Packages changed: cpio curl (7.66.0 -> 7.67.0) kernel-source (5.3.8 -> 5.3.9) rpm-config-SUSE (0.g42 -> 0.g44) snapper (0.8.5 -> 0.8.6) wpa_supplicant (2.6 -> 2.9) zstd (1.4.3 -> 1.4.4) === Details === ==== cpio ==== - add cpio-2.12-CVE-2019-14866.patch to fix a security issue where cpio does not properly validate the values written in the header of a TAR file through the to_oct() function [bsc#1155199] [CVE-2019-14866] ==== curl ==== Version update (7.66.0 -> 7.67.0) Subpackages: libcurl4 - Update spec file with spec-cleaner - Update to 7.67.0 * Changes: - curl: added --no-progress-meter - setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part * Bugfixes: - BINDINGS: five new bindings addded - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time - CURLOPT_TIMEOUT.3: remove the mention of "minutes" - ESNI: initial build/setup support - FTP: FTPFILE_NOCWD: avoid redundant CWDs - FTP: allow "rubbish" prepended to the SIZE response - FTP: remove trailing slash from path for LIST/MLSD - FTP: skip CWD to entry dir when target is absolute - FTP: url-decode path before evaluation - HTTP3.md: move -p for mkdir, remove -j for make - HTTP3: fix invalid use of sendto for connected UDP socket - HTTP3: fix prefix parameter for ngtcp2 build - HTTP3: show an --alt-svc using example too - INSTALL: add missing space for configure commands - INSTALL: add vcpkg installation instructions - altsvc: accept quoted ma and persist values - altsvc: both backends run h3-23 now - appveyor: Add MSVC ARM64 build - appveyor: Use two parallel compilation on appveyor with CMake - appveyor: add --disable-proxy autotools build - appveyor: publish artifacts on appveyor - appveyor: upgrade VS2017 to VS2019 - asyn-thread: make use of Curl_socketpair() where available - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines - checksrc: fix uninitialized variable warning - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build - cirrus: switch off blackhole status on the freebsd CI machines - cleanups: 21 various PVS-Studio warnings - configure: only say ipv6 enabled when the variable is set - configure: remove all cyassl references - conn-reuse: requests wanting NTLM can reuse non-NTLM connections - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT - connect: silence sign-compare warning - cookie: avoid harmless use after free - cookie: pass in the correct cookie amount to qsort() - cookies: change argument type for Curl_flush_cookies - cookies: using a share with cookies shouldn't enable the cookie engine - copyrights: update copyright notices to 2019 - curl: create easy handles on-demand and not ahead of time - curl: ensure HTTP 429 triggers --retry - curl: exit the create_transfers loop on errors - curl: fix memory leaked by parse_metalink() - curl: load large files with -d @ much faster - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag - docs: added multi-event.c example - docs: disambiguate CURLUPART_HOST is for host name (ie no port) - docs: note on failed handles not being counted by curl_multi_perform - doh: allow only http and https in debug mode - doh: avoid truncating DNS QTYPE to lower octet - doh: clean up dangling DOH memory on easy close - doh: fix (harmless) buffer overrun - doh: fix undefined behaviour and open up for gcc and clang optimization - doh: return early if there is no time left - examples/sslbackend: fix -Wchar-subscripts warning - gnutls: make gnutls_bye() not wait for response on shutdown - http2: expire a timeout at end of stream - http2: prevent dup'ed handles to send dummy PRIORITY frames - http2: relax verification of :authority in push promise requests - http2_recv: a closed stream trumps pause state - http: lowercase headernames for HTTP/2 and HTTP/3 - ldap: Stop using wide char version of ldapp_err2string - ldap: fix OOM error on missing query string - mbedtls: add error message for cert validity starting in the future - mime: when disabled, avoid C99 macro - ngtcp2: adapt to