Debian Patches
Status for wpa/2:2.9.0-21+deb11u2
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch | CVE-2023-52160 PEAP client: Update Phase 2 authentication requirements. The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped. Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues. Allow Phase 2 authentication behavior to be configured with a new phase1 configuration parameter option: the 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS tunnel) behavior for PEAP: * 0 = do not require Phase 2 authentication * 1 = require Phase 2 authentication when client certificate (private_key/client_cert) is not used and TLS session resumption was not used (default) * 2 = require Phase 2 authentication in all cases | Jouni Malinen <j@w1.fi> | yes | debian upstream | https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c | 2023-07-08 |
01_use_pkg-config_for_pcsc-lite_module.patch | Use pkg-config for libpcsclite linkage flags. At least in Debian, we can rely on pkg-config being available and returning more accurate ldflags. | Reinhard Tartler <siretart@tauware.de> | no | | | 2009-02-02 |
02_dbus_group_policy.patch | Add D-Bus group policy. Debian does not use pam_console but uses group membership to control access to D-Bus. Activating both options in the conf file makes it work on Debian and Ubuntu. | Michael Biebl <biebl@debian.org> | no | debian | | 2007-03-08 |
06_wpa_gui_menu_exec_path.patch | Use full executable path in wpa_gui.desktop. Debian-specific patch to the desktop menu entry, so that we may exec wpa_gui, which, being in /usr/sbin, may not be in the PATH. | Kel Modderman <kel@otaku42.de> | no | | | 2008-09-25 |
07_dbus_service_syslog.patch | Tweak D-Bus/systemd service activation configuration files: * log wpa_supplicant messages to syslog * activate control socket interface so that wpa_cli can be used by D-Bus activated wpa_supplicant daemon | Kel Modderman <kel@otaku42.de> | no | | | 2012-04-21 |
12_wpa_gui_knotify_support.patch | Use KDE's KNotify when running under KDE | Raphael Geissert <geissert@debian.org> | no | debian | | 2011-03-08 |
2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch | AP: Silently ignore management frame from unexpected source address. Do not process any received Management frames with unexpected/invalid SA so that we do not add any state for unexpected STA addresses or end up sending out frames to unexpected destination. This prevents unexpected sequences where an unprotected frame might end up causing the AP to send out a response to another device and that other device processing the unexpected response. In particular, this prevents some potential denial of service cases where the unexpected response frame from the AP might result in a connected station dropping its association. | Jouni Malinen <j@w1.fi> | no | | | 2019-08-29 |
2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch | [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to other networks. The UPnP Device Architecture 2.0 specification errata ("UDA errata 16-04-2020.docx") addresses a problem with notifications being allowed to go out to other domains by disallowing such cases. Do such filtering for the notification callback URLs to avoid undesired connections to external networks based on subscriptions that any device in the local network could request when WPS support for external registrars is enabled (the upnp_iface parameter in hostapd configuration). | Jouni Malinen <jouni@codeaurora.org> | no | | | 2020-06-03 |
2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch | [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL path. A URL of more than about 700 characters ended up overflowing the wpabuf used for building the event notification and this resulted in the wpabuf buffer overflow checks terminating the hostapd process. Fix this by allocating the buffer to be large enough to contain the full URL path. However, since that around 700 character limit has been the practical limit for more than ten years, start explicitly enforcing that as the limit for the callback URLs since any longer ones had not worked before and there is no need to enable them now either. | Jouni Malinen <jouni@codeaurora.org> | no | | | 2020-06-03 |
2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch | [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more properly. While it is appropriate to try to retransmit the event to another callback URL on a failure to initiate the HTTP client connection, there is no point in trying the exact same operation multiple times in a row. Replace the event_retry() calls with event_addr_failure() for these cases to avoid busy loops trying to repeat the same failing operation. These potential busy loops would go through eloop callbacks, so the process is not completely stuck on handling them, but unnecessary CPU would be used to process the continuous retries that will keep failing for the same reason. | Jouni Malinen <jouni@codeaurora.org> | no | | | 2020-06-04 |
