wpa_supplicant package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
2018-11-26 18:37:29 +01:00 · 2018-11-26 18:37:29 +01:00 · 33a9652d3f
parent 15d5359fb0
commit 33a9652d3f
5 changed files with 411 additions and 11 deletions
--- a/SOURCES/rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch
+++ b/SOURCES/rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch
@ -0,0 +1,96 @@
+From d89edb6112f54fb65036c31eba291bda5fcad2b3 Mon Sep 17 00:00:00 2001
+Message-Id: <d89edb6112f54fb65036c31eba291bda5fcad2b3.1522770749.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Wed, 28 Mar 2018 16:34:56 +0200
+Subject: [PATCH] wpa_supplicant: Don't reply to EAPOL if pkt_type is
+ PACKET_OTHERHOST
+
+When wpa_supplicant is running on a Linux interface that is configured in
+promiscuous mode, and it is not a member of a bridge, incoming EAPOL
+packets are processed regardless of the Destination Address in the frame.
+As a consequence, there are situations where wpa_supplicant replies to
+EAPOL packets that are not destined for it.
+
+This behavior seems undesired (see IEEE Std 802.1X-2010, 11.4.a), and can
+be avoided by attaching a BPF filter that lets the kernel discard packets
+having pkt_type equal to PACKET_OTHERHOST.
+
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ src/l2_packet/l2_packet.h       |  1 +
+ src/l2_packet/l2_packet_linux.c | 23 +++++++++++++++++++++++
+ wpa_supplicant/wpa_supplicant.c |  5 +++++
+ 3 files changed, 29 insertions(+)
+
+diff --git a/src/l2_packet/l2_packet.h b/src/l2_packet/l2_packet.h
+index 2a4524582..53871774b 100644
+--- a/src/l2_packet/l2_packet.h
+++ b/src/l2_packet/l2_packet.h
+@@ -42,6 +42,7 @@ struct l2_ethhdr {
+ enum l2_packet_filter_type {
+ 	L2_PACKET_FILTER_DHCP,
+ 	L2_PACKET_FILTER_NDISC,
+	L2_PACKET_FILTER_PKTTYPE,
+ };
+ 
+ /**
+diff --git a/src/l2_packet/l2_packet_linux.c b/src/l2_packet/l2_packet_linux.c
+index 65b490679..291c9dd26 100644
+--- a/src/l2_packet/l2_packet_linux.c
+++ b/src/l2_packet/l2_packet_linux.c
+@@ -84,6 +84,26 @@ static const struct sock_fprog ndisc_sock_filter = {
+ 	.filter = ndisc_sock_filter_insns,
+ };
+ 
+/* drop packet if skb->pkt_type is PACKET_OTHERHOST (0x03). Generated by:
+ * $ bpfc - <<EOF
+ * > ldb #type
+ * > jeq #0x03, drop
+ * > pass: ret #-1
+ * > drop: ret #0
+ * > EOF
+ */
+static struct sock_filter pkt_type_filter_insns[] = {
+	{ 0x30, 0, 0, 0xfffff004 },
+	{ 0x15, 1, 0, 0x00000003 },
+	{ 0x6, 0, 0, 0xffffffff },
+	{ 0x6, 0, 0, 0x00000000 },
+};
+
+static const struct sock_fprog pkt_type_sock_filter = {
+	.len = ARRAY_SIZE(pkt_type_filter_insns),
+	.filter = pkt_type_filter_insns,
+};
+
+ 
+ int l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr)
+ {
+@@ -471,6 +491,9 @@ int l2_packet_set_packet_filter(struct l2_packet_data *l2,
+ 	case L2_PACKET_FILTER_NDISC:
+ 		sock_filter = &ndisc_sock_filter;
+ 		break;
+	case L2_PACKET_FILTER_PKTTYPE:
+		sock_filter = &pkt_type_sock_filter;
+		break;
+ 	default:
+ 		return -1;
+ 	}
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index 2a05ef910..dcec68a03 100644
+--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
+@@ -4014,6 +4014,11 @@ int wpa_supplicant_update_mac_addr(struct wpa_supplicant *wpa_s)
+ 					   wpa_supplicant_rx_eapol, wpa_s, 0);
+ 		if (wpa_s->l2 == NULL)
+ 			return -1;
+
+		if (l2_packet_set_packet_filter(wpa_s->l2,
+						L2_PACKET_FILTER_PKTTYPE))
+			wpa_dbg(wpa_s, MSG_DEBUG,
+				"Failed to attach pkt_type filter");
+ 	} else {
+ 		const u8 *addr = wpa_drv_get_mac_addr(wpa_s);
+ 		if (addr)
+-- 
+2.14.3
+
--- a/SOURCES/rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch
+++ b/SOURCES/rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch
@ -0,0 +1,158 @@
+From 175c8ec5f46fbe544eb71b80d83ed517a3c81ba4 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Thu, 15 Feb 2018 11:50:01 +0100
+Subject: [PATCH] wpa_supplicant: Fix auth failure when the MAC is updated
+ externally
+
+When connecting to a WPA-EAP network and the MAC address is changed
+just before the association (for example by NetworkManager, which sets
+a random MAC during scans), the authentication sometimes fails in the
+following way ('####' logs added by me):
+
+wpa_supplicant logs:
+ wlan0: WPA: RX message 1 of 4-Way Handshake from 02:00:00:00:01:00 (ver=1)
+ RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
+ WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
+ RSN: PMKID from Authenticator - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
+ wlan0: RSN: no matching PMKID found