API change - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 - ngtcp2: remove fprintf() calls - openssl: close_notify on the FTP data connection doesn't mean closure - openssl: use strerror on SSL_ERROR_SYSCALL - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr - parsedate: fix date parsing disabled builds - quiche: don't close connection at end of stream - quiche: persist connection details (fixes -I with --http3) - quiche: set 'drain' when returning without having drained the queues - quiche: update HTTP/3 config creation to new API - redirect: handle redirects to absolute URLs containing spaces - runtests: get textaware info from curl instead of perl - schannel: reverse the order of certinfo insertions - schannel_verify: Fix concurrent openings of CA file - security: silence conversion warning - setopt: handle ALTSVC set to NULL - setopt: make it easier to add new enum values - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly - smb: check for full size message before reading message details - smbserver: fix Python 3 compatibility - socks: Fix destination host shown on SOCKS5 error - test1162: disable MSYS2's POSIX path conversion - test1591: fix spelling of http feature - tests: add 'connect to non-listen' keywords - tests: fix narrowing conversion warnings - tests: fix the test 3001 cert failures - tests: makes tests succeed when using --disable-proxy - tests: use %FILE_PWD for file:// URLs - tests: use port 2 instead of 60000 for a safer non-listening port - tool_operate: Fix retry sleep time shown to user when Retry-After - url: Curl_free_request_state() should also free doh handles - url: don't set appconnect time for non-ssl/non-ssh connections - url: fix the NULL hostname compiler warning - url: normalize CURLINFO_EFFECTIVE_URL - url: only reuse TLS connections with matching pinning - urlapi: avoid index underflow for short ipv6 hostnames - urlapi: fix URL encoding when setting a full URL - urlapi: question mark within fragment is still fragment - urldata: use 'bool' for the bit type on MSVC compilers - vtls: fix narrowing conversion warnings ==== kernel-source ==== Version update (5.3.8 -> 5.3.9) - Linux 5.3.9 (bnc#11519). - io_uring: fix up O_NONBLOCK handling for sockets (bnc#1151927). - dm snapshot: introduce account_start_copy() and account_end_copy() (bnc#1151927). - dm snapshot: rework COW throttling to fix deadlock (bnc#1151927). - Btrfs: fix inode cache block reserve leak on failure to allocate data space (bnc#1151927). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bnc#1151927). - iio: adc: meson_saradc: Fix memory allocation order (bnc#1151927). - iio: fix center temperature of bmc150-accel-core (bnc#1151927). - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature (bnc#1151927). - perf tests: Avoid raising SEGV using an obvious NULL dereference (bnc#1151927). - perf map: Fix overlapped map handling (bnc#1151927). - perf script brstackinsn: Fix recovery from LBR/binary mismatch (bnc#1151927). - perf jevents: Fix period for Intel fixed counters (bnc#1151927). - perf tools: Propagate get_cpuid() error (bnc#1151927). - perf annotate: Propagate perf_env__arch() error (bnc#1151927). - perf annotate: Fix the signedness of failure returns (bnc#1151927). - perf annotate: Propagate the symbol__annotate() error return (bnc#1151927). - perf annotate: Fix arch specific ->init() failure errors (bnc#1151927). - perf annotate: Return appropriate error code for allocation failures (bnc#1151927). - perf annotate: Don't return -1 for error when doing BPF disassembly (bnc#1151927). - staging: rtl8188eu: fix null dereference when kzalloc fails (bnc#1151927). - RDMA/siw: Fix serialization issue in write_space() (bnc#1151927). - RDMA/hfi1: Prevent memory leak in sdma_init (bnc#1151927). - RDMA/iw_cxgb4: fix SRQ access from dump_qp() (bnc#1151927). - RDMA/iwcm: Fix a lock inversion issue (bnc#1151927). - HID: hyperv: Use in-place iterator API in the channel callback (bnc#1151927). - kselftest: