Debian Patches

Status for wpa/2:2.9.0-21+deb11u1

Fields per patch: Patch, Description, Author, Forwarded, Bugs, Origin, Last update
Patch: 01_use_pkg-config_for_pcsc-lite_module.patch
Description: Use pkg-config for libpcsclite linkage flags
 At least in Debian, we can rely on pkg-config being available and
 returning more accurate ldflags.
Author: Reinhard Tartler <siretart@tauware.de>
Forwarded: no
Last update: 2009-02-02

Patch: 02_dbus_group_policy.patch
Description: Add D-Bus group policy
 Debian does not use pam_console but uses group membership
 to control access to D-Bus. Activating both options in the conf file
 makes it work on Debian and Ubuntu.
Author: Michael Biebl <biebl@debian.org>
Forwarded: no
Bugs: debian
Last update: 2007-03-08

Patch: 06_wpa_gui_menu_exec_path.patch
Description: Use full executable path in wpa_gui.desktop
 Debian-specific patch to the desktop menu entry, so that we may exec
 wpa_gui, which, being in /usr/sbin, may not be in the PATH.
Author: Kel Modderman <kel@otaku42.de>
Forwarded: no
Last update: 2008-09-25

Patch: 07_dbus_service_syslog.patch
Description: Tweak D-Bus/systemd service activation configuration files:
 * log wpa_supplicant messages to syslog
 * activate control socket interface so that wpa_cli can be used by D-Bus
   activated wpa_supplicant daemon
Author: Kel Modderman <kel@otaku42.de>
Forwarded: no
Last update: 2012-04-21

Patch: 12_wpa_gui_knotify_support.patch
Description: Use KDE's KNotify when running under KDE
Author: Raphael Geissert <geissert@debian.org>
Forwarded: no
Bugs: debian
Last update: 2011-03-08

Patch: networkd-driver-fallback.patch
Description: wpasupplicant: configure driver fallback for networkd
Author: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Forwarded: no
Last update: 2020-11-30

Patch: wpa_supplicant_fix-dependency-odering-when-invoked-with-dbus.patch
Description: wpa_supplicant: Fix dependency ordering when invoked with DBus
 Make sure that DBus isn't shut down before wpa_supplicant, as that would
 also bring down wireless links which are still holding open NFS shares.

 Debian bug: https://bugs.debian.org/785579
 systemd upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=89847
Author: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Forwarded: no
Last update: 2020-11-30

Patch: allow-tlsv1.patch
Description: Enable TLSv1.0 by default
 OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
 Some older networks may support TLSv1.0 and less secure cyphers.
Author: Andrej Shadura <andrewsh@debian.org>
Forwarded: no
Last update: 2018-12-15

Patch: disable-eapol-werror.patch
Description: Disable -Werror for eapol_test
 This may make sense for the upstream, but we just want to build
 the tool to be useful to our users; dealing with build errors due
 to issues normally manifesting themselves as warnings is burdensome
 for Debian and its downstreams.
Author: Andrej Shadura <andrew.shadura@collabora.co.uk>
Forwarded: no
Last update: 2021-02-12

Patch: wpa_service_ignore-on-isolate.patch
Description: Add IgnoreOnIsolate=yes to keep wpa-supplicant running while systemctl isolate
 > Add IgnoreOnIsolate=yes so that when switching "runlevels" in
 > oem-config will not kill off wpa and cause wireless to be
 > unavailable on first boot. (LP: #1576024)

 Also happens when running systemctl isolate default.target:

 > NM should be detecting that wpasupplicant is not running and start
 > it -- this should already have been working by way of wpasupplicant
 > being dbus-activated.
 [...]
 > It seems to me like IgnoreOnIsolate for wpasupplicant would be the
 > right thing to do, or to figure out why it isn't being properly
 > started when NM tries to use it.
Author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
Forwarded: no
Last update: 2017-03-13

Patch: 2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
Description: AP: Silently ignore management frame from unexpected source address
 Do not process any received Management frames with unexpected/invalid SA
 so that we do not add any state for unexpected STA addresses or end up
 sending out frames to unexpected destination. This prevents unexpected
 sequences where an unprotected frame might end up causing the AP to send
 out a response to another device and that other device processing the
 unexpected response.

 In particular, this prevents some potential denial of service cases
 where the unexpected response frame from the AP might result in a
 connected station dropping its association.
Author: Jouni Malinen <j@w1.fi>
Forwarded: no
Last update: 2019-08-29

Patch: 2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
Description: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to other networks
 The UPnP Device Architecture 2.0 specification errata ("UDA errata
 16-04-2020.docx") addresses a problem with notifications being allowed
 to go out to other domains by disallowing such cases. Do such filtering
 for the notification callback URLs to avoid undesired connections to
 external networks based on subscriptions that any device in the local
 network could request when WPS support for external registrars is
 enabled (the upnp_iface parameter in hostapd configuration).
Author: Jouni Malinen <jouni@codeaurora.org>
Forwarded: no
Last update: 2020-06-03

Patch: 2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
Description: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL path
 A URL of more than about 700 characters ended up overflowing the wpabuf
 used for building the event notification and this resulted in the wpabuf
 buffer overflow checks terminating the hostapd process. Fix this by
 allocating the buffer to be large enough to contain the full URL path.
 However, since that limit of around 700 characters has been the practical
 limit for more than ten years, start explicitly enforcing that as the
 limit for the callback URLs since any longer ones had not worked before
 and there is no need to enable them now either.
Author: Jouni Malinen <jouni@codeaurora.org>
Forwarded: no
Last update: 2020-06-03

Patch: upstream-fixes/0003-check-for-ft-support.patch
Description: Check for FT support when selecting FT suites
 A driver supports FT if it either supports SME or the
 NL80211_CMD_UPDATE_FT_IES command. When selecting AKM suites,
 wpa_supplicant currently doesn't take into account whether or not either
 of those conditions is met. This can cause association failures, e.g.,
 when an AP supports both WPA-EAP and FT-EAP but the driver doesn't
 support FT (wpa_supplicant will decide to do FT-EAP since it is unaware
 the driver doesn't support it). This change allows an FT suite to be
 selected only when the driver also supports FT.
Author: Matthew Wang <matthewmwang@chromium.org>
Forwarded: no
Last update: 2020-02-03

Patch: upstream-fixes/0004-fix-VERSION_STR-printf-calls.patch
Description: Fix VERSION_STR printf() calls in case the postfix strings include %
 Do not use VERSION_STR directly as the format string to printf() since
 it is possible for that string to contain '%'.
Author: Didier Raboud <odyx@debian.org>
Forwarded: no
Last update: 2020-02-16

Patch: 2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
Description: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more properly
 While it is appropriate to try to retransmit the event to another
 callback URL on a failure to initiate the HTTP client connection, there
 is no point in trying the exact same operation multiple times in a row.
 Replace the event_retry() calls with event_addr_failure() for these cases
 to avoid busy loops trying to repeat the same failing operation.

 These potential busy loops would go through eloop callbacks, so the
 process is not completely stuck on handling them, but unnecessary CPU
 would be used to process the continuous retries that will keep failing
 for the same reason.
Author: Jouni Malinen <jouni@codeaurora.org>
Forwarded: no
Last update: 2020-06-04

Patch: upstream-fixes/0001-wpa_supplicant-Do-not-try-to-detect-PSK-mismatch-dur.patch
Description: wpa_supplicant: Do not try to detect PSK mismatch during PTK rekeying
 When a PTK rekey fails it can't be caused by a PSK mismatch. Report a
 possible PSK mismatch only during the initial 4-way handshake to avoid
 incorrect reports.
Author: Alexander Wetzel <alexander@wetzel-home.de>
Forwarded: no
Last update: 2019-12-20

Patch: upstream-fixes/0005-common-Provide-the-BIT-macro-locally.patch
Description: common: Provide the BIT() macro locally
 wpa_ctrl.h can be installed separately with libwpa_client, so
 utils/common.h won't be available to its users.
Author: Andrej Shadura <andrew.shadura@collabora.co.uk>
Forwarded: no
Last update: 2020-02-25

Patch: upstream-fixes/0002-trace-handle-binutils-bfd.h-breakage.patch
Description: trace: handle binutils bfd.h breakage
 Some things in bfd.h that we use were renamed, and in the
 case of bfd_get_section_vma() a parameter was dropped.
 Work around this.
Author: Johannes Berg <johannes@sipsolutions.net>
Forwarded: no
Last update: 2020-01-15

Patch: upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch
Description: nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length
 If the kernel rtm_newlink or rtm_dellink sends the maximum length of
 ifname (IFNAMSIZ), the event handlers in
 wpa_driver_nl80211_event_rtm_addlink() and
 wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
 value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
 NULL termination, that equals the IFNAMSIZ.

