mirror of
git://git.openwrt.org/openwrt/openwrt.git
synced 2025-10-27 03:54:27 -04:00
db7f70fe61
This patch backports fixes for a security vulnerability impacting the hostapd implementation of SAE H2E. As upgrading hostapd would require more testing, the second mitigation step which involves backporting several patches was adopted as outlined in the official advisory[1]. An explanation of the impact of the vulnerability is provided from the advisory[1]: This vulnerability allows the attacker to downgrade the negotiated group to another enabled group if both the AP and STA have enabled SAE H2E and multiple groups. It should be noted that the H2E option is not enabled by default and the attack is not applicable to the default option, i.e., hunting-and-pecking, since it does not have any downgrade protection for group negotiation. In addition, the default configuration for enabled SAE groups in hostapd is to enable only a single group, so the vulnerability is not applicable unless hostapd has been explicitly configured to enable more groups for SAE. [1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt Signed-off-by: Rany Hany <rany_hany@riseup.net> Link: https://github.com/openwrt/openwrt/pull/16042 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
|---|---|---|
| .. | ||
| 010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch | ||
| 011-mesh-use-deterministic-channel-on-channel-switch.patch | ||
| 021-fix-sta-add-after-previous-connection.patch | ||
| 023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch | ||
| 030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch | ||
| 040-mesh-allow-processing-authentication-frames-in-block.patch | ||
| 050-Fix-OpenWrt-13156.patch | ||
| 051-nl80211-add-extra-ies-only-if-allowed-by-driver.patch | ||
| 052-AP-add-missing-null-pointer-check-in-hostapd_free_ha.patch | ||
| 060-nl80211-fix-crash-when-adding-an-interface-fails.patch | ||
| 110-mbedtls-TLS-crypto-option-initial-port.patch | ||
| 120-mbedtls-fips186_2_prf.patch | ||
| 130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch | ||
| 135-mbedtls-fix-owe-association.patch | ||
| 140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch | ||
| 150-add-NULL-checks-encountered-during-tests-hwsim.patch | ||
| 160-dpp_pkex-EC-point-mul-w-value-prime.patch | ||
| 170-hostapd-update-cfs0-and-cfs1-for-160MHz.patch | ||
| 181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch | ||
| 182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch | ||
| 183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch | ||
| 200-multicall.patch | ||
| 201-lto-jobserver-support.patch | ||
| 210-build-de-duplicate-_DIRS-before-calling-mkdir.patch | ||
| 211-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch | ||
| 212-Move-definition-of-WLAN_SUPP_RATES_MAX-to-defs.h.patch | ||
| 213-wpa_supplicant-fix-warnings.patch | ||
| 220-indicate-features.patch | ||
| 250-hostapd_cli_ifdef.patch | ||
| 251-wpa_cli_ifdef.patch | ||
| 252-disable_ctrl_iface_mib.patch | ||
| 253-qos_map_set_without_interworking.patch | ||
| 300-noscan.patch | ||
| 301-mesh-noscan.patch | ||
| 310-rescan_immediately.patch | ||
| 320-optional_rfkill.patch | ||
| 330-nl80211_fix_set_freq.patch | ||
| 341-mesh-ctrl-iface-channel-switch.patch | ||
| 350-nl80211_del_beacon_bss.patch | ||
| 381-hostapd_cli_UNKNOWN-COMMAND.patch | ||
| 400-wps_single_auth_enc_type.patch | ||
| 410-limit_debug_messages.patch | ||
| 460-wpa_supplicant-add-new-config-params-to-be-used-with.patch | ||
| 463-add-mcast_rate-to-11s.patch | ||
| 464-fix-mesh-obss-check.patch | ||
| 465-hostapd-config-support-random-BSS-color.patch | ||
| 470-survey_data_fallback.patch | ||
| 590-rrm-wnm-statistics.patch | ||
| 600-ubus_support.patch | ||
| 601-ucode_support.patch | ||
| 610-hostapd_cli_ujail_permission.patch | ||
| 701-reload_config_inline.patch | ||
| 710-vlan_no_bridge.patch | ||
| 711-wds_bridge_force.patch | ||
| 720-iface_max_num_sta.patch | ||
| 730-ft_iface.patch | ||
| 740-snoop_iface.patch | ||
| 751-qos_map_ignore_when_unsupported.patch | ||
| 760-dynamic_own_ip.patch | ||
| 761-shared_das_port.patch | ||
| 762-AP-don-t-ignore-probe-requests-with-invalid-DSSS-par.patch | ||
| 770-radius_server.patch | ||
| 800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch | ||
| 801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch | ||
| 802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch | ||