← Back to team overview

desktop-packages team mailing list archive

[Bug 1512520] [NEW] New upstream release wpa 2.5

 

Public bug reported:

Upstream release 2.5 has come out recently, including a number of
security bugfixes and additional channel selection and performance
improvements to 5GHz networks. Please update to it :)

Changelog:

2015-09-27 - v2.5
	* fixed P2P validation of SSID element length before copying it
	  [http://w1.fi/security/2015-1/] (CVE-2015-1863)
	* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
	  [http://w1.fi/security/2015-2/] (CVE-2015-4141)
	* fixed WMM Action frame parser (AP mode)
	  [http://w1.fi/security/2015-3/] (CVE-2015-4142)
	* fixed EAP-pwd peer missing payload length validation
	  [http://w1.fi/security/2015-4/]
	  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
	* fixed validation of WPS and P2P NFC NDEF record payload length
	  [http://w1.fi/security/2015-5/]
	* nl80211:
	  - added VHT configuration for IBSS
	  - fixed vendor command handling to check OUI properly
	  - allow driver-based roaming to change ESS
	* added AVG_BEACON_RSSI to SIGNAL_POLL output
	* wpa_cli: added tab completion for number of commands
	* removed unmaintained and not yet completed SChannel/CryptoAPI support
	* modified Extended Capabilities element use in Probe Request frames to
	  include all cases if any of the values are non-zero
	* added support for dynamically creating/removing a virtual interface
	  with interface_add/interface_remove
	* added support for hashed password (NtHash) in EAP-pwd peer
	* added support for memory-only PSK/passphrase (mem_only_psk=1 and
	  CTRL-REQ/RSP-PSK_PASSPHRASE)
	* P2P
	  - optimize scan frequencies list when re-joining a persistent group
	  - fixed number of sequences with nl80211 P2P Device interface
	  - added operating class 125 for P2P use cases (this allows 5 GHz
	    channels 161 and 169 to be used if they are enabled in the current
	    regulatory domain)
	  - number of fixes to P2PS functionality
	  - do not allow 40 MHz co-ex PRI/SEC switch to force MCC
	  - extended support for preferred channel listing
	* D-Bus:
	  - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
	  - fixed PresenceRequest to use group interface
	  - added new signals: FindStopped, WPS pbc-overlap,
	    GroupFormationFailure, WPS timeout, InvitationReceived
	  - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
	  - added manufacturer info
	* added EAP-EKE peer support for deriving Session-Id
	* added wps_priority configuration parameter to set the default priority
	  for all network profiles added by WPS
	* added support to request a scan with specific SSIDs with the SCAN
	  command (optional "ssid <hexdump>" arguments)
	* removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
	* fixed SAE group selection in an error case
	* modified SAE routines to be more robust and PWE generation to be
	  stronger against timing attacks
	* added support for Brainpool Elliptic Curves with SAE
	* added support for CCMP-256 and GCMP-256 as group ciphers with FT
	* fixed BSS selection based on estimated throughput
	* added option to disable TLSv1.0 with OpenSSL
	  (phase1="tls_disable_tlsv1_0=1")
	* added Fast Session Transfer (FST) module
	* fixed OpenSSL PKCS#12 extra certificate handling
	* fixed key derivation for Suite B 192-bit AKM (this breaks
	  compatibility with the earlier version)
	* added RSN IE to Mesh Peering Open/Confirm frames
	* number of small fixes

** Affects: wpa (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to wpa in Ubuntu.
https://bugs.launchpad.net/bugs/1512520

Title:
  New upstream release wpa 2.5

Status in wpa package in Ubuntu:
  New

Bug description:
  Upstream release 2.5 has come out recently, including a number of
  security bugfixes and additional channel selection and performance
  improvements to 5GHz networks. Please update to it :)

  Changelog:

  2015-09-27 - v2.5
  	* fixed P2P validation of SSID element length before copying it
  	  [http://w1.fi/security/2015-1/] (CVE-2015-1863)
  	* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
  	  [http://w1.fi/security/2015-2/] (CVE-2015-4141)
  	* fixed WMM Action frame parser (AP mode)
  	  [http://w1.fi/security/2015-3/] (CVE-2015-4142)
  	* fixed EAP-pwd peer missing payload length validation
  	  [http://w1.fi/security/2015-4/]
  	  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
  	* fixed validation of WPS and P2P NFC NDEF record payload length
  	  [http://w1.fi/security/2015-5/]
  	* nl80211:
  	  - added VHT configuration for IBSS
  	  - fixed vendor command handling to check OUI properly
  	  - allow driver-based roaming to change ESS
  	* added AVG_BEACON_RSSI to SIGNAL_POLL output
  	* wpa_cli: added tab completion for number of commands
  	* removed unmaintained and not yet completed SChannel/CryptoAPI support
  	* modified Extended Capabilities element use in Probe Request frames to
  	  include all cases if any of the values are non-zero
  	* added support for dynamically creating/removing a virtual interface
  	  with interface_add/interface_remove
  	* added support for hashed password (NtHash) in EAP-pwd peer
  	* added support for memory-only PSK/passphrase (mem_only_psk=1 and
  	  CTRL-REQ/RSP-PSK_PASSPHRASE)
  	* P2P
  	  - optimize scan frequencies list when re-joining a persistent group
  	  - fixed number of sequences with nl80211 P2P Device interface
  	  - added operating class 125 for P2P use cases (this allows 5 GHz
  	    channels 161 and 169 to be used if they are enabled in the current
  	    regulatory domain)
  	  - number of fixes to P2PS functionality
  	  - do not allow 40 MHz co-ex PRI/SEC switch to force MCC
  	  - extended support for preferred channel listing
  	* D-Bus:
  	  - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
  	  - fixed PresenceRequest to use group interface
  	  - added new signals: FindStopped, WPS pbc-overlap,
  	    GroupFormationFailure, WPS timeout, InvitationReceived
  	  - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
  	  - added manufacturer info
  	* added EAP-EKE peer support for deriving Session-Id
  	* added wps_priority configuration parameter to set the default priority
  	  for all network profiles added by WPS
  	* added support to request a scan with specific SSIDs with the SCAN
  	  command (optional "ssid <hexdump>" arguments)
  	* removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
  	* fixed SAE group selection in an error case
  	* modified SAE routines to be more robust and PWE generation to be
  	  stronger against timing attacks
  	* added support for Brainpool Elliptic Curves with SAE
  	* added support for CCMP-256 and GCMP-256 as group ciphers with FT
  	* fixed BSS selection based on estimated throughput
  	* added option to disable TLSv1.0 with OpenSSL
  	  (phase1="tls_disable_tlsv1_0=1")
  	* added Fast Session Transfer (FST) module
  	* fixed OpenSSL PKCS#12 extra certificate handling
  	* fixed key derivation for Suite B 192-bit AKM (this breaks
  	  compatibility with the earlier version)
  	* added RSN IE to Mesh Peering Open/Confirm frames
  	* number of small fixes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1512520/+subscriptions


Follow ups