 Fix the condition when IFNAME reaches the maximum size.
Author: Ouden <Ouden.Biz@gmail.com>
Forwarded: no
Last update: 2020-03-18

Patch: upstream-fixes/0007-Move-deauthentication-at-AP-start-to-be-after-beacon.patch
Description: Move deauthentication at AP start to be after beacon configuration
 This allows nl80211-based drivers to get the frame out. The earlier
 location resulted in the driver operation getting rejected because the
 kernel was not yet ready to transmit the frame in the BSS context of the
 AP interface that has not yet been started.

 While getting this broadcast Deauthentication frame transmitted at the
 BSS start is not critical, it is one more chance of getting any
 previously associated station notified of their previous association not
 being valid anymore had they missed previous notifications in cases
 where the AP is stopped and restarted.
Author: Jouni Malinen <j@w1.fi>
Forwarded: no
Last update: 2020-05-16

Patch: upstream-fixes/0008-Ignore-Management-frames-while-AP-interface-is-not-f.patch
Description: Ignore Management frames while AP interface is not fully enabled
 It is possible for drivers to report received Management frames while AP
 is going through initial setup (e.g., during ACS or DFS CAC). hostapd
 and the driver are not yet ready for actually sending out responses to
 such frames at this point and as such, it is better to explicitly ignore
 such received frames rather than try to process them and have the
 response (e.g., a Probe Response frame) getting dropped by the driver as
 invalid or getting out with some incorrect information.
Author: Jouni Malinen <j@w1.fi>
Forwarded: no
Last update: 2020-05-16

Patch: upstream-fixes/0009-D-Bus-Increase-introspection-buffer-size.patch
Description: D-Bus: Increase introspection buffer size
 It was apparently possible to hit the 20000 octet limit in some cases,
 so increase the limit to avoid process termination due to insufficient
 room for preparing a response to Introspect calls.
Author: Jouni Malinen <j@w1.fi>
Forwarded: no
Last update: 2020-05-16

Patch: upstream-fixes/0010-P2P-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch
Description: P2P: Limit P2P_DEVICE name to appropriate ifname size
 Otherwise the WPA_IF_P2P_DEVICE cannot be created if the base ifname is
 long enough. As this is not a netdev device, it is acceptable if the
 name is not completely unique. As such, simply insert a NUL byte at the
 appropriate place.
Author: Benjamin Berg <bberg@redhat.com>
Forwarded: no
Last update: 2020-08-25

Patch: upstream-fixes/0011-dbus-Move-roam-metrics-to-the-correct-interface.patch
Description: dbus: Move roam metrics to the correct interface
 These properties were in the wpas_dbus_bss_properties array when they
 should have been in the wpas_dbus_interface_properties array. Move them
 to the right place. This is the logical location for these properties
 and it matches both the other parts of the implementation (e.g., being
 in enum wpas_dbus_prop, not in enum wpas_dbus_bss_prop) and what
 was originally documented for the interface in dbus.doxygen.
Author: Matthew Wang <matthewmwang@chromium.org>
Forwarded: no
Last update: 2019-10-11

Patch: upstream-fixes/0012-nl80211-Unbreak-mode-processing-due-to-presence-of-S.patch
Description: nl80211: Unbreak mode processing due to presence of S1G band
 If the kernel advertises a band with channels < 2.4 GHz,
 hostapd/wpa_supplicant gets confused and assumes this is an IEEE
 802.11b band, corrupting the real IEEE 802.11b band info.
Author: Thomas Pedersen <thomas@adapt-ip.com>
Forwarded: no
Last update: 2020-08-27

Patch: upstream-fixes/0013-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch
Description: D-Bus: Allow changing an interface bridge via D-Bus
 D-Bus clients can call CreateInterface() once and use the resulting
 Interface object to connect multiple times to different networks.

