
openSUSE-SU-2017:2896-1

Published: 27 Oct 2017
Source: suse-cvrf

Description

Security update for hostapd

This update for hostapd fixes the following issues:

  • Fix KRACK attacks on the AP side (boo#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):

hostapd was updated to upstream release 2.6

  • fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5314)
  • fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476)
  • extended channel switch support for VHT bandwidth changes
  • added support for configuring new ANQP-elements with anqp_elem=:
  • fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior)
  • added no_probe_resp_if_max_sta=1 parameter to disable Probe Response frame sending for not-associated STAs if max_num_sta limit has been reached
  • added option (-S as command line argument) to request all interfaces to be started at the same time
  • modified rts_threshold and fragm_threshold configuration parameters to allow -1 to be used to disable RTS/fragmentation
  • EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer)
  • fixed EAPOL reauthentication after FT protocol run
  • fixed FTIE generation for 4-way handshake after FT protocol run
  • fixed and improved various FST operations
  • TLS server
    • support SHA384 and SHA512 hashes
    • support TLS v1.2 signature algorithm with SHA384 and SHA512
    • support PKCS #5 v2.0 PBES2
    • support PKCS #5 with PKCS #12 style key decryption
    • minimal support for PKCS #12
    • support OCSP stapling (including ocsp_multi)
  • added support for OpenSSL 1.1 API changes
    • drop support for OpenSSL 0.9.8
    • drop support for OpenSSL 1.0.0
  • EAP-PEAP: support fast-connect crypto binding
  • RADIUS
    • fix Called-Station-Id to not escape SSID
    • add Event-Timestamp to all Accounting-Request packets
    • add Acct-Session-Id to Accounting-On/Off
    • add Acct-Multi-Session-Id to Access-Request packets
    • add Service-Type (= Frames)
    • allow server to provide PSK instead of passphrase for WPA-PSK Tunnel_password case
    • update full message for interim accounting updates
    • add Acct-Delay-Time into Accounting messages
    • add require_message_authenticator configuration option to require CoA/Disconnect-Request packets to be authenticated
  • started to postpone WNM-Notification frame sending by 100 ms so that the STA has some more time to configure the key before this frame is received after the 4-way handshake
  • VHT: added interoperability workaround for 80+80 and 160 MHz channels
  • extended VLAN support (per-STA vif, etc.)
  • fixed PMKID derivation with SAE
  • nl80211
    • added support for full station state operations
    • fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames
  • added initial MBO support; number of extensions to WNM BSS Transition Management
  • added initial functionality for location related operations
  • added assocresp_elements parameter to allow vendor specific elements to be added into (Re)Association Response frames
  • improved Public Action frame addressing
    • use Address 3 = wildcard BSSID in GAS response if a query from an unassociated STA used that address
    • fix TX status processing for Address 3 = wildcard BSSID
    • add gas_address3 configuration parameter to control Address 3 behavior
  • added command line parameter -i to override interface parameter in hostapd.conf
  • added command completion support to hostapd_cli
  • added passive client taxonomy determination (CONFIG_TAXONOMY=y compile option and 'SIGNATURE ' control interface command)
  • number of small fixes

hostapd was updated to upstream release 2.5

  • (CVE-2015-1863) is fixed in upstream release 2.5

  • fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141 boo#930077)

  • fixed WMM Action frame parser [http://w1.fi/security/2015-3/] (CVE-2015-4142 boo#930078)

  • fixed EAP-pwd server missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, boo#930079)

  • fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/]

  • nl80211:
    • fixed vendor command handling to check OUI properly

  • fixed hlr_auc_gw build with OpenSSL

  • hlr_auc_gw: allow Milenage RES length to be reduced

  • disable HT for a station that does not support WMM/QoS

  • added support for hashed password (NtHash) in EAP-pwd server

  • fixed and extended dynamic VLAN cases

  • added EAP-EKE server support for deriving Session-Id

  • set Acct-Session-Id to a random value to make it more likely to be unique even if the device does not have a proper clock

  • added more 2.4 GHz channels for 20/40 MHz HT co-ex scan

  • modified SAE routines to be more robust and PWE generation to be stronger against timing attacks

  • added support for Brainpool Elliptic Curves with SAE

  • increases maximum value accepted for cwmin/cwmax

  • added support for CCMP-256 and GCMP-256 as group ciphers with FT

  • added Fast Session Transfer (FST) module

  • removed optional fields from RSNE when using FT with PMF (workaround for interoperability issues with iOS 8.4)

  • added EAP server support for TLS session resumption

  • fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version)

  • added mechanism to track unconnected stations and do minimal band steering

  • number of small fixes

Package list

  • openSUSE Leap 42.2: hostapd-2.6-8.1
  • openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1

Description

Wi-Fi Protected Access (WPA and WPA2) that supports 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.

Affected products
openSUSE Leap 42.2: hostapd-2.6-8.1
openSUSE Leap 42.3: hostapd-2.6-8.1