openSUSE Security Update: Security update for hostapd
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:2896-1
Rating: important
References: #1063479 #930077 #930078 #930079
Cross-References: CVE-2015-1863 CVE-2015-4141 CVE-2015-4142
CVE-2015-4143 CVE-2015-4144 CVE-2015-4145
CVE-2015-5314 CVE-2016-4476 CVE-2017-13078
CVE-2017-13079 CVE-2017-13080 CVE-2017-13081
CVE-2017-13087 CVE-2017-13088
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

Description:

This update for hostapd fixes the following issues:

– Fix KRACK attacks on the AP side (boo#1063479, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087,
CVE-2017-13088):

Hostap was updated to upstream release 2.6

* fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/]
(CVE-2015-5314)
* fixed WPS configuration update vulnerability with malformed passphrase
[http://w1.fi/security/2016-1/] (CVE-2016-4476)
* extended channel switch support for VHT bandwidth changes
* added support for configuring new ANQP-elements with
anqp_elem=<InfoID>:<hexdump of payload>
* fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old
releases incompatible with the fixed behavior)
* added no_probe_resp_if_max_sta=1 parameter to disable Probe Response
frame sending for not-associated STAs if max_num_sta limit has been
reached
* added option (-S as command line argument) to request all interfaces to
be started at the same time
* modified rts_threshold and fragm_threshold configuration parameters to
allow -1 to be used to disable RTS/fragmentation
* EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2
and newer)
* fixed EAPOL reauthentication after FT protocol run
* fixed FTIE generation for 4-way handshake after FT protocol run
* fixed and improved various FST operations
* TLS server
– support SHA384 and SHA512 hashes
– support TLS v1.2 signature algorithm with SHA384 and SHA512
– support PKCS #5 v2.0 PBES2
– support PKCS #5 with PKCS #12 style key decryption
– minimal support for PKCS #12
– support OCSP stapling (including ocsp_multi)
* added support for OpenSSL 1.1 API changes
– drop support for OpenSSL 0.9.8
– drop support for OpenSSL 1.0.0
* EAP-PEAP: support fast-connect crypto binding
* RADIUS
– fix Called-Station-Id to not escape SSID
– add Event-Timestamp to all Accounting-Request packets
– add Acct-Session-Id to Accounting-On/Off
– add Acct-Multi-Session-Id ton Access-Request packets
– add Service-Type (= Frames)
– allow server to provide PSK instead of passphrase for WPA-PSK
Tunnel_password case
– update full message for interim accounting updates
– add Acct-Delay-Time into Accounting messages
– add require_message_authenticator configuration option to require
CoA/Disconnect-Request packets to be authenticated
* started to postpone WNM-Notification frame sending by 100 ms so that the
STA has some more time to configure the key before this frame is
received after the 4-way handshake
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
* extended VLAN support (per-STA vif, etc.)
* fixed PMKID derivation with SAE
* nl80211
– added support for full station state operations
– fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames
* added initial MBO support; number of extensions to WNM BSS Transition
Management
* added initial functionality for location related operations
* added assocresp_elements parameter to allow vendor specific elements to
be added into (Re)Association Response frames
* improved Public Action frame addressing
– use Address 3 = wildcard BSSID in GAS response if a query from an
unassociated STA used that address
– fix TX status processing for Address 3 = wildcard BSSID
– add gas_address3 configuration parameter to control Address 3 behavior
* added command line parameter -i to override interface parameter in
hostapd.conf
* added command completion support to hostapd_cli
* added passive client taxonomy determination (CONFIG_TAXONOMY=y compile
option and “SIGNATURE <addr>” control interface command)
* number of small fixes

hostapd was updated to upstream release 2.5

* (CVE-2015-1863) is fixed in upstream release 2.5

* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
[http://w1.fi/security/2015-2/] (CVE-2015-4141 boo#930077)
* fixed WMM Action frame parser [http://w1.fi/security/2015-3/]
(CVE-2015-4142 boo#930078)
* fixed EAP-pwd server missing payload length validation
[http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144,
CVE-2015-4145, boo#930079)
* fixed validation of WPS and P2P NFC NDEF record payload length
[http://w1.fi/security/2015-5/]
* nl80211:
– fixed vendor command handling to check OUI properly
* fixed hlr_auc_gw build with OpenSSL
* hlr_auc_gw: allow Milenage RES length to be reduced
* disable HT for a station that does not support WMM/QoS
* added support for hashed password (NtHash) in EAP-pwd server
* fixed and extended dynamic VLAN cases
* added EAP-EKE server support for deriving Session-Id
* set Acct-Session-Id to a random value to make it more likely to be
unique even if the device does not have a proper clock
* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
* modified SAE routines to be more robust and PWE generation to be
stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* increases maximum value accepted for cwmin/cwmax
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* added Fast Session Transfer (FST) module
* removed optional fields from RSNE when using FT with PMF (workaround for
interoperability issues with iOS 8.4)
* added EAP server support for TLS session resumption
* fixed key derivation for Suite B 192-bit AKM (this breaks compatibility
with the earlier version)
* added mechanism to track unconnected stations and do minimal band
steering
* number of small fixes

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-1201=1

– openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-1201=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE Leap 42.3 (i586 x86_64):

hostapd-2.6-8.1
hostapd-debuginfo-2.6-8.1
hostapd-debugsource-2.6-8.1

– openSUSE Leap 42.2 (i586 x86_64):

hostapd-2.6-5.3.1
hostapd-debuginfo-2.6-5.3.1
hostapd-debugsource-2.6-5.3.1

References:

https://www.suse.com/security/cve/CVE-2015-1863.html
https://www.suse.com/security/cve/CVE-2015-4141.html
https://www.suse.com/security/cve/CVE-2015-4142.html
https://www.suse.com/security/cve/CVE-2015-4143.html
https://www.suse.com/security/cve/CVE-2015-4144.html
https://www.suse.com/security/cve/CVE-2015-4145.html
https://www.suse.com/security/cve/CVE-2015-5314.html
https://www.suse.com/security/cve/CVE-2016-4476.html
https://www.suse.com/security/cve/CVE-2017-13078.html
https://www.suse.com/security/cve/CVE-2017-13079.html
https://www.suse.com/security/cve/CVE-2017-13080.html
https://www.suse.com/security/cve/CVE-2017-13081.html
https://www.suse.com/security/cve/CVE-2017-13087.html
https://www.suse.com/security/cve/CVE-2017-13088.html
https://bugzilla.suse.com/1063479
https://bugzilla.suse.com/930077
https://bugzilla.suse.com/930078
https://bugzilla.suse.com/930079

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org