exclude failed TARGETS from runlist (bnc#1151927). - selftests/kselftest/runner.sh: Add 45 second timeout per test (bnc#1151927). - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request (bnc#1151927). - arm64: cpufeature: Effectively expose FRINT capability to userspace (bnc#1151927). - arm64: Fix incorrect irqflag restore for priority masking for compat (bnc#1151927). - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419 (bnc#1151927). - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()' (bnc#1151927). - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()' (bnc#1151927). - serial/sifive: select SERIAL_EARLYCON (bnc#1151927). - tty: n_hdlc: fix build on SPARC (bnc#1151927). - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach (bnc#1151927). - RDMA/core: Fix an error handling path in 'res_get_common_doit()' (bnc#1151927). - RDMA/cm: Fix memory leak in cm_add/remove_one (bnc#1151927). - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path (bnc#1151927). - RDMA/mlx5: Do not allow rereg of a ODP MR (bnc#1151927). - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu (bnc#1151927). - RDMA/mlx5: Add missing synchronize_srcu() for MW cases (bnc#1151927). - gpio: max77620: Use correct unit for debounce times (bnc#1151927). - fs: cifs: mute -Wunused-const-variable message (bnc#1151927). - arm64: vdso32: Fix broken compat vDSO build warnings (bnc#1151927). - arm64: vdso32: Detect binutils support for dmb ishld (bnc#1151927). - serial: mctrl_gpio: Check for NULL pointer (bnc#1151927). - serial: 8250_omap: Fix gpio check for auto RTS/CTS (bnc#1151927). - arm64: Default to building compat vDSO with clang when CONFIG_CC_IS_CLANG (bnc#1151927). - arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally (bnc#1151927). - efi/cper: Fix endianness of PCIe class code (bnc#1151927). - efi/x86: Do not clean dummy variable in kexec path (bnc#1151927). - MIPS: include: Mark __cmpxchg as __always_inline (bnc#1151927). - riscv: avoid kernel hangs when trapped in BUG() (bnc#1151927). - riscv: avoid sending a SIGTRAP to a user thread trapped in WARN() (bnc#1151927). - riscv: Correct the handling of unexpected ebreak in do_trap_break() (bnc#1151927). - x86/xen: Return from panic notifier (bnc#1151927). - ocfs2: clear zero in unaligned direct IO (bnc#1151927). - fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry() (bnc#1151927). - fs: ocfs2: fix a possible null-pointer dereference in ocfs2_write_end_nolock() (bnc#1151927). - fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc() (bnc#1151927). - btrfs: silence maybe-uninitialized warning in clone_range (bnc#1151927). - arm64: armv8_deprecated: Checking return value for memory allocation (bnc#1151927). - x86/cpu: Add Comet Lake to the Intel CPU models header (bnc#1151927). - sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bnc#1151927). - sched/vtime: Fix guest/system mis-accounting on task switch (bnc#1151927). - perf/core: Rework memory accounting in perf_mmap() (bnc#1151927). - perf/core: Fix corner case in perf_rotate_context() (bnc#1151927). - perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp (bnc#1151927). - drm/amdgpu: fix memory leak (bnc#1151927). - iio: imu: adis16400: release allocated memory on failure (bnc#1151927). - iio: imu: adis16400: fix memory leak (bnc#1151927). - iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller (bnc#1151927). - MIPS: include: Mark __xchg as __always_inline (bnc#1151927). - MIPS: fw: sni: Fix out of bounds init of o32 stack (bnc#1151927). - s390/cio: fix virtio-ccw DMA without PV (bnc#1151927). - virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr (bnc#1151927). - nbd: fix possible sysfs duplicate warning (bnc#1151927). - NFSv4: Fix leak of clp->cl_acceptor string (bnc#1151927). - SUNRPC: fix race to sk_err after xs_error_report (bnc#1151927). - s390/uaccess: avoid (false positive) compiler warnings (bnc#1151927). - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bnc#1151927). - perf