[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-OPENSUSE-SU-2020:0222-1":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":28,"duplicates":29,"related":30,"reserved_at":9,"published_at":38,"modified_at":39,"state":9,"summary":40,"references_raw":42,"kevs":84,"epss":9,"epss_history":85,"metrics":86,"affected":87},"OPENSUSE-SU-2020:0222-1","Security update for hostapd\n\nThis update for hostapd fixes the following issues:\n\nhostapd was updated to version 2.9:\n\n* SAE changes\n  - disable use of groups using Brainpool curves\n  - improved protection against side channel attacks\n    [https://w1.fi/security/2019-6/]\n* EAP-pwd changes\n  - disable use of groups using Brainpool curves\n  - improved protection against side channel attacks\n  [https://w1.fi/security/2019-6/]\n* fixed FT-EAP initial mobility domain association using PMKSA caching\n* added configuration of airtime policy\n* fixed FILS to add RSNE into (Re)Association Response frames\n* fixed DPP bootstrapping URI parser of channel list\n* added support for regulatory WMM limitation (for ETSI)\n* added support for MACsec Key Agreement using IEEE 802.1X/PSK\n* added experimental support for EAP-TEAP server (RFC 7170)\n* added experimental support for EAP-TLS server with TLS v1.3\n* added support for two server certificates/keys (RSA/ECC)\n* added AKMSuiteSelector into 'STA \u003Caddr>' control interface data to\n  determine which AKM was used for an association\n* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and\n  fast reauthentication use to be disabled\n* fixed an ECDH operation corner case with OpenSSL\n\nUpdate to version 2.8\n* SAE changes\n  - added support for SAE Password Identifier\n  - changed default configuration to enable only group 19\n    (i.e., disable groups 20, 21, 25, 26 from default configuration) and\n 
   disable all unsuitable groups completely based on REVmd changes\n  - improved anti-clogging token mechanism and SAE authentication\n    frame processing during heavy CPU load; this mitigates some issues\n    with potential DoS attacks trying to flood an AP with large number\n    of SAE messages\n  - added Finite Cyclic Group field in status code 77 responses\n  - reject use of unsuitable groups based on new implementation guidance\n    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC\n    groups with prime >= 256)\n  - minimize timing and memory use differences in PWE derivation\n    [https://w1.fi/security/2019-1/] (CVE-2019-9494)\n  - fixed confirm message validation in error cases\n    [https://w1.fi/security/2019-3/] (CVE-2019-9496)\n* EAP-pwd changes\n  - minimize timing and memory use differences in PWE derivation\n    [https://w1.fi/security/2019-2/] (CVE-2019-9495)\n  - verify peer scalar/element\n    [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)\n  - fix message reassembly issue with unexpected fragment\n    [https://w1.fi/security/2019-5/]\n  - enforce rand,mask generation rules more strictly\n  - fix a memory leak in PWE derivation\n  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and\n    27)\n* Hotspot 2.0 changes\n  - added support for release number 3\n  - reject release 2 or newer association without PMF\n* added support for RSN operating channel validation\n  (CONFIG_OCV=y and configuration parameter ocv=1)\n* added Multi-AP protocol support\n* added FTM responder configuration\n* fixed build with LibreSSL\n* added FT/RRB workaround for short Ethernet frame padding\n* fixed KEK2 derivation for FILS+FT\n* added RSSI-based association rejection from OCE\n* extended beacon reporting functionality\n* VLAN changes\n  - allow local VLAN management with remote RADIUS authentication\n  - add WPA/WPA2 passphrase/PSK -based VLAN assignment\n* OpenSSL: allow systemwide policies to be overridden\n* 
