Upstream recently produced release 2.11, as per <https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog>:
ChangeLog for wpa_supplicant
2024-07-20 - v2.11
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* MACsec
- add support for GCM-AES-256 cipher suite
- remove incorrect EAP Session-Id length constraint
- add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
- support BSS color updates
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
- discard unencrypted EAPOL frames in additional cases
- use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
- extend support for secure ranging
- allow PASN implementation to be used with external programs for
Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible, but PMKSA
caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
to improve security for still unfortunately common invalid
configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
- in addition, verify SSID after key setup when beacon protection is
used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions
2022-01-16 - v2.10
- -- System Information:
Debian Release: 12.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-23-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages hostapd depends on:
ii init-system-helpers 1.65.2
ii libc6 2.36-9+deb12u7
ii libnl-3-200 3.7.0-0.2+b1
ii libnl-genl-3-200 3.7.0-0.2+b1
ii libnl-route-3-200 3.7.0-0.2+b1
ii libssl3 3.0.13-1~deb12u1
hostapd recommends no packages.
hostapd suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmbA/T8ACgkQrh+Cd8S0
17YQVg//XqMLT4aNKoAYX8gCasy1N1jslOKSj3DXEwGpGLDdNbb4O+j0pG3tDBl0
BYgdWDeUA75gDlTWCziinxag91Gmft5+t6yv1airdaU1+LKzIfUFJeJs6rGH4hJ5
qefwW3g9fs45k179ECoeYNl8RBPzdObLMEVfzYghFzYIiY4KJyo4bR7ZQrQzAfb2
oizoBajNaoXWhHLxMv8h8RXc2jq4YvHvFa+ZHjPuEBqaMdhyfNmibkcPeHJVQyal
mAPha6eEZgzWcUYcb262Y2oPq73hvCteUejhWdk+Cir7eTNKvsOCXDaPcmrzeq13
VdL5TOaX7mSj++eLCnZMhUMlsuzjXjnvOFZfEzDeoK1iGxc0V10pP2t71TnJfeU4
DwHPa+UyahEleXIEbYWSoG6yrp7SUOiyzAerJCKj41bNUP28FuA2Lpt9QtHmngsY
l7dMv5QlH3qH0Ofv0Yse6iNMpI23kYk0bEiVKibnL26wFhWDKWNTcxiFW45ah3be
NnP5DELCYgoTVoXpzxde3sdEk+nBwXRfiGatkSvmXkRcfdy/3F46EuIyM8zYN2WK
0Uh+ZucuZauqbM8/fiZYy+M61PVK8T5bYlKqhdBSumOnT4eIr7F210MsPuIl//u0
7m00u35iyE8//vGUDC7r0V+jP5u4QdQGAXh9yJ4piaSRTrOPjSo=
=bVWi
-----END PGP SIGNATURE-----