From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] wpa-supplicant: Update to version 2.11 Date: Fri, 17 Jan 2025 18:08:38 +0100 Message-ID: <20250117170838.1376068-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4738599070658176760==" List-Id: --===============4738599070658176760== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - Update from version 2.10 to 2.11 - Update of rootfile not required - Changelog 2.11 * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * MACsec - add support for GCM-AES-256 cipher suite - remove incorrect EAP Session-Id length constraint - add hardware offload support for additional drivers * HE/IEEE 802.11ax/Wi-Fi 6 - support BSS color updates - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * support OpenSSL 3.0 API changes * improve EAP-TLS support for TLSv1.3 * EAP-SIM/AKA: support IMSI privacy * improve mitigation against DoS attacks when PMF is used * improve 4-way handshake operations - discard unencrypted EAPOL frames in additional cases - use Secure=3D1 in message 2 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * improve cross-AKM roaming with driver-based SME/BSS selection * PASN - extend support for secure ranging - allow PASN implementation to be used with external programs for Wi-Fi Aware * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible, but PMKSA caching with FT-EAP was, and still is, disabled by default * support a pregenerated MAC (mac_addr=3D3) as an alternative mechanism for using per-network random MAC addresses * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=3D1) to improve security for still unfortunately common invalid configurations that do not set ca_cert * extend SCS support for QoS Characteristics * extend MSCS support * support unsynchronized service discovery (USD) * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=3D1) - in addition, verify SSID after key setup when beacon protection is used * fix SAE H2E rejected groups validation to avoid downgrade attacks * a large number of other fixes, cleanup, and extensions Signed-off-by: Adolf Belka --- lfs/wpa_supplicant | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index f3c12992d..38a147619 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2022 IPFire Team = # +# Copyright (C) 2007-2025 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.10 +VER =3D 2.11 =20 THISAPP =3D wpa_supplicant-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -41,7 +41,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D 7f6045e5dcf24f7ccf1ea75c99541f9d68fadaea858a6ca11a95c9= 97de14e33b3aa89138e748664579b5a4ea493d247cf6613da3c5fae49a4dbb5cd58dace752 +$(DL_FILE)_BLAKE2 =3D 71bd0d11cd31eb5bc6beb51caf0f1399856ea188f316d2330053a2= d8c81869057811e9f500828e8981eabd0af38f30a18a3ae584d744005c78681c82fa910abf =20 install : $(TARGET) =20 --=20 2.48.1 --===============4738599070658176760==--