+ EAPOL: Successfully fetched key (len=32)
+ WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
+ #### WPA: rsn_pmkid():
+ #### WPA: aa              - hexdump(len=6): 02 00 00 00 01 00
+ #### WPA: spa             - hexdump(len=6): 66 20 cf ab 8c dc
+ #### WPA: PMK             - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7
+ #### WPA: computed PMKID  - hexdump(len=16): ea 73 67 b1 8e 5f 18 43 58 24 e8 1c 47 23 87 71
+ RSN: Replace PMKSA entry for the current AP and any PMKSA cache entry that was based on the old PMK
+ nl80211: Delete PMKID for 02:00:00:00:01:00
+ wlan0: RSN: PMKSA cache entry free_cb: 02:00:00:00:01:00 reason=1
+ RSN: Added PMKSA cache entry for 02:00:00:00:01:00 network_ctx=0x5630bf85a270
+ nl80211: Add PMKID for 02:00:00:00:01:00
+ wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?!
+
+hostapd logs:
+ WPA: PMK from EAPOL state machine (MSK len=64 PMK len=32)
+ WPA: 02:00:00:00:00:00 WPA_PTK entering state PTKSTART
+ wlan1: STA 02:00:00:00:00:00 WPA: sending 1/4 msg of 4-Way Handshake
+ #### WPA: rsn_pmkid():
+ #### WPA: aa              - hexdump(len=6): 02 00 00 00 01 00
+ #### WPA: spa             - hexdump(len=6): 02 00 00 00 00 00
+ #### WPA: PMK             - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7
+ #### WPA: computed PMKID  - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
+ WPA: Send EAPOL(version=1 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=22 keyidx=0 encr=0)
+
+That's because wpa_supplicant computed the PMKID using the wrong (old)
+MAC address used during the scan. wpa_supplicant updates own_addr when
+the interface goes up, as the MAC can only change while the interface
+is down. However, drivers don't report all interface state changes:
+for example the nl80211 driver may ignore a down-up cycle if the down
+message is processed later, when the interface is already up. In such
+cases, wpa_supplicant (and in particular, the EAP state machine) would
+continue to use the old MAC.
+
+Add a new driver event that notifies of MAC address changes while the
+interface is active.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+(cherry picked from commit 77a020a118168e05e7cc0d28a7bf661772e531af)
+---
+ src/drivers/driver.h         |  9 +++++++++
+ src/drivers/driver_common.c  |  1 +
+ src/drivers/driver_nl80211.c | 11 +++++++----
+ wpa_supplicant/events.c      |  3 +++
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/src/drivers/driver.h b/src/drivers/driver.h
+index df996dc21..f8d556133 100644
+--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
+@@ -4106,6 +4106,15 @@ enum wpa_event_type {
+ 	 * EVENT_P2P_LO_STOP - Notify that P2P listen offload is stopped
+ 	 */
+ 	EVENT_P2P_LO_STOP,
+
+	/**
+	 * EVENT_INTERFACE_MAC_CHANGED - Notify that interface MAC changed
+	 *
+	 * This event is emitted when the MAC changes while the interface is
+	 * enabled. When an interface was disabled and becomes enabled, it
+	 * must be always assumed that the MAC possibly changed.
+	 */
+	EVENT_INTERFACE_MAC_CHANGED,
+ };
+ 
+ 
+diff --git a/src/drivers/driver_common.c b/src/drivers/driver_common.c
+index c7107ba89..bdddc0a48 100644
+--- a/src/drivers/driver_common.c
+++ b/src/drivers/driver_common.c
+@@ -81,6 +81,7 @@ const char * event_to_string(enum wpa_event_type event)
+ 	E2S(ACS_CHANNEL_SELECTED);
+ 	E2S(DFS_CAC_STARTED);
+ 	E2S(P2P_LO_STOP);
+	E2S(INTERFACE_MAC_CHANGED);
+ 	}
+ 
+ 	return "UNKNOWN";
+diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
+index f7f3cfebc..d4a879836 100644
+--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
+@@ -923,7 +923,7 @@ nl80211_find_drv(struct nl80211_global *global, int idx, u8 *buf, size_t len)
+ 
+ 
+ static void nl80211_refresh_mac(struct wpa_driver_nl80211_data *drv,
+-				int ifindex)
+				int ifindex, int notify)
+ {
+ 	struct i802_bss *bss;
+ 	u8 addr[ETH_ALEN];
+@@ -942,6 +942,9 @@ static void nl80211_refresh_mac(struct wpa_driver_nl80211_data *drv,
+ 			   ifindex, bss->ifname,
+ 			   MAC2STR(bss->addr), MAC2STR(addr));
+ 		os_memcpy(bss->addr, addr, ETH_ALEN);
+		if (notify)
+			wpa_supplicant_event(drv->ctx,
+					     EVENT_INTERFACE_MAC_CHANGED, NULL);
+ 	}
+ }
+ 
+@@ -1010,11 +1013,11 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx,
+ 		namebuf[0] = '\0';
+ 		if (if_indextoname(ifi->ifi_index, namebuf) &&
+ 		    linux_iface_up(drv->global->ioctl_sock, namebuf) > 0) {
+-			/* Re-read MAC address as it may have changed */
+-			nl80211_refresh_mac(drv, ifi->ifi_index);
