openwrt/package/network/services/hostapd/patches
Rany Hany e4625c37c4 hostapd: fix SAE H2E security vulnerability
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.

As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].

An explanation of the impact of the vulnerability is provided from the
advisory[1]:

This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.

[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt

Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db7f70fe61)
2024-08-02 23:18:03 +02:00
File | Last commit | Date
001-wolfssl-init-RNG-with-ECC-key.patch | hostapd: update to 2022-07-29 | 2022-09-20 01:15:36 +02:00
010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch | hostapd: update to 2023-06-22 | 2023-07-20 08:04:11 +02:00
011-mesh-use-deterministic-channel-on-channel-switch.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
021-fix-sta-add-after-previous-connection.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
022-hostapd-fix-use-of-uninitialized-stack-variables.patch | hostapd: update to 2023-06-22 | 2023-07-20 08:04:11 +02:00
023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch | hostapd: fix a segfault on sta disconnect with proxy arp enabled | 2021-07-28 05:55:11 +02:00
030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
040-mesh-allow-processing-authentication-frames-in-block.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
050-build_fix.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
060-nl80211-fix-crash-when-adding-an-interface-fails.patch | hostapd: fix crash on interface setup failure | 2024-07-08 21:13:25 +02:00
110-mbedtls-TLS-crypto-option-initial-port.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
120-mbedtls-fips186_2_prf.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch | hostapd: add mbedtls variant | 2022-12-19 12:27:35 +00:00
135-mbedtls-fix-owe-association.patch | hostapd: fix OWE association with mbedtls | 2023-10-31 21:15:57 +01:00
140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
150-add-NULL-checks-encountered-during-tests-hwsim.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
160-dpp_pkex-EC-point-mul-w-value-prime.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
170-hostapd-update-cfs0-and-cfs1-for-160MHz.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch | hostapd: fix a crash when disabling an interface during channel list update | 2023-09-20 14:11:53 +02:00
200-multicall.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
300-noscan.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
301-mesh-noscan.patch | hostapd: permit 40MHz in 802.1s only also for 2.4GHz g/n with noscan | 2023-11-09 16:10:26 +01:00
310-rescan_immediately.patch | hostapd: refresh patches | 2023-11-09 16:10:27 +01:00
320-optional_rfkill.patch | hostapd: update to version 2021-05-21 | 2021-05-26 11:48:14 +02:00
330-nl80211_fix_set_freq.patch | hostapd: update to 2023-06-22 | 2023-07-20 08:04:11 +02:00
341-mesh-ctrl-iface-channel-switch.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
350-nl80211_del_beacon_bss.patch | hostapd: update to 2023-06-22 | 2023-07-20 08:04:11 +02:00
380-disable_ctrl_iface_mib.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
381-hostapd_cli_UNKNOWN-COMMAND.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
390-wpa_ie_cap_workaround.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
400-wps_single_auth_enc_type.patch | hostapd: update to 2022-07-29 | 2022-09-20 01:15:36 +02:00
410-limit_debug_messages.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
420-indicate-features.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
430-hostapd_cli_ifdef.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
431-wpa_cli_ifdef.patch | hostapd: unconditionally enable ap/mesh for wpa-cli | 2020-01-28 14:38:43 +01:00
460-wpa_supplicant-add-new-config-params-to-be-used-with.patch | hostapd: refresh patches | 2023-11-09 16:10:27 +01:00
463-add-mcast_rate-to-11s.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
464-fix-mesh-obss-check.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
465-hostapd-config-support-random-BSS-color.patch | hostapd: add fix for dealing with VHT 160 MHz via ext nss bw | 2023-08-15 16:44:58 +02:00
470-survey_data_fallback.patch | hostapd: update to 2023-03-29 | 2023-04-22 23:18:15 +02:00
500-lto-jobserver-support.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
590-rrm-wnm-statistics.patch | hostapd: update to 2023-06-22 | 2023-07-20 08:04:11 +02:00
599-wpa_supplicant-fix-warnings.patch | hostapd: declare struct wpa_bss early | 2019-09-19 23:43:27 +02:00
600-ubus_support.patch | hostapd: refresh patches | 2023-11-09 16:10:27 +01:00
601-ucode_support.patch | hostapd: refresh patches | 2023-11-09 16:10:27 +01:00
610-hostapd_cli_ujail_permission.patch | hostapd: allow hostapd under ujail to communicate with hostapd_cli | 2021-11-23 18:53:31 +00:00
701-reload_config_inline.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
710-vlan_no_bridge.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
711-wds_bridge_force.patch | hostapd: add fix for dealing with VHT 160 MHz via ext nss bw | 2023-08-15 16:44:58 +02:00
720-iface_max_num_sta.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
730-ft_iface.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
740-snoop_iface.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
750-qos_map_set_without_interworking.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
751-qos_map_ignore_when_unsupported.patch | hostapd: update to 2023-06-22 | 2023-07-20 08:04:11 +02:00
760-dynamic_own_ip.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
761-shared_das_port.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
762-AP-don-t-ignore-probe-requests-with-invalid-DSSS-par.patch | hostapd: don't ignore probe-requests with invalid DSSS params | 2024-06-30 22:31:51 +02:00
770-radius_server.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch | hostapd: fix SAE H2E security vulnerability | 2024-08-02 23:18:03 +02:00
801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch | hostapd: fix SAE H2E security vulnerability | 2024-08-02 23:18:03 +02:00
802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch | hostapd: fix SAE H2E security vulnerability | 2024-08-02 23:18:03 +02:00
990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch | hostapd: backport from master, including ucode based reload support | 2023-09-18 16:52:25 +02:00
991-Fix-OpenWrt-13156.patch | hostapd: use phy name for hostapd interfaces instead of first-bss ifname | 2023-09-19 11:57:18 +02:00
992-nl80211-add-extra-ies-only-if-allowed-by-driver.patch | hostapd: fix broken WPS on broadcom-wl and ath11k | 2023-11-02 14:44:48 +00:00
993-2023-10-28-ACS-Fix-typo-in-bw_40-frequency-array.patch | hostapd: ACS: Fix typo in bw_40 frequency array | 2024-01-19 00:20:14 +01:00