diff --git a/SOURCES/rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch b/SOURCES/rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch
new file mode 100644
index 0000000..205b4b8
--- /dev/null
+++ b/SOURCES/rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch
@@ -0,0 +1,96 @@ +From d89edb6112f54fb65036c31eba291bda5fcad2b3 Mon Sep 17 00:00:00 2001 +Message-Id: +From: Davide Caratti +Date: Wed, 28 Mar 2018 16:34:56 +0200 +Subject: [PATCH] wpa_supplicant: Don't reply to EAPOL if pkt_type is + PACKET_OTHERHOST + +When wpa_supplicant is running on a Linux interface that is configured in +promiscuous mode, and it is not a member of a bridge, incoming EAPOL +packets are processed regardless of the Destination Address in the frame. +As a consequence, there are situations where wpa_supplicant replies to +EAPOL packets that are not destined for it. + +This behavior seems undesired (see IEEE Std 802.1X-2010, 11.4.a), and can +be avoided by attaching a BPF filter that lets the kernel discard packets +having pkt_type equal to PACKET_OTHERHOST. + +Signed-off-by: Davide Caratti +--- + src/l2_packet/l2_packet.h | 1 + + src/l2_packet/l2_packet_linux.c | 23 +++++++++++++++++++++++ + wpa_supplicant/wpa_supplicant.c | 5 +++++ + 3 files changed, 29 insertions(+) + +diff --git a/src/l2_packet/l2_packet.h b/src/l2_packet/l2_packet.h +index 2a4524582..53871774b 100644 +--- a/src/l2_packet/l2_packet.h ++++ b/src/l2_packet/l2_packet.h +@@ -42,6 +42,7 @@ struct l2_ethhdr { + enum l2_packet_filter_type { + L2_PACKET_FILTER_DHCP, + L2_PACKET_FILTER_NDISC, ++ L2_PACKET_FILTER_PKTTYPE, + }; + + /** +diff --git a/src/l2_packet/l2_packet_linux.c b/src/l2_packet/l2_packet_linux.c +index 65b490679..291c9dd26 100644 +--- a/src/l2_packet/l2_packet_linux.c ++++ b/src/l2_packet/l2_packet_linux.c +@@ -84,6 +84,26 @@ static const struct sock_fprog ndisc_sock_filter = { + .filter = ndisc_sock_filter_insns, + }; + ++/* drop packet if skb->pkt_type is PACKET_OTHERHOST (0x03). 
Generated by: ++ * $ bpfc - < ldb #type ++ * > jeq #0x03, drop ++ * > pass: ret #-1 ++ * > drop: ret #0 ++ * > EOF ++ */ ++static struct sock_filter pkt_type_filter_insns[] = { ++ { 0x30, 0, 0, 0xfffff004 }, ++ { 0x15, 1, 0, 0x00000003 }, ++ { 0x6, 0, 0, 0xffffffff }, ++ { 0x6, 0, 0, 0x00000000 }, ++}; ++ ++static const struct sock_fprog pkt_type_sock_filter = { ++ .len = ARRAY_SIZE(pkt_type_filter_insns), ++ .filter = pkt_type_filter_insns, ++}; ++ + + int l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) + { +@@ -471,6 +491,9 @@ int l2_packet_set_packet_filter(struct l2_packet_data *l2, + case L2_PACKET_FILTER_NDISC: + sock_filter = &ndisc_sock_filter; + break; ++ case L2_PACKET_FILTER_PKTTYPE: ++ sock_filter = &pkt_type_sock_filter; ++ break; + default: + return -1; + } +diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c +index 2a05ef910..dcec68a03 100644 +--- a/wpa_supplicant/wpa_supplicant.c ++++ b/wpa_supplicant/wpa_supplicant.c +@@ -4014,6 +4014,11 @@ int wpa_supplicant_update_mac_addr(struct wpa_supplicant *wpa_s) + wpa_supplicant_rx_eapol, wpa_s, 0); + if (wpa_s->l2 == NULL) + return -1; ++ ++ if (l2_packet_set_packet_filter(wpa_s->l2, ++ L2_PACKET_FILTER_PKTTYPE)) ++ wpa_dbg(wpa_s, MSG_DEBUG, ++ "Failed to attach pkt_type filter"); + } else { + const u8 *addr = wpa_drv_get_mac_addr(wpa_s); + if (addr) +-- +2.14.3 + diff --git a/SOURCES/rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch b/SOURCES/rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch new file mode 100644 index 0000000..eea000a --- /dev/null +++ b/SOURCES/rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch 
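Review bot: In the wpa_supplicant_update_mac_addr() hunk, a failed l2_packet_set_packet_filter() call is reported only through `wpa_dbg(wpa_s, MSG_DEBUG, ...)` and execution continues, so when the attach fails the supplicant keeps answering EAPOL frames addressed to other hosts and nothing at the default log level says the filter is missing. Logging it at a visible level, e.g. `wpa_msg(wpa_s, MSG_INFO, "Failed to attach pkt_type filter");`, would let an operator see that the hardening is not active. Separately, the raw values in `pkt_type_filter_insns` would be easier to audit with a comment such as `/* 0xfffff004 = SKF_AD_OFF + SKF_AD_PKTTYPE, 0x03 = PACKET_OTHERHOST */`. The enclosing function starts and ends outside the hunk.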
@@ -0,0 +1,158 @@ +From 175c8ec5f46fbe544eb71b80d83ed517a3c81ba4 Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Thu, 15 Feb 2018 11:50:01 +0100 +Subject: [PATCH] wpa_supplicant: Fix auth failure when the MAC is updated + externally + +When connecting to a WPA-EAP network and the MAC address is changed +just before the association (for example by NetworkManager, which sets +a random MAC during scans), the authentication sometimes fails in the +following way ('####' logs added by me): + +wpa_supplicant logs: + wlan0: WPA: RX message 1 of 4-Way Handshake from 02:00:00:00:01:00 (ver=1) + RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 + WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 + RSN: PMKID from Authenticator - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 + wlan0: RSN: no matching PMKID found + EAPOL: Successfully fetched key (len=32) + WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED] + #### WPA: rsn_pmkid(): + #### WPA: aa - hexdump(len=6): 02 00 00 00 01 00 + #### WPA: spa - hexdump(len=6): 66 20 cf ab 8c dc + #### WPA: PMK - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7 + #### WPA: computed PMKID - hexdump(len=16): ea 73 67 b1 8e 5f 18 43 58 24 e8 1c 47 23 87 71 + RSN: Replace PMKSA entry for the current AP and any PMKSA cache entry that was based on the old PMK + nl80211: Delete PMKID for 02:00:00:00:01:00 + wlan0: RSN: PMKSA cache entry free_cb: 02:00:00:00:01:00 reason=1 + RSN: Added PMKSA cache entry for 02:00:00:00:01:00 network_ctx=0x5630bf85a270 + nl80211: Add PMKID for 02:00:00:00:01:00 + wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?! 
+ +hostapd logs: + WPA: PMK from EAPOL state machine (MSK len=64 PMK len=32) + WPA: 02:00:00:00:00:00 WPA_PTK entering state PTKSTART + wlan1: STA 02:00:00:00:00:00 WPA: sending 1/4 msg of 4-Way Handshake + #### WPA: rsn_pmkid(): + #### WPA: aa - hexdump(len=6): 02 00 00 00 01 00 + #### WPA: spa - hexdump(len=6): 02 00 00 00 00 00 + #### WPA: PMK - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7 + #### WPA: computed PMKID - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 + WPA: Send EAPOL(version=1 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=22 keyidx=0 encr=0) + +That's because wpa_supplicant computed the PMKID using the wrong (old) +MAC address used during the scan. wpa_supplicant updates own_addr when +the interface goes up, as the MAC can only change while the interface +is down. However, drivers don't report all interface state changes: +for example the nl80211 driver may ignore a down-up cycle if the down +message is processed later, when the interface is already up. In such +cases, wpa_supplicant (and in particular, the EAP state machine) would +continue to use the old MAC. + +Add a new driver event that notifies of MAC address changes while the +interface is active. 
+ +Signed-off-by: Beniamino Galvani +(cherry picked from commit 77a020a118168e05e7cc0d28a7bf661772e531af) +--- + src/drivers/driver.h | 9 +++++++++ + src/drivers/driver_common.c | 1 + + src/drivers/driver_nl80211.c | 11 +++++++---- + wpa_supplicant/events.c | 3 +++ + 4 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/src/drivers/driver.h b/src/drivers/driver.h +index df996dc21..f8d556133 100644 +--- a/src/drivers/driver.h ++++ b/src/drivers/driver.h +@@ -4106,6 +4106,15 @@ enum wpa_event_type { + * EVENT_P2P_LO_STOP - Notify that P2P listen offload is stopped + */ + EVENT_P2P_LO_STOP, ++ ++ /** ++ * EVENT_INTERFACE_MAC_CHANGED - Notify that interface MAC changed ++ * ++ * This event is emitted when the MAC changes while the interface is ++ * enabled. When an interface was disabled and becomes enabled, it ++ * must be always assumed that the MAC possibly changed. ++ */ ++ EVENT_INTERFACE_MAC_CHANGED, + }; + + +diff --git a/src/drivers/driver_common.c b/src/drivers/driver_common.c +index c7107ba89..bdddc0a48 100644 +--- a/src/drivers/driver_common.c ++++ b/src/drivers/driver_common.c +@@ -81,6 +81,7 @@ const char * event_to_string(enum wpa_event_type event) + E2S(ACS_CHANNEL_SELECTED); + E2S(DFS_CAC_STARTED); + E2S(P2P_LO_STOP); ++ E2S(INTERFACE_MAC_CHANGED); + } + + return "UNKNOWN"; +diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c +index f7f3cfebc..d4a879836 100644 +--- a/src/drivers/driver_nl80211.c ++++ b/src/drivers/driver_nl80211.c +@@ -923,7 +923,7 @@ nl80211_find_drv(struct nl80211_global *global, int idx, u8 *buf, size_t len) + + + static void nl80211_refresh_mac(struct wpa_driver_nl80211_data *drv, +- int ifindex) ++ int ifindex, int notify) + { + struct i802_bss *bss; + u8 addr[ETH_ALEN]; +@@ -942,6 +942,9 @@ static void nl80211_refresh_mac(struct wpa_driver_nl80211_data *drv, + ifindex, bss->ifname, + MAC2STR(bss->addr), MAC2STR(addr)); + os_memcpy(bss->addr, addr, ETH_ALEN); ++ if (notify) ++ 
wpa_supplicant_event(drv->ctx, ++ EVENT_INTERFACE_MAC_CHANGED, NULL); + } + } + +@@ -1010,11 +1013,11 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, + namebuf[0] = '\0'; + if (if_indextoname(ifi->ifi_index, namebuf) && + linux_iface_up(drv->global->ioctl_sock, namebuf) > 0) { +- /* Re-read MAC address as it may have changed */ +- nl80211_refresh_mac(drv, ifi->ifi_index); + wpa_printf(MSG_DEBUG, "nl80211: Ignore interface down " + "event since interface %s is up", namebuf); + drv->ignore_if_down_event = 0; ++ /* Re-read MAC address as it may have changed */ ++ nl80211_refresh_mac(drv, ifi->ifi_index, 1); + return; + } + wpa_printf(MSG_DEBUG, "nl80211: Interface down (%s/%s)", +@@ -1060,7 +1063,7 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, + "removed", drv->first_bss->ifname); + } else { + /* Re-read MAC address as it may have changed */ +- nl80211_refresh_mac(drv, ifi->ifi_index); ++ nl80211_refresh_mac(drv, ifi->ifi_index, 0); + + wpa_printf(MSG_DEBUG, "nl80211: Interface up"); + drv->if_disabled = 0; +diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c +index 4dc044c2b..6eb35104c 100644 +--- a/wpa_supplicant/events.c ++++ b/wpa_supplicant/events.c +@@ -3927,6 +3927,9 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event, + data->signal_change.current_noise, + data->signal_change.current_txrate); + break; ++ case EVENT_INTERFACE_MAC_CHANGED: ++ wpa_supplicant_update_mac_addr(wpa_s); ++ break; + case EVENT_INTERFACE_ENABLED: + wpa_dbg(wpa_s, MSG_DEBUG, "Interface was enabled"); + if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) { +-- +2.14.3 + diff --git a/SOURCES/rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch b/SOURCES/rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch new file mode 100644 index 0000000..ae2773e --- /dev/null +++ b/SOURCES/rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch 
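Review bot: The new `case EVENT_INTERFACE_MAC_CHANGED:` in wpa_supplicant_event() discards the return value of wpa_supplicant_update_mac_addr(), which returns -1 when the l2 socket cannot be re-created (that return is visible in the context lines of the rh1434434 patch on this page). On that path the supplicant would apparently carry on with a stale own_addr, which is the condition behind the PMKID mismatch this patch sets out to remove, and nothing is logged. Checking the result, e.g. `if (wpa_supplicant_update_mac_addr(wpa_s) < 0) wpa_dbg(wpa_s, MSG_DEBUG, "Failed to update MAC address");`, would at least make the failure visible; whether the interface should also be disabled is a decision for the maintainers. Both functions extend beyond the hunks shown.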
@@ -0,0 +1,83 @@ +From 22151b111b493d4604c9490327c40fdac7bc4b37 Mon Sep 17 00:00:00 2001 +Message-Id: <22151b111b493d4604c9490327c40fdac7bc4b37.1525684664.git.davide.caratti@gmail.com> +From: Davide Caratti +Date: Thu, 8 Mar 2018 17:15:02 +0100 +Subject: [PATCH] wpa_supplicant: Fix memory leaks in + ieee802_1x_create_preshared_mka() + +In case MKA is initialized successfully, local copies of CAK and CKN +were allocated, but never freed. Ensure that such memory is released +also when ieee802_1x_kay_create_mka() returns a valid pointer. + +Fixes: ad51731abf06 ("wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA") +Signed-off-by: Davide Caratti +--- + wpa_supplicant/wpas_kay.c | 32 +++++++++++++++----------------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c +index 11708b8a6..d3d06b8ae 100644 +--- a/wpa_supplicant/wpas_kay.c ++++ b/wpa_supplicant/wpas_kay.c +@@ -392,25 +392,25 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s, + { + struct mka_key *cak; + struct mka_key_name *ckn; +- void *res; ++ void *res = NULL; + + if ((ssid->mka_psk_set & MKA_PSK_SET) != MKA_PSK_SET) +- return NULL; +- +- if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0) +- return NULL; +- +- if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE) +- return NULL; ++ goto end; + + ckn = os_zalloc(sizeof(*ckn)); + if (!ckn) +- goto dealloc; ++ goto end; + + cak = os_zalloc(sizeof(*cak)); + if (!cak) + goto free_ckn; + ++ if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0 || !wpa_s->kay) ++ goto free_cak; ++ ++ if (wpa_s->kay->policy == DO_NOT_SECURE) ++ goto dealloc; ++ + cak->len = MACSEC_CAK_LEN; + os_memcpy(cak->key, ssid->mka_cak, cak->len); + +@@ -419,17 +419,15 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s, + + res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE); + if (res) +- return res; ++ goto free_cak; + ++dealloc: + /* Failed to create MKA */ ++ 
ieee802_1x_dealloc_kay_sm(wpa_s); ++free_cak: + os_free(cak); +- +- /* fallthrough */ +- + free_ckn: + os_free(ckn); +-dealloc: +- ieee802_1x_dealloc_kay_sm(wpa_s); +- +- return NULL; ++end: ++ return res; + } +-- +2.14.3 + diff --git a/SOURCES/rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/SOURCES/rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch new file mode 100644 index 0000000..a62b52c --- /dev/null +++ b/SOURCES/rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 
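Review bot: With the `free_cak:` label now reached on success as well as on failure, every call releases the local copy of the CAK with plain `os_free(cak)`, which leaves the key bytes copied from `ssid->mka_cak` in freed heap memory. Clearing the buffer before release, `bin_clear_free(cak, sizeof(*cak));`, keeps the pre-shared key from lingering once ieee802_1x_kay_create_mka() has returned. The CKN is a key name rather than a secret, so `os_free(ckn)` can stay as it is. The function's signature and opening brace are partly outside the hunk.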
@@ -0,0 +1,44 @@ +From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Sun, 15 Jul 2018 01:25:53 +0200 +Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data + +Ignore unauthenticated encrypted EAPOL-Key data in supplicant +processing. When using WPA2, these are frames that have the Encrypted +flag set, but not the MIC flag. + +When using WPA2, EAPOL-Key frames that had the Encrypted flag set but +not the MIC flag, had their data field decrypted without first verifying +the MIC. In case the data field was encrypted using RC4 (i.e., when +negotiating TKIP as the pairwise cipher), this meant that +unauthenticated but decrypted data would then be processed. An adversary +could abuse this as a decryption oracle to recover sensitive information +in the data field of EAPOL-Key messages (e.g., the group key). +(CVE-2018-14526) + +Signed-off-by: Mathy Vanhoef +--- + src/rsn_supp/wpa.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c +--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300 ++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300 +@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c + + if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && + (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { ++ /* ++ * Only decrypt the Key Data field if the frame's authenticity ++ * was verified. When using AES-SIV (FILS), the MIC flag is not ++ * set, so this check should only be performed if mic_len != 0 ++ * which is the case in this code branch. ++ */ ++ if (!(key_info & WPA_KEY_INFO_MIC)) { ++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, ++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); ++ goto out; ++ } + if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data, + &key_data_len)) + goto out; 
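Review bot: The warning emitted before `goto out` does not identify the sender, so someone reading the log cannot tell which peer produced the rejected EAPOL-Key frame or correlate repeated occurrences. If the sender address parameter of wpa_sm_rx_eapol() is in scope here (the hunk header truncates the signature; upstream names it src_addr), the message could read `"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data from " MACSTR, MAC2STR(src_addr)`. The address is itself unauthenticated at this point, so it is a triage hint rather than proof of origin. The added comment also refers to AES-SIV (FILS) and mic_len, which may not exist in the 2.6 tree this backport targets; that is worth confirming so the comment does not mislead. The function continues outside the hunk.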
diff --git a/SPECS/wpa_supplicant.spec b/SPECS/wpa_supplicant.spec index fbcc233..d41dcfc 100644 --- a/SPECS/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant.spec @@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant Name: wpa_supplicant Epoch: 1 Version: 2.6 -Release: 9%{?dist} +Release: 12%{?dist} License: BSD Group: System Environment/Base Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz @@ -24,6 +24,12 @@ Source8: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plai %define build_gui 0 %endif +# RHEL-7 doesn't define _rundir macro yet +# Fedora 15 onwards uses /run as _rundir +%if 0%{!?_rundir:1} +%define _rundir /run +%endif + # distro specific customization and not suitable for upstream, # works around busted drivers Patch0: wpa_supplicant-assoc-timeout.patch @@ -87,6 +93,10 @@ Patch52: rh1495527-0006-TDLS-Reject-TPK-TK-reconfiguration.patch Patch53: rh1495527-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch Patch54: rh1495527-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch Patch55: rh1531254-common-Avoid-conflict-with-__bitwise-macro-from-linu.patch +Patch56: rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch +Patch57: rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch +Patch58: rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch +Patch59: rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch URL: http://w1.fi/wpa_supplicant/ @@ -182,6 +192,10 @@ cp %{SOURCE8} src/linux/if_link.h %patch53 -p1 -b .rh1495527-0007 %patch54 -p1 -b .rh1495527-0008 %patch55 -p1 -b .rh1531254-fix-bitwise-redefined +%patch56 -p1 -b .rh1434434-fix-pkt_otherhost +%patch57 -p1 -b .rh1490885-mac-changed-event +%patch58 -p1 -b .rh1500442-macsec-memleak +%patch59 -p1 -b .rh1619553-ignore-unauth-eapol %build pushd wpa_supplicant 
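Review bot: Patch59 in the patch list brings in the CVE-2018-14526 fix, but the same spec change deletes the `%postun` scriptlet that ran `systemctl try-restart wpa_supplicant.service` on upgrade, so after the package is upgraded a running daemon keeps executing the unpatched code until it is restarted or the host reboots. The changelog shows the restart was dropped on purpose (rh #1505404), so the consequence should be recorded where packagers and administrators will see it, for example `# security fixes take effect only after wpa_supplicant.service is restarted` above the Patch59 line, and repeated in the erratum text.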
@@ -228,8 +242,7 @@ install -d %{buildroot}/%{_bindir} install -m 0755 %{name}/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir} %endif -# running -mkdir -p %{buildroot}/%{_localstatedir}/run/%{name} +install -d -m 0755 %{buildroot}%{_rundir}/%{name} # man pages install -d %{buildroot}%{_mandir}/man{5,8} @@ -254,13 +267,6 @@ if [ $1 -eq 0 ] ; then /bin/systemctl stop wpa_supplicant.service > /dev/null 2>&1 || : fi -%postun -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ $1 -ge 1 ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart wpa_supplicant.service >/dev/null 2>&1 || : -fi - %triggerun -- wpa_supplicant < 0.7.3-10 # Save the current service runlevel info # User must manually run systemd-sysv-convert --apply wpa_supplicant @@ -286,7 +292,7 @@ fi %{_sbindir}/wpa_supplicant %{_sbindir}/wpa_cli %{_sbindir}/eapol_test -%dir %{_localstatedir}/run/%{name} +%ghost %attr(755,root,root) %verify(not owner group) %{_rundir}/%{name} %dir %{_sysconfdir}/%{name} %{_mandir}/man8/* %{_mandir}/man5/* @@ -297,6 +303,19 @@ fi %endif %changelog +* Tue Aug 28 2018 Davide Caratti - 1:2.6-12 +- Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526) + +* Fri Jun 1 2018 Davide Caratti - 1:2.6-11 +- Better handling of /run/wpa_supplicant (rh #1507919) + +* Fri May 18 2018 Davide Caratti - 1:2.6-10 +- Fix memory leak when macsec MKA/PSK is used (rh #1500442) +- Fix authentication failure when the MAC is updated externally (rh #1490885) +- Let the kernel discard EAPOL if packet type is PACKET_OTHERHOST (rh #1434434) +- Don't restart wpa_supplicant.service on package upgrade (rh #1505404) +- Don't own a directory in /run/ (rh #1507919) + * Mon Jan 8 2018 Davide Caratti - 1:2.6-9 - Fix RPMDiff failures on ppc (rh #1532320)
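Review bot: The `%ghost %attr(755,root,root) %verify(not owner group) %{_rundir}/%{name}` entry turns off owner and group verification for the directory that typically holds the control-interface sockets, so `rpm -V` will no longer report an ownership change there. That is presumably intended because the daemon may re-own the directory at run time, but the spec does not say so; a comment such as `# owner/group may be changed by wpa_supplicant at run time, so rpm must not verify them` above the line would record the reason. Nothing in this diff adds a tmpfiles.d entry, so the directory appears to depend on the daemon creating it after each boot with the mode it chooses; that is worth confirming against the ctrl_interface configuration shipped with the package.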