+ 			wpa_printf(MSG_DEBUG, "nl80211: Ignore interface down "
+ 				   "event since interface %s is up", namebuf);
+ 			drv->ignore_if_down_event = 0;
+			/* Re-read MAC address as it may have changed */
+			nl80211_refresh_mac(drv, ifi->ifi_index, 1);
+ 			return;
+ 		}
+ 		wpa_printf(MSG_DEBUG, "nl80211: Interface down (%s/%s)",
+@@ -1060,7 +1063,7 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx,
+ 				   "removed", drv->first_bss->ifname);
+ 		} else {
+ 			/* Re-read MAC address as it may have changed */
+-			nl80211_refresh_mac(drv, ifi->ifi_index);
+			nl80211_refresh_mac(drv, ifi->ifi_index, 0);
+ 
+ 			wpa_printf(MSG_DEBUG, "nl80211: Interface up");
+ 			drv->if_disabled = 0;
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 4dc044c2b..6eb35104c 100644
+--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
+@@ -3927,6 +3927,9 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
+ 			data->signal_change.current_noise,
+ 			data->signal_change.current_txrate);
+ 		break;
+	case EVENT_INTERFACE_MAC_CHANGED:
+		wpa_supplicant_update_mac_addr(wpa_s);
+		break;
+ 	case EVENT_INTERFACE_ENABLED:
+ 		wpa_dbg(wpa_s, MSG_DEBUG, "Interface was enabled");
+ 		if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) {
+-- 
+2.14.3
+
--- a/SOURCES/rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch
+++ b/SOURCES/rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch
@ -0,0 +1,83 @@
+From 22151b111b493d4604c9490327c40fdac7bc4b37 Mon Sep 17 00:00:00 2001
+Message-Id: <22151b111b493d4604c9490327c40fdac7bc4b37.1525684664.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Thu, 8 Mar 2018 17:15:02 +0100
+Subject: [PATCH] wpa_supplicant: Fix memory leaks in
+ ieee802_1x_create_preshared_mka()
+
+In case MKA is initialized successfully, local copies of CAK and CKN
+were allocated, but never freed. Ensure that such memory is released
+also when ieee802_1x_kay_create_mka() returns a valid pointer.
+
+Fixes: ad51731abf06 ("wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA")
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ wpa_supplicant/wpas_kay.c | 32 +++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
+index 11708b8a6..d3d06b8ae 100644
+--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
+@@ -392,25 +392,25 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
+ {
+ 	struct mka_key *cak;
+ 	struct mka_key_name *ckn;
+-	void *res;
+	void *res = NULL;
+ 
+ 	if ((ssid->mka_psk_set & MKA_PSK_SET) != MKA_PSK_SET)
+-		return NULL;
+-
+-	if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0)
+-		return NULL;
+-
+-	if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE)
+-		return NULL;
+		goto end;
+ 
+ 	ckn = os_zalloc(sizeof(*ckn));
+ 	if (!ckn)
+-		goto dealloc;
+		goto end;
+ 
+ 	cak = os_zalloc(sizeof(*cak));
+ 	if (!cak)
+ 		goto free_ckn;
+ 
+	if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0 || !wpa_s->kay)
+		goto free_cak;
+
+	if (wpa_s->kay->policy == DO_NOT_SECURE)
+		goto dealloc;
+
+ 	cak->len = MACSEC_CAK_LEN;
+ 	os_memcpy(cak->key, ssid->mka_cak, cak->len);
+ 
+@@ -419,17 +419,15 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
+ 
+ 	res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
+ 	if (res)
+-		return res;
+		goto free_cak;
+ 
+dealloc:
+ 	/* Failed to create MKA */
+	ieee802_1x_dealloc_kay_sm(wpa_s);
+free_cak:
+ 	os_free(cak);
+-
+-	/* fallthrough */
+-
+ free_ckn:
+ 	os_free(ckn);
+-dealloc:
+-	ieee802_1x_dealloc_kay_sm(wpa_s);
+-
+-	return NULL;
+end:
+	return res;
+ }
+-- 
+2.14.3
+
--- a/SOURCES/rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+++ b/SOURCES/rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
@ -0,0 +1,44 @@
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300
+++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
+		/*
+		 * Only decrypt the Key Data field if the frame's authenticity
+		 * was verified. When using AES-SIV (FILS), the MIC flag is not
+		 * set, so this check should only be performed if mic_len != 0
+		 * which is the case in this code branch.
+		 */
+		if (!(key_info & WPA_KEY_INFO_MIC)) {
+			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
+			goto out;
+		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;
--- a/SPECS/wpa_supplicant.spec
+++ b/SPECS/wpa_supplicant.spec
@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.6
-Release: 9%{?dist}
+Release: 12%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -24,6 +24,12 @@ Source8: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plai
 %define build_gui 0
 %endif