 However, if the network interface gets added to a bridge, clients
 currently have to remove the Interface object and create a new one.

 Improve this by supporting the change of the BridgeIfname property of
 an existing Interface object.
Author: Beniamino Galvani <bgalvani@redhat.com>
Forwarded: no
Last update: 2020-09-30

Patch: upstream-fixes/0014-WPS-Use-helper-variables-to-clean-up-code.patch
Description: WPS: Use helper variables to clean up code
 This is in preparation of larger changes in hostapd_update_wps() to keep
 the commits more readable.
Author: Raphaël Mélotte <raphael.melotte@mind.be>
Forwarded: no
Last update: 2021-02-04

Patch: upstream-fixes/0015-WPS-Reconfigure-credentials-on-hostapd-config-reload.patch
Description: WPS: Reconfigure credentials on hostapd config reload
 When new credentials are configured and hostapd is reconfigured using
 SIGHUP (or RELOAD on the ctrl_iface), also update the WPS credentials.

 Before these changes, when WPS is triggered the Registrar always serves
 the credentials that were configured when hostapd started.
Author: Raphaël Mélotte <raphael.melotte@mind.be>
Forwarded: no
Last update: 2021-02-04

Patch: upstream-fixes/0016-hostapd-Fix-error-message-for-radius_accept_attr-config-option.patch
Description: hostapd: Fix error message for radius_accept_attr config option
 The error message contained the wrong config option.
Author: Pali Rohár <pali@kernel.org>
Forwarded: no
Last update: 2020-10-10

Patch: 2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch
Description: P2P: Fix copying of secondary device types for P2P group client
 Parsing and copying of WPS secondary device types list was verifying
 that the contents are not too long for the internal maximum in the case
 of WPS messages, but similar validation was missing from the case of P2P
 group information which encodes this information in a different
 attribute. This could result in writing beyond the memory area assigned
 for these entries and corrupting memory within an instance of struct
 p2p_device. This could result in invalid operations and unexpected
 behavior when trying to free pointers from that corrupted memory.

 Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Author: Jouni Malinen <jouni@codeaurora.org>
Forwarded: no
Bugs: debian
Origin: https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e
Last update: 2020-11-09

Patch: 2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
Description: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
 p2p_add_device() may remove the oldest entry if there is no room in the
 peer table for a new peer. This would result in any pointer to that
 removed entry becoming stale. A corner case with an invalid PD Request
 frame could result in such a case ending up using (read+write) freed
 memory. This could only be triggered when the peer table has reached its
 maximum size and the PD Request frame is received from the P2P Device
 Address of the oldest remaining entry and the frame has incorrect P2P
 Device Address in the payload.

 Fix this by fetching the dev pointer again after having called
 p2p_add_device() so that the stale pointer cannot be used.
Author: Jouni Malinen <jouni@codeaurora.org>
Forwarded: no
Last update: 2020-12-08

Patch: 0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
Description: CVE-2023-52160 PEAP client: Update Phase 2 authentication requirements
 The previous PEAP client behavior allowed the server to skip Phase 2
 authentication with the expectation that the server was authenticated
 during Phase 1 through TLS server certificate validation. Various PEAP
 specifications are not exactly clear on what the behavior on this front
 is supposed to be and as such, this ended up being more flexible than
 the TTLS/FAST/TEAP cases. However, this is not really ideal when
 unfortunately common misconfiguration of PEAP is used in deployed
 devices where the server trust root (ca_cert) is not configured or the
 user has an easy option for allowing this validation step to be skipped.

 Change the default PEAP client behavior to be to require Phase 2
 authentication to be successfully completed for cases where TLS session
 resumption is not used and the client certificate has not been
 configured. Those two exceptions are the main cases where a deployed
 authentication server might skip Phase 2 and as such, where a more
 strict default behavior could result in undesired interoperability
 issues. Requiring Phase 2 authentication will end up disabling TLS
 session resumption automatically to avoid interoperability issues.

 Allow Phase 2 authentication behavior to be configured with a new phase1
 configuration parameter option:
 The 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
 tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is not used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases
Author: Jouni Malinen <j@w1.fi>
Forwarded: yes
Bugs: debian
Origin: upstream https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
Last update: 2023-07-08