2020-2/0001-P2P-Fix-copying-of-secondary-device-types-for-P2P-gr.patch | P2P: Fix copying of secondary device types for P2P group client. Parsing and copying of the WPS secondary device types list was verifying that the contents are not too long for the internal maximum in the case of WPS messages, but similar validation was missing from the case of P2P group information which encodes this information in a different attribute. This could result in writing beyond the memory area assigned for these entries and corrupting memory within an instance of struct p2p_device. This could result in invalid operations and unexpected behavior when trying to free pointers from that corrupted memory. Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 | Jouni Malinen <jouni@codeaurora.org> | no | debian | https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e | 2020-11-09 |
2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch | [PATCH] P2P: Fix a corner case in peer addition based on PD Request. p2p_add_device() may remove the oldest entry if there is no room in the peer table for a new peer. This would result in any pointer to that removed entry becoming stale. A corner case with an invalid PD Request frame could result in such a case ending up using (read+write) freed memory. This could only be triggered when the peer table has reached its maximum size and the PD Request frame is received from the P2P Device Address of the oldest remaining entry and the frame has an incorrect P2P Device Address in the payload. Fix this by fetching the dev pointer again after having called p2p_add_device() so that the stale pointer cannot be used. | Jouni Malinen <jouni@codeaurora.org> | no | | | 2020-12-08 |
allow-tlsv1.patch | Enable TLSv1.0 by default. OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2. Some older networks may support TLSv1.0 and less secure ciphers. | Andrej Shadura <andrewsh@debian.org> | no | | | 2018-12-15 |
CVE-2024-5290-lib_engine_trusted_path.patch | Only load libraries from trusted path | Marc Deslauriers <marc.deslauriers@canonical.com> | no | | | |
disable-eapol-werror.patch | Disable -Werror for eapol_test. This may make sense for the upstream, but we just want to build the tool to be useful to our users; dealing with build errors due to issues normally manifesting themselves as warnings is burdensome for Debian and its downstreams. | Andrej Shadura <andrew.shadura@collabora.co.uk> | no | | | 2021-02-12 |
networkd-driver-fallback.patch | wpasupplicant: configure driver fallback for networkd | Stefan Lippers-Hollmann <s.l-h@gmx.de> | no | | | 2020-11-30 |
upstream-fixes/0001-wpa_supplicant-Do-not-try-to-detect-PSK-mismatch-dur.patch | wpa_supplicant: Do not try to detect PSK mismatch during PTK rekeying. When a PTK rekey fails it can't be caused by a PSK mismatch. Report a possible PSK mismatch only during the initial 4-way handshake to avoid incorrect reports. | Alexander Wetzel <alexander@wetzel-home.de> | no | | | 2019-12-20 |
upstream-fixes/0002-trace-handle-binutils-bfd.h-breakage.patch | trace: handle binutils bfd.h breakage. Some things in bfd.h that we use were renamed, and in the case of bfd_get_section_vma() a parameter was dropped. Work around this. | Johannes Berg <johannes@sipsolutions.net> | no | | | 2020-01-15 |
upstream-fixes/0003-check-for-ft-support.patch | Check for FT support when selecting FT suites. A driver supports FT if it either supports SME or the NL80211_CMD_UPDATE_FT_IES command. When selecting AKM suites, wpa_supplicant currently doesn't take into account whether or not either of those conditions are met. This can cause association failures, e.g., when an AP supports both WPA-EAP and FT-EAP but the driver doesn't support FT (wpa_supplicant will decide to do FT-EAP since it is unaware the driver doesn't support it). This change allows an FT suite to be selected only when the driver also supports FT. | Matthew Wang <matthewmwang@chromium.org> | no | | | 2020-02-03 |
upstream-fixes/0004-fix-VERSION_STR-printf-calls.patch | Fix VERSION_STR printf() calls in case the postfix strings include %. Do not use VERSION_STR directly as the format string to printf() since it is possible for that string to contain '%'. | Didier Raboud <odyx@debian.org> | no | | | 2020-02-16 |
upstream-fixes/0005-common-Provide-the-BIT-macro-locally.patch | common: Provide the BIT() macro locally. wpa_ctrl.h can be installed separately with libwpa_client, so utils/common.h won't be available to its users. | Andrej Shadura <andrew.shadura@collabora.co.uk> | no | | | 2020-02-25 |
upstream-fixes/0006-nl80211-fix-RTM-NEW-DELLINK-IFLA_IFNAME.patch | nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length. If the kernel rtm_newlink or rtm_dellink sends the maximum length of ifname (IFNAMSIZ), the event handlers in wpa_driver_nl80211_event_rtm_addlink() and wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the NULL termination, that equals the IFNAMSIZ. Fix the condition when IFNAME reaches maximum size. | Ouden <Ouden.Biz@gmail.com> | no | | | 2020-03-18 |
upstream-fixes/0007-Move-deauthentication-at-AP-start-to-be-after-beacon.patch | Move deauthentication at AP start to be after beacon configuration. This allows nl80211-based drivers to get the frame out. The old earlier location resulted in the driver operation getting rejected because the kernel was not ready to transmit the frame in the BSS context of the AP interface that has not yet been started. While getting this broadcast Deauthentication frame transmitted at the BSS start is not critical, it is one more chance of getting any previously associated station notified of their previous association not being valid anymore had they missed previous notifications in cases where the AP is stopped and restarted. | Jouni Malinen <j@w1.fi> | no | | | 2020-05-16 |
