Package: hostapd Version: 2:2.10-12+deb12u2 Severity: normal X-Debbugs-Cc: t...@security.debian.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Upstream recently produced release 2.11, as per <https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog>: ChangeLog for wpa_supplicant 2024-07-20 - v2.11 * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * MACsec - add support for GCM-AES-256 cipher suite - remove incorrect EAP Session-Id length constraint - add hardware offload support for additional drivers * HE/IEEE 802.11ax/Wi-Fi 6 - support BSS color updates - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * support OpenSSL 3.0 API changes * improve EAP-TLS support for TLSv1.3 * EAP-SIM/AKA: support IMSI privacy * improve mitigation against DoS attacks when PMF is used * improve 4-way handshake operations - discard unencrypted EAPOL frames in additional cases - use Secure=1 in message 2 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * improve cross-AKM roaming with driver-based SME/BSS selection * PASN - extend support for secure ranging - allow PASN implementation to be used with external programs for Wi-Fi Aware * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible, but PMKSA caching with FT-EAP was, and still is, disabled by default * support a pregenerated MAC (mac_addr=3) as an alternative mechanism for using per-network random MAC addresses * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1) to improve security for still unfortunately common invalid configurations that do not set ca_cert * extend SCS support for QoS Characteristics * extend MSCS support * support unsynchronized service discovery (USD) * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1) - in addition, verify SSID after key setup when beacon protection is used * fix SAE H2E rejected groups validation to avoid downgrade attacks * a large number of other fixes, cleanup, and extensions 2022-01-16 - v2.10 - -- System Information: Debian Release: 12.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-23-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages hostapd depends on: ii init-system-helpers 1.65.2 ii libc6 2.36-9+deb12u7 ii libnl-3-200 3.7.0-0.2+b1 ii libnl-genl-3-200 3.7.0-0.2+b1 ii libnl-route-3-200 3.7.0-0.2+b1 ii libssl3 3.0.13-1~deb12u1 hostapd recommends no packages. hostapd suggests no packages. - -- no debconf information -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmbA/T8ACgkQrh+Cd8S0 17YQVg//XqMLT4aNKoAYX8gCasy1N1jslOKSj3DXEwGpGLDdNbb4O+j0pG3tDBl0 BYgdWDeUA75gDlTWCziinxag91Gmft5+t6yv1airdaU1+LKzIfUFJeJs6rGH4hJ5 qefwW3g9fs45k179ECoeYNl8RBPzdObLMEVfzYghFzYIiY4KJyo4bR7ZQrQzAfb2 oizoBajNaoXWhHLxMv8h8RXc2jq4YvHvFa+ZHjPuEBqaMdhyfNmibkcPeHJVQyal mAPha6eEZgzWcUYcb262Y2oPq73hvCteUejhWdk+Cir7eTNKvsOCXDaPcmrzeq13 VdL5TOaX7mSj++eLCnZMhUMlsuzjXjnvOFZfEzDeoK1iGxc0V10pP2t71TnJfeU4 DwHPa+UyahEleXIEbYWSoG6yrp7SUOiyzAerJCKj41bNUP28FuA2Lpt9QtHmngsY l7dMv5QlH3qH0Ofv0Yse6iNMpI23kYk0bEiVKibnL26wFhWDKWNTcxiFW45ah3be NnP5DELCYgoTVoXpzxde3sdEk+nBwXRfiGatkSvmXkRcfdy/3F46EuIyM8zYN2WK 0Uh+ZucuZauqbM8/fiZYy+M61PVK8T5bYlKqhdBSumOnT4eIr7F210MsPuIl//u0 7m00u35iyE8//vGUDC7r0V+jP5u4QdQGAXh9yJ4piaSRTrOPjSo= =bVWi -----END PGP SIGNATURE-----
