As published by our hostapd upstream
Vulnerability
A general security vulnerability in the way the callback URLs in the UPnP
SUBSCRIBE command are used was reported (VU#339275, CVE-2020-12695).
Some of the described issues may be applicable to the use of UPnP in WPS
AP mode functionality for supporting external registrars.
Such issues could allow a device connected to the local network (i.e., a
device that has been authorized to transmit packets in the network in
which the AP is located) to trigger the AP to initiate an HTTP
(TCP/IP) connection to an arbitrary URL, including connections to
servers in external networks. This could have a security implication if
traffic from the local network to external destinations has different
rules (e.g., firewall and packet inspection) for different local hosts
and the AP has access to external hosts while the attacker-controlled
local device does not have such access. Such deployment cases may not be
common for networks where WPS would be enabled, but it is not possible
to completely rule out the applicability to cases where hostapd is used
to control a WPS enabled AP.
In addition to the more generic issues with the UPnP protocol, a couple of
implementation-specific issues in hostapd were discovered while
reviewing this area of the WPS implementation. These issues could allow
local devices (i.e., devices that have been authorized to transmit
packets in the network in which the AP is located) to trigger
misbehavior in hostapd and cause the process to either get terminated or
to start using more CPU resources by using a specially constructed
SUBSCRIBE command.
All these issues require the attacker to be able to discover the UPnP
service provided by hostapd and to open a TCP connection toward the IP
address of the AP. The former requires access to the local network to be
able to receive broadcast packets and the latter requires access to
initiate TCP/IP connection to the IP address used by the AP. In most
common AP deployment cases, both of these operations are available only
from the local network.
Vulnerable versions/configurations
All hostapd versions with WPS AP support with UPnP enabled in the build
parameters (CONFIG_WPS_UPNP=y) and in the runtime configuration
(upnp_iface).
Possible mitigation steps
- Disable WPS UPnP support in the hostapd runtime configuration by
removing the upnp_iface parameter.
- Merge the following commits to hostapd and rebuild:
For CVE-2020-12695:
WPS UPnP: Do not allow event subscriptions with URLs to other networks
For the other issues:
WPS UPnP: Fix event message generation using a long URL path
WPS UPnP: Handle HTTP initiation failures for events more properly
These patches are available from https://w1.fi/security/2020-1/
- Update to hostapd v2.10 or newer, once available
Obtained from: https://w1.fi/security/2020-1/
MFH: 2020Q2
Security: VU#339275 and CVE-2020-12695
Notes:
svn path=/head/; revision=538281

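The advisory in the commit above describes SUBSCRIBE callback URLs that point outside the local network (CVE-2020-12695) and two hostapd-specific problems triggered by specially constructed SUBSCRIBE commands. As an added illustration that is not hostapd's code and not part of this commit log, the Python below shows the kind of check a UPnP event-subscription handler needs: it accepts only HTTP callback URLs whose literal IPv4 host lies inside the AP interface's own subnet and bounds the URL length; the interface address, netmask, length limit and sample CALLBACK header are all constructed for the example.

```python
"""Validate UPnP SUBSCRIBE callback URLs against the AP's local subnet.
Constructed example (not hostapd code) mirroring the intent of the
"Do not allow event subscriptions with URLs to other networks" fix."""
import ipaddress
from urllib.parse import urlsplit

MAX_CALLBACK_URL_LEN = 256  # assumed bound; hostapd's own limits differ

def parse_callback_header(value):
    """Split a CALLBACK header value of the form '<url1><url2>' into URLs."""
    urls = []
    for chunk in value.split(">"):
        chunk = chunk.strip()
        if chunk.startswith("<"):
            urls.append(chunk[1:].strip())
    return urls

def callback_url_allowed(url, iface_ip, iface_netmask,
                         max_len=MAX_CALLBACK_URL_LEN):
    """True only for http://<ipv4-literal>[:port]/path inside the AP's subnet."""
    if len(url) > max_len:
        return False  # refuse overly long URLs before any further parsing
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False  # no other schemes, no empty host
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # DNS names would need resolution; accept IP literals only
    if host.version != 4 or host.is_loopback or host.is_multicast:
        return False
    local = ipaddress.ip_interface(f"{iface_ip}/{iface_netmask}").network
    if host not in local:
        return False  # the CVE-2020-12695 case: a host on another network
    return host not in (local.network_address, local.broadcast_address)

def accepted_callbacks(header_value, iface_ip, iface_netmask):
    """Return only the callback URLs a subscription may be created for."""
    return [u for u in parse_callback_header(header_value)
            if callback_url_allowed(u, iface_ip, iface_netmask)]

if __name__ == "__main__":
    # Constructed CALLBACK header: one local target and one external target.
    header = "<http://192.168.1.50:8080/notify><http://203.0.113.9/notify>"
    print(accepted_callbacks(header, "192.168.1.1", "255.255.255.0"))
```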
Silence the once per second CTRL-EVENT-SCAN-FAILED errors when the WiFi
radio is disabled through the communication device toggle key (also known
as the RF radio kill button). Only the CTRL-EVENT-DISCONNECTED will be
issued.
Submitted by: avg
Reported by: avg
MFH: 2020Q2
Notes:
svn path=/head/; revision=535967

Notes:
svn path=/head/; revision=509577

(and 3 missed files from previous categories.)
Notes:
svn path=/head/; revision=508903

simply altering /etc/rc.conf isn't enough to make use of the ports
versions of hostapd and wpa_supplicant. This is because the rc.d
scripts are not installed when WITHOUT_WIRELESS is specified as a
build option. This patch checks for the rc scripts existence and
if they do not exist, installs the ports versions of the same
scripts, which are added by this revision.
This patch does not change the package in any way and there is no way
to enable this outside of removal of hostapd or wpa_supplicant
(depending on the port). Users who build their own world using the
WITHOUT_WIRELESS flag will almost always not use binary packages. Hence
the automatic detection and install of the rc scripts. Making this an
option would IMO increase the number of bug reports due to people
inadvertently setting or not setting an option.
To enable this a person must:
1. buildworld and installworld -DWITHOUT_WIRELESS
2. Build and install the desired wpa_supplicant and/or hostapd port
on servers one wishes to install them on.
PR: 238571
Notes:
svn path=/head/; revision=504433

Notes:
svn path=/head/; revision=499654

PR: 236230
Reported by: mt@markoturk.info
MFH: 2019Q1
Notes:
svn path=/head/; revision=494674

Notes:
svn path=/head/; revision=486778

Notes:
svn path=/head/; revision=477405

of net/hostapd.
Suggested by: leres@
Approved by: leres@
Notes:
svn path=/head/; revision=477404

WPA: Ignore unauthenticated encrypted EAPOL-Key data
Though hostapd is technically not vulnerable, the mitigation for
CVE-2018-14526 does apply cleanly, therefore it is applied to maintain
consistency with net/wpa_supplicant and wpa in base.
Approved by: leres@
MFH: 2018Q3
Differential Revision: https://reviews.freebsd.org/D16718
Notes:
svn path=/head/; revision=477403

patches per site as suggested by mat@.
Suggested by: mat@
Differential Revision: https://reviews.freebsd.org/D16718
Notes:
svn path=/head/; revision=477402

OpenSSL 1.1 API.
PR: 227172
Submitted by: brnrd
Reported by: brnrd
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D14957
Notes:
svn path=/head/; revision=466381

Remove obsolete mirrors.
- devel/arduino
- devel/arduino-irremote
- net/hostapd
- security/broccoli
- sysutils/lbl-cf
- sysutils/lbl-hf
- www/mini_httpd
Reviewed by: ler (mentor), matthew (mentor)
Approved by: ler (mentor), matthew (mentor)
Differential Revision: https://reviews.freebsd.org/D12748
Notes:
svn path=/head/; revision=452566

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
Approved by: leres (maintainer)
Security: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Security: https://www.krackattacks.com/
MFH: 2017Q4
Differential Revision: D12691
Notes:
svn path=/head/; revision=452257

Approved by: leres (maintainer)
MFH: 2017Q4
Differential Revision: D12691 (part of)
Notes:
svn path=/head/; revision=452256

to use my @FreeBSD.org email address.
- devel/arduino
- devel/arduino-glcd
- devel/arduino-irremote
- devel/arduino-mk
- devel/arduino-sevseg
- net/hostapd
- net/py-pcap
- security/bro
- security/broccoli
- security/create-cert
- sysutils/lbl-cf
- sysutils/lbl-hf
- www/mini_httpd
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D12374
Notes:
svn path=/head/; revision=449916

Not bumping PORTREVISION as default options are NOT libressl
PR: 218802
Submitted by: w.schwarzenfeld@utanet.at
Approved by: adamw (mentor, implicit), leres@ee.lbl.gov (maintainer)
Notes:
svn path=/head/; revision=440391

PR: 218036
Notes:
svn path=/head/; revision=437179

PR: 217907
Submitted by: maintainer
Approved by: mat (mentor)
Differential Revision: https://reviews.freebsd.org/D10051
Notes:
svn path=/head/; revision=436625

For completeness, make update os_unix.h patch to match the previous
commit to os_unix.c (no impact for FreeBSD)
Notes:
svn path=/head/; revision=423019

1. Return the driver_bsd.c patch, it's still required for DF
2. Modify the os_unix.c patch to include exception for DF
3. Add patch to fix build with LibreSSL (originates from OpenBSD)
4. There's no configure set, so replace ineffective configure arg
with CFLAGS and LDFLAGS for non-base SSL library
Approved by: SSL blanket and DF blanket
Notes:
svn path=/head/; revision=423004

PR: 212779
Submitted by: leres at ee.lbl.gov (maintainer)
Notes:
svn path=/head/; revision=422688

The port is now configured depending on the SSL base specified by the
SSL_DEFAULT variable. Before it would break by default if SSL_DEFAULT
was set to non-base. This change puts hostapd in line with the rest
of the ports tree.
Approved by: SSL blanket
Notes:
svn path=/head/; revision=421977

WITH_OPENSSL_* can't be set after bsd.port.pre.mk.
Fold all other usage into using SSL_DEFAULT == foo
PR: 210149
Submitted by: mat
Exp-run by: antoine
Sponsored by: The FreeBSD Foundation, Absolight
Differential Revision: https://reviews.freebsd.org/D6577
Notes:
svn path=/head/; revision=416966

Notes:
svn path=/head/; revision=396228

These are combined upstream patches 2015-2, 2015-3, 2015-4
They address the following security advisories:
* CVE-2015-4141
* CVE-2015-4142
* CVE-2015-4143
* CVE-2015-4144
* CVE-2015-4145
* CVE-2015-4146
These advisories also apply to security/wpa_supplicant
PR: 200567
Submitted by: Jason Unovitch
Approved by: maintainer (Craig Leres)
Notes:
svn path=/head/; revision=388314

Approved by: portmgr blanket
Notes:
svn path=/head/; revision=385279

Notes:
svn path=/head/; revision=382939

PR: 198889
Submitted by: maintainer (leres - ee.lbl.gov)
Notes:
svn path=/head/; revision=382595

PR: 195796
Notes:
svn path=/head/; revision=377064

While upgrading to the latest version released last week:
* Rebase .config file on latest sample version
* Support non-default prefixes
* Merge new contents of do-configure target into post-patch target
PR: 194315
Approved by: maintainer (Craig Leres)
Notes:
svn path=/head/; revision=370974

The domain for hostapd has changed from hostap.epitest.fi to w1.fi
although the former still redirects. Update WWW and MASTER_SITES to
reflect the new name.
Regenerate the l2 packet patch so that hostapd also builds on DragonFly
(no-op for FreeBSD).
While here, rearrange makefile to remove need for <pre> and <post> and
use of $PORTNAME in $WRKSRC which would break if PORTNAME changes.
Notes:
svn path=/head/; revision=370693

- Use just BSD3CLAUSE as LICENSE (according to README)
PR: ports/190726
Submitted by: leres@ee.lbl.gov [1]
Notes:
svn path=/head/; revision=356881

Notes:
svn path=/head/; revision=350124

PR: ports/187459
Submitted by: maintainer
Notes:
svn path=/head/; revision=348049

Notes:
svn path=/head/; revision=346465

net)
Notes:
svn path=/head/; revision=327755

Approved by: portmgr (bdrewery)
Notes:
svn path=/head/; revision=324744

PR: ports/175438
Submitted by: Craig Leres <leres@ee.lbl.gov> (maintainer)
Notes:
svn path=/head/; revision=311422

- Use ports framework for build:
- Bonus: Now honours CC/CFLAGS/LDFLAGS
- Remove DISTNAME override
- Update LICENSE (GPLv2 not GPLv1)
- Mark MAKE_JOBS_SAFE
- Patch Makefile to see $(CC) not "CC" when not verbose
- Pet portlint (LICENSE order)
- while here shift where arch is tested, and use MAN{1,8}PREFIX
PR: ports/169154 (based on)
Submitted by: koobs.freebsd@gmail.com
Approved by: maintainer, leres@ee.lbl.gov
Notes:
svn path=/head/; revision=299587

Hat: portmgr
Notes:
svn path=/head/; revision=285419

Notes:
svn path=/head/; revision=279399

servers. It implements IEEE 802.11 access point management, IEEE
802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and
RADIUS authentication server. The current version supports Linux
(Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
WWW: http://hostap.epitest.fi/hostapd/
PR: ports/154621
Submitted by: leres at ee.lbl.gov
Notes:
svn path=/head/; revision=268964