fri Nov 10 13:44:17 UTC 2017
wpa (2:2.4-1.1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable; remaining changes:
    - debian/patches/wpa_service_ignore-on-isolate.patch: add
      IgnoreOnIsolate=yes so that when switching "runlevels" in oem-config
      will not kill off wpa and cause wireless to be unavailable on first
      boot.
    - debian/patches/session-ticket.patch: disable the TLS Session Ticket
      extension to fix auth with 802.1x PEAP on some hardware.
    - debian/patches/android_hal_fw_path_change.patch: add a DBus method
      for requesting a firmware change when working with the Android HAL;
      this is used to set a device in P2P or AP mode; conditional to
      CONFIG_ANDROID_HAL being enabled.
    - debian/config/wpasupplicant/linux: enable CONFIG_ANDROID_HAL.
    - debian/control: Build-Depends on android-headers to get the required
      wifi headers for the HAL support.
    - debian/patches/dbus-available-sta.patch: Make the list of connected
      stations available on DBus for hotspot mode; along with some of the
      station properties, such as rx/tx packets, bytes, capabilities, etc.

wpa (2:2.4-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix multiple issues in WPA protocol (CVE-2017-13077, CVE-2017-13078,
    CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
    CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
    - hostapd: Avoid key reinstallation in FT handshake
    - Prevent reinstallation of an already in-use group key
    - Extend protection of GTK/IGTK reinstallation of
    - Fix TK configuration to the driver in EAPOL-Key 3/4
    - Prevent installation of an all-zero TK
    - Fix PTK rekeying to generate a new ANonce
    - TDLS: Reject TPK-TK reconfiguration
    - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode
    - WNM: Ignore WNM-Sleep Mode Response without pending
    - FT: Do not allow multiple Reassociation Response frames
    - TDLS: Ignore incoming TDLS Setup Response retries

wpa (2:2.4-1) unstable; urgency=medium

  [ Vincent Danjean ]
  * Build with libssl1.0-dev (Closes: #828601).
  * Add an upstream patch to fix hostapd in SMPS mode (Closes: #854719).

  [ Andrew Shadura ]
  * Don't install debian/system-sleep/wpasupplicant (originally introduced
    to fix LP: #1422143), it doesn't improve the state of the things,
    introduces regressions in some cases, and at all isn't supposed to
    work with how wpa-supplicant is started these days (Closes: #835648).
  * Bump the epoch to 2:, so that we can set the upstream version to
    what we really mean. It also has to be higher than 2.6 in unstable
    and 1:2.6 (what hostapd binary package in unstable has).
  * Drop the binary package epoch override.

wpa (2.5-2+v2.4-3) unstable; urgency=medium

  [ Helmut Grohne ]
  * Address FTCBFS: Set PKG_CONFIG (Closes: #836074).

  [ Andrew Shadura ]
  * Don't run wpa_cli suspend/resume if /run/wpa_supplicant isn't around
    (Closes: #835648).

wpa (2.5-2+v2.4-2) unstable; urgency=medium

  * Apply patches from upstream to unbreak dedicated P2P Device support
    (closes: #833402).
  * Reapply an accidentally lost patch to fix pkcs11 OpenSSL engine
    initialisation (Closes: #827253).
  * Retroactively redact the last changelog entry to represent the actual
    upload more accurately.

wpa (2.5-2+v2.4-1) unstable; urgency=medium

  [ Ricardo Salveti de Araujo ]
  * debian/patches/dbus-fix-operations-for-p2p-mgmt.patch: fix operations
    when P2P management interface is used (LP: #1482439)

  [ Stefan Lippers-Hollmann ]
  * wpasupplicant: install systemd unit (Closes: #766746).
  * wpasupplicant: configure driver fallback for networkd.
  * import changelogs from the security queues.
  * move previous patch for CVE-2015-1863 into a new subdirectory,
    debian/patches/2015-1/.
  * replace the Debian specific patch "wpasupplicant: fix systemd unit
    dependencies" with a backport of its official upstream change "systemd:
    Order wpa_supplicant before network.target".
  * fix dependency ordering when invoked with DBus, by making sure that DBus
    isn't shut down before wpa_supplicant, as that would also bring down
    wireless links which are still holding open NFS shares. Thanks to Facundo
    Gaich <facugaich at gmail.com> and Michael Biebl <biebl at debian.org>
    (Closes: #785579).
  * import NMU changelogs and integrate NMU changes.
  * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to Salvatore
    Bonaccorso <carnil at debian.org> (Closes: #823411):
    - WPS: Reject a Credential with invalid passphrase
    - Reject psk parameter set with invalid passphrase character
    - Remove newlines from wpa_supplicant config network output
    - Reject SET_CRED commands with newline characters in the string values
    - Reject SET commands with newline characters in the string values
  * use --buildsystem=qmake_qt4 (available since dh 8.9.1) for debhelper
    (Closes: #823171).
  * fix clean target, by splitting the find call into individual searches.
  * building wpa in a current unstable chroot using debhelper >= 9.20151219
    will introduce automatic dbgsym packages, thereby indirectly providing
    the requested debug packages for stretch and upwards (Closes: #729934).
    Don't add a versioned build-dependency in order to avoid unnecessary
    complications with backports.
  * change Vcs-Browser location to prefer https, but keep the unsecure tag for
    Vcs-Svn, as there is no option allowing to pull from the svn+ssh://
    location without an alioth account, this only makes lintian partially happy
    in regards to vcs-field-uses-insecure-uri.
  * debian/*: fix spelling errors noticed by lintian.
  * drop the obsolete Debian menu entry for wpa_gui, according to the tech-ctte
    decision on #741573.
  * fix debian/get-orig-source for wpa 2.6~.
  * add debian/watch file for the custom tarball generation.

