This update for hostapd fixes the following issues:
hostapd was updated to version 2.9:
- SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
- EAP-pwd changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
- fixed FT-EAP initial mobility domain association using PMKSA caching
- added configuration of airtime policy
- fixed FILS to add RSNE into (Re)Association Response frames
- fixed DPP bootstrapping URI parser of channel list
- added support for regulatory WMM limitation (for ETSI)
- added support for MACsec Key Agreement using IEEE 802.1X/PSK
- added experimental support for EAP-TEAP server (RFC 7170)
- added experimental support for EAP-TLS server with TLS v1.3
- added support for two server certificates/keys (RSA/ECC)
- added AKMSuiteSelector into 'STA <addr>' control interface data to
  determine which AKM was used for an association
- added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
fast reauthentication use to be disabled
- fixed an ECDH operation corner case with OpenSSL
Update to version 2.8:
- SAE changes
  - added support for SAE Password Identifier
  - changed default configuration to enable only group 19
    (i.e., disable groups 20, 21, 25, 26 from default configuration) and
    disable all unsuitable groups completely based on REVmd changes
  - improved anti-clogging token mechanism and SAE authentication
    frame processing during heavy CPU load; this mitigates some issues
    with potential DoS attacks trying to flood an AP with large number
    of SAE messages
  - added Finite Cyclic Group field in status code 77 responses
  - reject use of unsuitable groups based on new implementation guidance
    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
    groups with prime >= 256)
  - minimize timing and memory use differences...
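
The group restrictions listed above can be checked against an existing hostapd.conf before upgrading. The following is an added example, not part of the hostapd project or of this update notice: it flags sae_groups and pwd_group values that use Brainpool curves (2.9) and, for SAE, groups below the 2.8 size limits. The group table follows the IANA IKE group numbering; the sample configuration and the function names are constructed for illustration.

```python
import re

# IANA IKE group numbers -> (kind, prime size in bits, is Brainpool curve)
GROUPS = {
    1: ("FFC", 768, False), 2: ("FFC", 1024, False), 5: ("FFC", 1536, False),
    14: ("FFC", 2048, False), 15: ("FFC", 3072, False), 16: ("FFC", 4096, False),
    17: ("FFC", 6144, False), 18: ("FFC", 8192, False),
    19: ("ECC", 256, False), 20: ("ECC", 384, False), 21: ("ECC", 521, False),
    22: ("FFC", 1024, False), 23: ("FFC", 2048, False), 24: ("FFC", 2048, False),
    25: ("ECC", 192, False), 26: ("ECC", 224, False),
    27: ("ECC", 224, True), 28: ("ECC", 256, True),
    29: ("ECC", 384, True), 30: ("ECC", 512, True),
}

def group_problem(gid, key):
    """Return why group `gid` is rejected for config key `key`, or None if allowed."""
    if gid not in GROUPS:
        return "unknown group"
    kind, bits, brainpool = GROUPS[gid]
    if brainpool:  # 2.9: disabled for both SAE and EAP-pwd
        return "Brainpool curve"
    if key == "sae_groups":  # 2.8 size rule, listed above under SAE changes only
        if kind == "FFC" and bits < 3072:
            return f"FFC prime {bits} < 3072 bits"
        if kind == "ECC" and bits < 256:
            return f"ECC prime {bits} < 256 bits"
    return None

def audit_conf(text):
    """Return (line_no, key, group, reason) for each rejected group in the config."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"(sae_groups|pwd_group)=(.*)", line)
        if not m:
            continue  # comment lines and unrelated keys
        for tok in m.group(2).split():
            reason = group_problem(int(tok), m.group(1)) if tok.isdigit() else "not a number"
            if reason:
                findings.append((no, m.group(1), tok, reason))
    return findings

# Constructed sample configuration for the example
SAMPLE = "ssid=example\n# sae_groups=1 2\nsae_groups=19 20 21 25 26 28\npwd_group=29\n"

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE):
        print("line %d: %s group %s: %s" % finding)
```

Groups 20 and 21 pass the check because they meet the size rule; they are only removed from the default configuration, not rejected.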