[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-OPENSUSE-SU-2020:2053-1":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":58,"duplicates":59,"related":60,"reserved_at":9,"published_at":83,"modified_at":84,"state":9,"summary":85,"references_raw":87,"kevs":244,"epss":9,"epss_history":245,"metrics":246,"affected":247},"OPENSUSE-SU-2020:2053-1","Security update for wpa_supplicant\n\nThis update for wpa_supplicant fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-16275: Fixed an AP mode PMF disconnection protection bypass (bsc#1150934).\n\nNon-security issues fixed:\n\n- Enable SAE support (jsc#SLE-14992).\n- Limit P2P_DEVICE name to appropriate ifname size.\n- Fix wicked wlan (bsc#1156920)\n- Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)\n- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)\n- Fix WLAN config on boot with wicked. 
(bsc#1166933)\n- Update to 2.9 release:\n   * SAE changes\n     - disable use of groups using Brainpool curves\n     - improved protection against side channel attacks\n     [https://w1.fi/security/2019-6/]\n   * EAP-pwd changes\n     - disable use of groups using Brainpool curves\n     - allow the set of groups to be configured (eap_pwd_groups)\n     - improved protection against side channel attacks\n     [https://w1.fi/security/2019-6/]\n   * fixed FT-EAP initial mobility domain association using PMKSA caching\n     (disabled by default for backwards compatibility; can be enabled\n     with ft_eap_pmksa_caching=1)\n   * fixed a regression in OpenSSL 1.1+ engine loading\n   * added validation of RSNE in (Re)Association Response frames\n   * fixed DPP bootstrapping URI parser of channel list\n   * extended EAP-SIM/AKA fast re-authentication to allow use with FILS\n   * extended ca_cert_blob to support PEM format\n   * improved robustness of P2P Action frame scheduling\n   * added support for EAP-SIM/AKA using anonymous@realm identity\n   * fixed Hotspot 2.0 credential selection based on roaming consortium\n     to ignore credentials without a specific EAP method\n   * added experimental support for EAP-TEAP peer (RFC 7170)\n   * added experimental support for EAP-TLS peer with TLS v1.3\n   * fixed a regression in WMM parameter configuration for a TDLS peer\n   * fixed a regression in operation with drivers that offload 802.1X\n     4-way handshake\n   * fixed an ECDH operation corner case with OpenSSL\n   * SAE changes\n     - added support for SAE Password Identifier\n     - changed default configuration to enable only groups 19, 20, 21\n       (i.e., disable groups 25 and 26) and disable all unsuitable groups\n       completely based on REVmd changes\n     - do not regenerate PWE unnecessarily when the AP uses the\n       anti-clogging token mechanisms\n     - fixed some association cases where both SAE and FT-SAE were enabled\n       on both the station and the 
selected AP\n     - started to prefer FT-SAE over SAE AKM if both are enabled\n     - started to prefer FT-SAE over FT-PSK if both are enabled\n     - fixed FT-SAE when SAE PMKSA caching is used\n     - reject use of unsuitable groups based on new implementation guidance\n       in REVmd (allow only FFC groups with prime >= 3072 bits and ECC\n       groups with prime >= 256)\n     - minimize timing and memory use differences in PWE derivation\n       [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)\n   * EAP-pwd changes\n     - minimize timing and memory use differences in PWE derivation\n       [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)\n     - verify server scalar/element\n       [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,\n       CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)\n     - fix message reassembly issue with unexpected fragment\n       [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)\n     - enforce rand,mask generation rules more strictly\n     - fix a memory leak in PWE derivation\n     - disallow ECC groups with a prime under 256 bits (groups 25, 26, and\n       27)\n     - SAE/EAP-pwd side-channel attack update\n       [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)\n   * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y\n   * Hotspot 2.0 changes\n     - do not indicate release number that is higher than the one\n       AP supports\n     - added support for release number 3\n     - enable PMF automatically for network profiles created from\n       credentials\n   * fixed OWE network profile saving\n   * fixed DPP network profile saving\n   * added support for RSN operating channel validation\n     (CONFIG_OCV=y and network profile parameter ocv=1)\n   * added Multi-AP backhaul STA support\n   * fixed build with LibreSSL\n   * number of MKA/MACsec fixes and extensions\n   * extended domain_match and domain_suffix_match to allow list of 
values\n   * fixed dNSName matching in domain_match and domain_suffix_match when\n     using wolfSSL\n   * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both\n     are enabled\n   * extended nl80211 Connect and external authentication to support\n     SAE, FT-SAE, FT-EAP-SHA384\n   * fixed KEK2 derivation for FILS+FT\n   * extended client_cert file to allow loading of a chain of PEM\n     encoded certificates\n   * extended beacon reporting functionality\n   * extended D-Bus interface with number of new properties\n   * fixed a regression in FT-over-DS with mac80211-based drivers\n   * OpenSSL: allow systemwide policies to be overridden\n   * extended driver flags indication for separate 802.1X and PSK\n     4-way handshake offload capability\n   * added support for random P2P Device/Interface Address use\n   * extended PEAP to derive EMSK to enable use with ERP/FILS\n   * extended WPS to allow SAE configuration to be added automatically\n     for PSK (wps_cred_add_sae=1)\n   * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)\n   * extended domain_match and domain_suffix_match to allow list of values\n   * added a RSN workaround for misbehaving PMF APs that advertise\n     IGTK/BIP KeyID using incorrect byte order\n   * fixed PTK rekeying with FILS and FT\n   * fixed WPA packet number reuse with replayed messages and key\n     reinstallation\n     [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,\n     CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,\n     CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)\n   * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant\n     [https://w1.fi/security/2018-1/] (CVE-2018-14526)\n   * added support for FILS (IEEE 802.11ai) shared key authentication\n   * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;\n     and transition mode defined by WFA)\n   * added support for DPP (Wi-Fi Device Provisioning Protocol)\n   * added support for 
RSA 3k key case with Suite B 192-bit level\n   * fixed Suite B PMKSA caching not to update PMKID during each 4-way\n     handshake\n   * fixed EAP-pwd pre-processing with PasswordHashHash\n   * added EAP-pwd client support for salted passwords\n   * fixed a regression in TDLS prohibited bit validation\n   * started to use estimated throughput to avoid undesired signal\n     strength based roaming decision\n   * MACsec/MKA:\n     - new macsec_linux driver interface support for the Linux\n       kernel macsec module\n     - number of fixes and extensions\n   * added support for external persistent storage of PMKSA cache\n     (PMKSA_GET/PMKSA_ADD control interface commands; and\n      MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)\n   * fixed mesh channel configuration pri/sec switch case\n   * added support for beacon report\n   * large