  [ Paul Donohue ]
  * debian/ifupdown/functions.sh: Fix handling for "wpa-roam". Call ifquery
    instead of directly parsing /run/*/ifstate files to work with current
    ifupdown. (Closes: #545766, LP: #1545363)

  [ Martin Pitt ]
  * Add debian/system-sleep/wpasupplicant: Call wpa_cli suspend/resume
    before/after suspend, like the pm-utils hook. In some cases this brings
    back missing Wifi connection after resuming. (LP: #1422143)

  [ Andrew Shadura ]
  * Backout 2.5 release, switch to 2.4 (see #833507 for details).
  * New upstream release (Closes: #806889).
  * Refresh patches, drop patches applied upstream.
  * Update Vcs-* to point to Git.

wpa (2.3-2.4) unstable; urgency=medium

  * Non-maintainer upload.
  * Add patches to address CVE-2016-4476 and CVE-2016-4477, thanks to
    Salvatore Bonaccorso <carnil at debian.org> (Closes: #823411):
    - WPS: Reject a Credential with invalid passphrase
    - Reject psk parameter set with invalid passphrase character
    - Remove newlines from wpa_supplicant config network output
    - Reject SET_CRED commands with newline characters in the string values
    - Reject SET commands with newline characters in the string values
  * Refresh patches to apply cleanly.

wpa (2.3-2.3) unstable; urgency=high

  * Non-maintainer upload.
  * Add patch to address CVE-2015-5310.
    CVE-2015-5310: wpa_supplicant unauthorized WNM Sleep Mode GTK control.
    (Closes: #804707)
  * Add patches to address CVE-2015-5314 and CVE-2015-5315.
    CVE-2015-5314: hostapd: EAP-pwd missing last fragment length validation.
    CVE-2015-5315: wpa_supplicant: EAP-pwd missing last fragment length
    validation. (Closes: #804708)
  * Add patch to address CVE-2015-5316.
    CVE-2015-5316: EAP-pwd peer error path failure on unexpected Confirm
    message. (Closes: #804710)

wpa (2.3-2.2) unstable; urgency=high

  * Non-maintainer upload.
  * Add patch to address CVE-2015-4141.
    CVE-2015-4141: WPS UPnP vulnerability with HTTP chunked transfer
    encoding. (Closes: #787372)
  * Add patch to address CVE-2015-4142.
    CVE-2015-4142: Integer underflow in AP mode WMM Action frame processing.
    (Closes: #787373)
  * Add patches to address CVE-2015-414{3,4,5,6}
    CVE-2015-4143 CVE-2015-4144 CVE-2015-4145 CVE-2015-4146: EAP-pwd missing
    payload length validation. (Closes: #787371)
  * Add patch to address 2015-5 vulnerability.
    NFC: Fix payload length validation in NDEF record parser (Closes: #795740)
  * Thanks to Julian Wollrath <jwollrath at web.de> for the initial debdiff
    provided in #787371.

wpa (2.3-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Import four patches from upstream git (wpasupplicant_band_selection_*.patch),
    manually unfuzzed, to improve 2.4/5 GHz band selection. (Closes: #795722)

Date: Fri, 10 Nov 2017 08:20:13 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/wpa/2:2.4-1.1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 10 Nov 2017 08:20:13 -0500
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source
Version: 2:2.4-1.1ubuntu1
Distribution: bionic
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
hostapd - IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
wpagui - graphical user interface for wpa_supplicant
wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 545766 729934 766746 785579 787371 787372 787373 795722 795740 804707 804708 804710 806889 823171 823411 827253 828601 833402 835648 836074 854719
Launchpad-Bugs-Fixed: 1422143 1482439 1545363
Original-Maintainer: Debian wpasupplicant Maintainers <pkg-wpa-devel at lists.alioth.debian.org>