annotate: Fix multiple memory and file descriptor leaks (bnc#1151927). - perf/aux: Fix tracking of auxiliary trace buffer allocation (bnc#1151927). - USB: legousbtower: fix a signedness bug in tower_probe() (bnc#1151927). - nbd: verify socket is supported during setup (bnc#1151927). - arm64: dts: qcom: Add Lenovo Miix 630 (bnc#1151927). - arm64: dts: qcom: Add HP Envy x2 (bnc#1151927). - arm64: dts: qcom: Add Asus NovaGo TP370QL (bnc#1151927). - rtw88: Fix misuse of GENMASK macro (bnc#1151927). - s390/pci: fix MSI message data (bnc#1151927). - thunderbolt: Correct path indices for PCIe tunnel (bnc#1151927). - thunderbolt: Use 32-bit writes when writing ring producer/consumer (bnc#1151927). - fuse: flush dirty data/metadata before non-truncate setattr (bnc#1151927). - fuse: truncate pending writes on O_TRUNC (bnc#1151927). - ALSA: bebob: Fix prototype of helper function to return negative value (bnc#1151927). - ALSA: timer: Fix mutex deadlock at releasing card (bnc#1151927). - ALSA: hda/realtek - Fix 2 front mics of codec 0x623 (bnc#1151927). - ALSA: hda/realtek - Add support for ALC623 (bnc#1151927). - ath10k: fix latency issue for QCA988x (bnc#1151927). - UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments") (bnc#1151927). - nl80211: fix validation of mesh path nexthop (bnc#1151927). - USB: gadget: Reject endpoints with 0 maxpacket value (bnc#1151927). - usb-storage: Revert commit 747668dbc061 ("usb-storage: Set virt_boundary_mask to avoid SG overflows") (bnc#1151927). - USB: ldusb: fix ring-buffer locking (bnc#1151927). - USB: ldusb: fix control-message timeout (bnc#1151927). - usb: xhci: fix Immediate Data Transfer endianness (bnc#1151927). - usb: xhci: fix __le32/__le64 accessors in debugfs code (bnc#1151927). - USB: serial: whiteheat: fix potential slab corruption (bnc#1151927). - USB: serial: whiteheat: fix line-speed endianness (bnc#1151927). - xhci: Fix use-after-free regression in xhci clear hub TT implementation (bnc#1151927). - scsi: qla2xxx: Fix partial flash write of MBI (bnc#1151927). - scsi: target: cxgbit: Fix cxgbit_fw4_ack() (bnc#1151927). - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (bnc#1151927). - HID: Fix assumption that devices have inputs (bnc#1151927). - HID: fix error message in hid_open_report() (bnc#1151927). - HID: logitech-hidpp: split g920_get_config() (bnc#1151927). - HID: logitech-hidpp: rework device validation (bnc#1151927). - HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bnc#1151927). - um-ubd: Entrust re-queue to the upper layers (bnc#1151927). - s390/unwind: fix mixing regs and sp (bnc#1151927). - s390/cmm: fix information leak in cmm_timeout_handler() (bnc#1151927). - s390/idle: fix cpu idle time calculation (bnc#1151927). - ARC: perf: Accommodate big-endian CPU (bnc#1151927). - IB/hfi1: Avoid excessive retry for TID RDMA READ request (bnc#1151927). - arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default (bnc#1151927). - arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003 (bnc#1151927). - virtio_ring: fix stalls for packed rings (bnc#1151927). - rtlwifi: rtl_pci: Fix problem of too small skb->len (bnc#1151927). - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bnc#1151927). - dmaengine: qcom: bam_dma: Fix resource leak (bnc#1151927). - dmaengine: tegra210-adma: fix transfer failure (bnc#1151927). - dmaengine: imx-sdma: fix size check for sdma script_number (bnc#1151927). - dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle (bnc#1151927). - drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE (bnc#1151927). - drm/i915: Fix PCH reference clock for FDI on HSW/BDW (bnc#1151927). - drm/amdgpu/gfx10: update gfx golden settings (bnc#1151927). - drm/amdgpu/powerplay/vega10: allow undervolting in p7 (bnc#1151927). - drm/amdgpu: Fix SDMA hang when performing VKexample test (bnc#1151927). - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() (bnc#1151927). - io_uring: ensure we clear io_kiocb->result