number of other fixes, cleanup, and extensions\n   * added support for randomizing local address for GAS queries\n     (gas_rand_mac_addr parameter)\n   * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel\n   * added option for using random WPS UUID (auto_uuid=1)\n   * added SHA256-hash support for OCSP certificate matching\n   * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure\n   * fixed a regression in RSN pre-authentication candidate selection\n   * added option to configure allowed group management cipher suites\n     (group_mgmt network profile parameter)\n   * removed all PeerKey functionality\n   * fixed nl80211 AP and mesh mode configuration regression with\n     Linux 4.15 and newer\n   * added ap_isolate configuration option for AP mode\n   * added support for nl80211 to offload 4-way handshake into the driver\n   * added support for using wolfSSL cryptographic library\n   * SAE\n     - added support for configuring SAE password separately of the\n       WPA2 PSK/passphrase\n     - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection\n       for SAE;\n       note: this is not backwards 
compatible, i.e., both the AP and\n       station side implementations will need to be updated at the same\n       time to maintain interoperability\n     - added support for Password Identifier\n     - fixed FT-SAE PMKID matching\n   * Hotspot 2.0\n     - added support for fetching of Operator Icon Metadata ANQP-element\n     - added support for Roaming Consortium Selection element\n     - added support for Terms and Conditions\n     - added support for OSEN connection in a shared RSN BSS\n     - added support for fetching Venue URL information\n   * added support for using OpenSSL 1.1.1\n   * FT\n     - disabled PMKSA caching with FT since it is not fully functional\n     - added support for SHA384 based AKM\n     - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,\n       BIP-GMAC-256 in addition to previously supported BIP-CMAC-128\n     - fixed additional IE inclusion in Reassociation Request frame when\n       using FT protocol\n\n- Changed service-files for start after network (systemd-networkd).\n\nThis update was imported from the SUSE:SLE-15:Update update 
project.",null,[],[],[],[14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56],{"_key":15},"CVE-2015-4141",{"_key":17},"CVE-2015-4142",{"_key":19},"CVE-2015-4143",{"_key":21},"CVE-2015-8041",{"_key":23},"CVE-2017-13077",{"_key":25},"CVE-2017-13078",{"_key":27},"CVE-2017-13079",{"_key":29},"CVE-2017-13080",{"_key":31},"CVE-2017-13081",{"_key":33},"CVE-2017-13082",{"_key":35},"CVE-2017-13086",{"_key":37},"CVE-2017-13087",{"_key":39},"CVE-2017-13088",{"_key":41},"CVE-2018-14526",{"_key":43},"CVE-2019-11555",{"_key":45},"CVE-2019-13377",{"_key":47},"CVE-2019-16275",{"_key":49},"CVE-2019-9494",{"_key":51},"CVE-2019-9495",{"_key":53},"CVE-2019-9497",{"_key":55},"CVE-2019-9498",{"_key":57},"CVE-2019-9499",[],[],[61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82],{"_key":15},{"_key":17},{"_key":19},{"_key":21},{"_key":23},{"_key":25},{"_key":27},{"_key":29},{"_key":31},{"_key":33},{"_key":35},{"_key":37},{"_key":39},{"_key":41},{"_key":43},{"_key":45},{"_key":47},{"_key":49},{"_key":51},{"_key":53},{"_key":55},{"_key":57},"2020-11-26T17:28:36Z","2026-02-04T03:04:39.782399Z",{"cisa_kev":86,"cisa_ransomware":86,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[88,94,99,103,107,111,115,119,123,127,131,135,139,143,147,151,155,160,164,168,172,176,180,184,188,192,196,200,204,208,212,216,220,224,228,232,236,240],{"url":89,"sources":90,"tags":92},"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2R3VXKTYLLUYFBZQ2NNAI5NSZOBXISJZ/",[91],"osv_opensuse",[93],"Advisory",{"url":95,"sources":96,"tags":97},"https://bugzilla.suse.com/1131644",[91],[98],"REPORT",{"url":100,"sources":101,"tags":102},"https://bugzilla.suse.com/1131868",[91],[98],{"url":104,"sources":105,"tags":106},"https://bugzilla.suse.com/1131870",[91],[98],{"url":108,"sources":109,"tags":110},"https://bugzilla.suse.com/1131871",[91],[98],{"u