extended PEAP to derive EMSK to enable use with ERP/FILS\n* extended WPS to allow SAE configuration to be added automatically\n  for PSK (wps_cred_add_sae=1)\n* fixed FT and SA Query Action frame with AP-MLME-in-driver cases\n* OWE: allow Diffie-Hellman Parameter element to be included with DPP\n  in preparation for DPP protocol extension\n* RADIUS server: started to accept ERP keyName-NAI as user identity\n  automatically without matching EAP database entry\n* fixed PTK rekeying with FILS and FT\n\nwpa_supplicant:\n* SAE changes\n  - added support for SAE Password Identifier\n  - changed default configuration to enable only groups 19, 20, 21\n    (i.e., disable groups 25 and 26) and disable all unsuitable groups\n    completely based on REVmd changes\n  - do not regenerate PWE unnecessarily when the AP uses the\n    anti-clogging token mechanisms\n  - fixed some association cases where both SAE and FT-SAE were enabled\n    on both the station and the selected AP\n  - started to prefer FT-SAE over SAE AKM if both are enabled\n  - started to prefer FT-SAE over FT-PSK if both are enabled\n  - fixed FT-SAE when SAE PMKSA caching is used\n  - reject use of unsuitable groups based on new implementation guidance\n    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC\n    groups with prime >= 256)\n  - minimize timing and memory use differences in PWE derivation\n    [https://w1.fi/security/2019-1/] (CVE-2019-9494)\n* EAP-pwd changes\n  - minimize timing and memory use differences in PWE derivation\n    [https://w1.fi/security/2019-2/] (CVE-2019-9495)\n  - verify server scalar/element\n    [https://w1.fi/security/2019-4/] (CVE-2019-9499)\n  - fix message reassembly issue with unexpected fragment\n    [https://w1.fi/security/2019-5/]\n  - enforce rand,mask generation rules more strictly\n  - fix a memory leak in PWE derivation\n  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and\n    27)\n* fixed CONFIG_IEEE80211R=y (FT) build without 
CONFIG_FILS=y\n* Hotspot 2.0 changes\n  - do not indicate release number that is higher than the one\n    AP supports\n  - added support for release number 3\n  - enable PMF automatically for network profiles created from\n    credentials\n* fixed OWE network profile saving\n* fixed DPP network profile saving\n* added support for RSN operating channel validation\n  (CONFIG_OCV=y and network profile parameter ocv=1)\n* added Multi-AP backhaul STA support\n* fixed build with LibreSSL\n* number of MKA/MACsec fixes and extensions\n* extended domain_match and domain_suffix_match to allow list of values\n* fixed dNSName matching in domain_match and domain_suffix_match when\n  using wolfSSL\n* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both\n  are enabled\n* extended nl80211 Connect and external authentication to support\n  SAE, FT-SAE, FT-EAP-SHA384\n* fixed KEK2 derivation for FILS+FT\n* extended client_cert file to allow loading of a chain of PEM\n  encoded certificates\n* extended beacon reporting functionality\n* extended D-Bus interface with number of new properties\n* fixed a regression in FT-over-DS with mac80211-based drivers\n* OpenSSL: allow systemwide policies to be overridden\n* extended driver flags indication for separate 802.1X and PSK\n  4-way handshake offload capability\n* added support for random P2P Device/Interface Address use\n* extended PEAP to derive EMSK to enable use with ERP/FILS\n* extended WPS to allow SAE configuration to be added automatically\n  for PSK (wps_cred_add_sae=1)\n* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)\n* extended domain_match and domain_suffix_match to allow list of values\n* added a RSN workaround for misbehaving PMF APs that advertise\n  IGTK/BIP KeyID using incorrect byte order\n* fixed PTK rekeying with FILS and FT\n\n- Enabled CLI editing and history support.\n\nUpdate to version 2.7\n\n* fixed WPA packet number reuse with replayed messages and key\n  reinstallation\n  
[http://w1.fi/security/2017-1/] (CVE-2017-13082) (boo#1056061)\n* added support for FILS (IEEE 802.11ai) shared key authentication\n* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;\n  and transition mode defined by WFA)\n* added support for DPP (Wi-Fi Device Provisioning Protocol)\n* FT:\n  - added local generation of PMK-R0/PMK-R1 for FT-PSK\n    (ft_psk_generate_local=1)\n  - replaced inter-AP protocol with a cleaner design that is more\n    easily extensible; this breaks backward compatibility and requires\n    all APs in the ESS to be updated at the same time to maintain FT\n    functionality\n  - added support for wildcard R0KH/R1KH\n  - replaced r0_key_lifetime (minutes) parameter with\n    ft_r0_key_lifetime (seconds)\n  - fixed wpa_psk_file use for FT-PSK\n  - fixed