before each issue (bnc#1151927). - iommu/vt-d: Fix panic after kexec -p for kdump (bnc#1151927). - batman-adv: Avoid free/alloc race when handling OGM buffer (bnc#1151927). - llc: fix sk_buff leak in llc_sap_state_process() (bnc#1151927). - llc: fix sk_buff leak in llc_conn_service() (bnc#1151927). - rxrpc: Fix call ref leak (bnc#1151927). - rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record (bnc#1151927). - rxrpc: Fix trace-after-put looking at the put peer record (bnc#1151927). - NFC: pn533: fix use-after-free and memleaks (bnc#1151927). - bonding: fix potential NULL deref in bond_update_slave_arr (bnc#1151927). - netfilter: conntrack: avoid possible false sharing (bnc#1151927). - net: usb: sr9800: fix uninitialized local variable (bnc#1151927). - sch_netem: fix rcu splat in netem_enqueue() (bnc#1151927). - net: sched: sch_sfb: don't call qdisc_put() while holding tree lock (bnc#1151927). - iwlwifi: exclude GEO SAR support for 3168 (bnc#1151927). - sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices (bnc#1151927). - ALSA: usb-audio: DSD auto-detection for Playback Designs (bnc#1151927). - ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel (bnc#1151927). - ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface (bnc#1151927). - RDMA/mlx5: Use irq xarray locking for mkey_table (bnc#1151927). - sched/fair: Fix -Wunused-but-set-variable warnings (bnc#1151927). - powerpc/powernv: Fix CPU idle to be called with IRQs disabled (bnc#1151927). - Revert "nvme: allow 64-bit results in passthru commands" (bnc#1151927). - Revert "ALSA: hda: Flush interrupts on disabling" (bnc#1151927). - commit b0d4923 - rpm/kernel-binary.spec.in: add COMPRESS_VMLINUX (bnc#1155921) Let COMPRESS_VMLINUX determine the compression used for vmlinux. By default (historically), it is gz. - commit c8b2d9f - ALSA: hda/ca0132 - Fix possible workqueue stall (bsc#1155836). - commit 98ead79 - stacktrace: Don't skip first entry on noncurrent tasks (bnc#1154866). Update upstream status. - commit f4d9b5e - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - commit 525ec92 - ata: make qc_prep return ata_completion_errors (bnc#1110252). - ata: define AC_ERR_OK (bnc#1110252). - ata: sata_mv, avoid trigerrable BUG_ON (bnc#1110252). - commit 8bf663b ==== rpm-config-SUSE ==== Version update (0.g42 -> 0.g44) - Update to version 0.g44: * Sync specfile changes * Add _lto_cflags to suse_macros for now ==== snapper ==== Version update (0.8.5 -> 0.8.6) Subpackages: libsnapper4 - add --machine-readable option for CSV and JSON outputs. - add --columns option for selecting columns in the commands list, list-configs and get-config. - bsc#1149322 - version 0.8.6 ==== wpa_supplicant ==== Version update (2.6 -> 2.9) - Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9499) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch ==== zstd ==== Version update (1.4.3 -> 1.4.4) - Update to version 1.4.4 * perf: Improved decompression speed, by > 10% * perf: Better compression speed when re-using a context * perf: Fix compression ratio when compressing large files with small dictionary * perf: zstd reference encoder can generate RLE blocks * perf: minor generic speed optimization * api: new ability to extract sequences from the parser for analysis * api: fixed decoding of magic-less frames * api: fixed ZSTD_initCStream_advanced() performance with fast modes * cli: Named pipes support * cli: short tar's extension support * cli: command --output-dir-flat=DIE , generates target files into requested directory * cli: commands --stream-size=# and --size-hint=# * cli: command --exclude-compressed * cli: faster -t test mode * cli: improved some error messages * cli: fix rare deadlock condition within dictionary builder * misc: Improved documentation : ZSTD_CLEVEL, DYNAMIC_BMI2, ZSTD_CDict, function deprecation, zstd format * misc: fixed educational decoder : accept larger literals section, and removed UNALIGNED() macro - Refresh pzstd.1.patch