rl":112,"sources":113,"tags":114},"https://bugzilla.suse.com/1131872",[91],[98],{"url":116,"sources":117,"tags":118},"https://bugzilla.suse.com/1131874",[91],[98],{"url":120,"sources":121,"tags":122},"https://bugzilla.suse.com/1133640",[91],[98],{"url":124,"sources":125,"tags":126},"https://bugzilla.suse.com/1144443",[91],[98],{"url":128,"sources":129,"tags":130},"https://bugzilla.suse.com/1150934",[91],[98],{"url":132,"sources":133,"tags":134},"https://bugzilla.suse.com/1156920",[91],[98],{"url":136,"sources":137,"tags":138},"https://bugzilla.suse.com/1166933",[91],[98],{"url":140,"sources":141,"tags":142},"https://bugzilla.suse.com/1167331",[91],[98],{"url":144,"sources":145,"tags":146},"https://bugzilla.suse.com/930077",[91],[98],{"url":148,"sources":149,"tags":150},"https://bugzilla.suse.com/930078",[91],[98],{"url":152,"sources":153,"tags":154},"https://bugzilla.suse.com/930079",[91],[98],{"url":156,"sources":157,"tags":158},"https://www.suse.com/security/cve/CVE-2015-4141",[91],[159],"WEB",{"url":161,"sources":162,"tags":163},"https://www.suse.com/security/cve/CVE-2015-4142",[91],[159],{"url":165,"sources":166,"tags":167},"https://www.suse.com/security/cve/CVE-2015-4143",[91],[159],{"url":169,"sources":170,"tags":171},"https://www.suse.com/security/cve/CVE-2015-8041",[91],[159],{"url":173,"sources":174,"tags":175},"https://www.suse.com/security/cve/CVE-2017-13077",[91],[159],{"url":177,"sources":178,"tags":179},"https://www.suse.com/security/cve/CVE-2017-13078",[91],[159],{"url":181,"sources":182,"tags":183},"https://www.suse.com/security/cve/CVE-2017-13079",[91],[159],{"url":185,"sources":186,"tags":187},"https://www.suse.com/security/cve/CVE-2017-13080",[91],[159],{"url":189,"sources":190,"tags":191},"https://www.suse.com/security/cve/CVE-2017-13081",[91],[159],{"url":193,"sources":194,"tags":195},"https://www.suse.com/security/cve/CVE-2017-13082",[91],[159],{"url":197,"sources":198,"tags":199},"https://www.suse.com/security/cve/CVE-2017-13086",[91],[159],{"
url":201,"sources":202,"tags":203},"https://www.suse.com/security/cve/CVE-2017-13087",[91],[159],{"url":205,"sources":206,"tags":207},"https://www.suse.com/security/cve/CVE-2017-13088",[91],[159],{"url":209,"sources":210,"tags":211},"https://www.suse.com/security/cve/CVE-2018-14526",[91],[159],{"url":213,"sources":214,"tags":215},"https://www.suse.com/security/cve/CVE-2019-11555",[91],[159],{"url":217,"sources":218,"tags":219},"https://www.suse.com/security/cve/CVE-2019-13377",[91],[159],{"url":221,"sources":222,"tags":223},"https://www.suse.com/security/cve/CVE-2019-16275",[91],[159],{"url":225,"sources":226,"tags":227},"https://www.suse.com/security/cve/CVE-2019-9494",[91],[159],{"url":229,"sources":230,"tags":231},"https://www.suse.com/security/cve/CVE-2019-9495",[91],[159],{"url":233,"sources":234,"tags":235},"https://www.suse.com/security/cve/CVE-2019-9497",[91],[159],{"url":237,"sources":238,"tags":239},"https://www.suse.com/security/cve/CVE-2019-9498",[91],[159],{"url":241,"sources":242,"tags":243},"https://www.suse.com/security/cve/CVE-2019-9499",[91],[159],[],[],[],[248],{"ecosystem":249,"name":250,"vendor":251,"product":252,"cpe_part":9,"purl_type":253,"purl_namespace":251,"purl_name":252,"source":9,"versions":254},"openSUSE","wpa_supplicant","opensuse","wpa_supplicant&distro=openSUSE Leap 15.1","rpm",[255],{"version":256,"is_range":257,"range_type":258,"version_start":9,"version_start_type":9,"version_end":259,"version_end_type":260,"fixed_in":9},"lt2_9_lp151_5_10_1",true,"ecosystem","2.9-lp151.5.10.1","excluding"]