FT-SAE PMKID matching\n  - added expiration to PMK-R0 and PMK-R1 cache\n  - added IEEE VLAN support (including tagged VLANs)\n  - added support for SHA384 based AKM\n* SAE\n  - fixed some PMKSA caching cases with SAE\n  - added support for configuring SAE password separately of the\n    WPA2 PSK/passphrase\n  - added option to require MFP for SAE associations\n    (sae_require_pmf=1)\n  - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection\n    for SAE;\n    note: this is not backwards compatible, i.e., both the AP and\n    station side implementations will need to be updated at the same\n    time to maintain interoperability\n  - added support for Password Identifier\n* hostapd_cli: added support for command history and completion\n* added support for requesting beacon report\n* large number of other fixes, cleanup, and extensions\n* added option to configure EAPOL-Key retry limits\n  (wpa_group_update_count and wpa_pairwise_update_count)\n* removed all PeerKey functionality\n* fixed nl80211 AP mode configuration regression with Linux 4.15 and\n  newer\n* added support for using wolfSSL cryptographic library\n* fixed some 20/40 MHz coexistence cases where the 
BSS could drop to\n  20 MHz even when 40 MHz would be allowed\n* Hotspot 2.0\n  - added support for setting Venue URL ANQP-element (venue_url)\n  - added support for advertising Hotspot 2.0 operator icons\n  - added support for Roaming Consortium Selection element\n  - added support for Terms and Conditions\n  - added support for OSEN connection in a shared RSN BSS\n* added support for using OpenSSL 1.1.1\n* added EAP-pwd server support for salted passwords\n\n",null,[],[],[],[14,16,18,20,22,24,26],{"_key":15},"CVE-2017-13082",{"_key":17},"CVE-2019-9494",{"_key":19},"CVE-2019-9495",{"_key":21},"CVE-2019-9496",{"_key":23},"CVE-2019-9497",{"_key":25},"CVE-2019-9498",{"_key":27},"CVE-2019-9499",[],[],[31,32,33,34,35,36,37],{"_key":15},{"_key":17},{"_key":19},{"_key":21},{"_key":23},{"_key":25},{"_key":27},"2020-02-15T19:10:10Z","2026-02-04T03:44:46.483416Z",{"cisa_kev":41,"cisa_ransomware":41,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[43,50,55,60,64,68,72,76,80],{"url":44,"sources":45,"tags":48},"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q7B4Y5BPIVXIPXUAQX744IATOJBYNYP6/",[46,47],"osv_suse","osv_opensuse",[49],"Advisory",{"url":51,"sources":52,"tags":53},"https://bugzilla.suse.com/1056061",[46,47],[54],"REPORT",{"url":56,"sources":57,"tags":58},"https://www.suse.com/security/cve/CVE-2017-13082",[46,47],[59],"WEB",{"url":61,"sources":62,"tags":63},"https://www.suse.com/security/cve/CVE-2019-9494",[46,47],[59],{"url":65,"sources":66,"tags":67},"https://www.suse.com/security/cve/CVE-2019-9495",[46,47],[59],{"url":69,"sources":70,"tags":71},"https://www.suse.com/security/cve/CVE-2019-9496",[46,47],[59],{"url":73,"sources":74,"tags":75},"https://www.suse.com/security/cve/CVE-2019-9497",[46,47],[59],{"url":77,"sources":78,"tags":79},"https://www.suse.com/security/cve/CVE-2019-9498",[46,47],[59],{"url":81,"so
urces":82,"tags":83},"https://www.suse.com/security/cve/CVE-2019-9499",[46,47],[59],[],[],[],[88,101,107],{"ecosystem":89,"name":90,"vendor":91,"product":92,"cpe_part":9,"purl_type":93,"purl_namespace":91,"purl_name":92,"source":9,"versions":94},"openSUSE","hostapd","opensuse","hostapd&distro=openSUSE Leap 15.1","rpm",[95],{"version":96,"is_range":97,"range_type":98,"version_start":9,"version_start_type":9,"version_end":99,"version_end_type":100,"fixed_in":9},"lt2_9_bp151_5_3_1",true,"ecosystem","2.9-bp151.5.3.1","excluding",{"ecosystem":102,"name":90,"vendor":103,"product":104,"cpe_part":9,"purl_type":93,"purl_namespace":103,"purl_name":104,"source":9,"versions":105},"SUSE Linux Enterprise","suse","hostapd&distro=SUSE Package Hub 15",[106],{"version":96,"is_range":97,"range_type":98,"version_start":9,"version_start_type":9,"version_end":99,"version_end_type":100,"fixed_in":9},{"ecosystem":102,"name":90,"vendor":103,"product":108,"cpe_part":9,"purl_type":93,"purl_namespace":103,"purl_name":108,"source":9,"versions":109},"hostapd&distro=SUSE Package Hub 15 SP1",[110],{"version":96,"is_range":97,"range_type":98,"version_start":9,"version_start_type":9,"version_end":99,"version_end_type":100,"fixed_in":9}]