upstream-fixes/0008-Ignore-Management-frames-while-AP-interface-is-not-f.patch | Ignore Management frames while AP interface is not fully enabled. It is possible for drivers to report received Management frames while the AP is going through initial setup (e.g., during ACS or DFS CAC). hostapd and the driver are not yet ready for actually sending out responses to such frames at this point and as such, it is better to explicitly ignore such received frames rather than try to process them and have the response (e.g., a Probe Response frame) getting dropped by the driver as invalid or getting out with some incorrect information. | Jouni Malinen <j@w1.fi> | no | | | 2020-05-16 |
upstream-fixes/0009-D-Bus-Increase-introspection-buffer-size.patch | D-Bus: Increase introspection buffer size. It was apparently possible to hit the 20000 octet limit in some cases, so increase the limit to avoid process termination due to insufficient room for preparing a response to Introspect calls. | Jouni Malinen <j@w1.fi> | no | | | 2020-05-16 |
upstream-fixes/0010-P2P-Limit-P2P_DEVICE-name-to-appropriate-ifname-size.patch | P2P: Limit P2P_DEVICE name to appropriate ifname size. Otherwise the WPA_IF_P2P_DEVICE cannot be created if the base ifname is long enough. As this is not a netdev device, it is acceptable if the name is not completely unique. As such, simply insert a NUL byte at the appropriate place. | Benjamin Berg <bberg@redhat.com> | no | | | 2020-08-25 |
upstream-fixes/0011-dbus-Move-roam-metrics-to-the-correct-interface.patch | dbus: Move roam metrics to the correct interface. These properties were in the wpas_dbus_bss_properties array when they should have been in the wpas_dbus_interface_properties array. Move them to the right place. This is the logical location for these properties and it matches both the other parts of the implementation (e.g., being in enum wpas_dbus_prop, not in enum wpas_dbus_bss_prop) and what was originally documented for the interface in dbus.doxygen. | Matthew Wang <matthewmwang@chromium.org> | no | | | 2019-10-11 |
upstream-fixes/0012-nl80211-Unbreak-mode-processing-due-to-presence-of-S.patch | nl80211: Unbreak mode processing due to presence of S1G band. If the kernel advertises a band with channels < 2.4 GHz, hostapd/wpa_supplicant gets confused and assumes this is an IEEE 802.11b band, corrupting the real IEEE 802.11b band info. | Thomas Pedersen <thomas@adapt-ip.com> | no | | | 2020-08-27 |
upstream-fixes/0013-D-Bus-Allow-changing-an-interface-bridge-via-D-Bus.patch | D-Bus: Allow changing an interface bridge via D-Bus. D-Bus clients can call CreateInterface() once and use the resulting Interface object to connect multiple times to different networks. However, if the network interface gets added to a bridge, clients currently have to remove the Interface object and create a new one. Improve this by supporting the change of the BridgeIfname property of an existing Interface object. | Beniamino Galvani <bgalvani@redhat.com> | no | | | 2020-09-30 |
upstream-fixes/0014-WPS-Use-helper-variables-to-clean-up-code.patch | WPS: Use helper variables to clean up code. This is in preparation of larger changes in hostapd_update_wps() to keep the commits more readable. | Raphaël Mélotte <raphael.melotte@mind.be> | no | | | 2021-02-04 |
upstream-fixes/0015-WPS-Reconfigure-credentials-on-hostapd-config-reload.patch | WPS: Reconfigure credentials on hostapd config reload. When new credentials are configured and hostapd is reconfigured using SIGHUP (or RELOAD on the ctrl_iface), also update the WPS credentials. Before these changes, when WPS is triggered the Registrar always serves the credentials that were configured when hostapd started. | Raphaël Mélotte <raphael.melotte@mind.be> | no | | | 2021-02-04 |
upstream-fixes/0016-hostapd-Fix-error-message-for-radius_accept_attr-config-option.patch | hostapd: Fix error message for radius_accept_attr config option. The error message contained the wrong config option. | Pali Rohár <pali@kernel.org> | no | | | 2020-10-10 |
wpa_service_ignore-on-isolate.patch | Add IgnoreOnIsolate=yes to keep wpa-supplicant running while systemctl isolate. > Add IgnoreOnIsolate=yes so that when switching "runlevels" in oem-config will not kill off wpa and cause wireless to be unavailable on first boot. (LP: #1576024) Also happens when running systemctl isolate default.target: > NM should be detecting that wpasupplicant is not running and start it -- this should already have been working by way of wpasupplicant being dbus-activated. [...] > It seems to me like IgnoreOnIsolate for wpasupplicant would be the right thing to do, or to figure out why it isn't being properly started when NM tries to use it. | Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> | no | | | 2017-03-13 |
wpa_supplicant_fix-dependency-odering-when-invoked-with-dbus.patch | wpa_supplicant: Fix dependency ordering when invoked with DBus. Make sure that DBus isn't shut down before wpa_supplicant, as that would also bring down wireless links which are still holding open NFS shares. Debian bug: https://bugs.debian.org/785579 systemd upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=89847 | Stefan Lippers-Hollmann <s.l-h@gmx.de> | no | | | 2020-11-30 |
All known versions for source package 'wpa'
- 2:2.10-24 (sid, trixie)
- 2:2.10-12+deb12u2 (bookworm, bookworm-security)
- 2:2.10-8~bpo11+2 (bullseye-backports)
- 2:2.9.0-21+deb11u2 (bullseye-security, bullseye)