+# RHEL-7 doesn't define _rundir macro yet
+# Fedora 15 onwards uses /run as _rundir
+%if 0%{!?_rundir:1}
+%define _rundir /run
+%endif
+
 # distro specific customization and not suitable for upstream,
 # works around busted drivers
 Patch0: wpa_supplicant-assoc-timeout.patch
@ -87,6 +93,10 @@ Patch52: rh1495527-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
 Patch53: rh1495527-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 Patch54: rh1495527-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
 Patch55: rh1531254-common-Avoid-conflict-with-__bitwise-macro-from-linu.patch
+Patch56: rh1434434-wpa_supplicant-Don-t-reply-to-EAPOL-if-pkt_type-is-P.patch
+Patch57: rh1490885-fix-auth-failure-when-the-mac-is-updated-externally.patch
+Patch58: rh1500442-wpa_supplicant-Fix-memory-leaks-in-ieee802_1x_create.patch
+Patch59: rh1619553-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch

 URL: http://w1.fi/wpa_supplicant/

@ -182,6 +192,10 @@ cp %{SOURCE8} src/linux/if_link.h
 %patch53 -p1 -b .rh1495527-0007
 %patch54 -p1 -b .rh1495527-0008
 %patch55 -p1 -b .rh1531254-fix-bitwise-redefined
+%patch56 -p1 -b .rh1434434-fix-pkt_otherhost
+%patch57 -p1 -b .rh1490885-mac-changed-event
+%patch58 -p1 -b .rh1500442-macsec-memleak
+%patch59 -p1 -b .rh1619553-ignore-unauth-eapol

 %build
 pushd wpa_supplicant
@ -228,8 +242,7 @@ install -d %{buildroot}/%{_bindir}
 install -m 0755 %{name}/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
 %endif

-# running
-mkdir -p %{buildroot}/%{_localstatedir}/run/%{name}
+install -d -m 0755 %{buildroot}%{_rundir}/%{name}

 # man pages
 install -d %{buildroot}%{_mandir}/man{5,8}
@ -254,13 +267,6 @@ if [ $1 -eq 0 ] ; then
    /bin/systemctl stop wpa_supplicant.service > /dev/null 2>&1 || :
 fi

-%postun
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
-    # Package upgrade, not uninstall
-    /bin/systemctl try-restart wpa_supplicant.service >/dev/null 2>&1 || :
-fi
-
 %triggerun -- wpa_supplicant < 0.7.3-10
 # Save the current service runlevel info
 # User must manually run systemd-sysv-convert --apply wpa_supplicant
@ -286,7 +292,7 @@ fi
 %{_sbindir}/wpa_supplicant
 %{_sbindir}/wpa_cli
 %{_sbindir}/eapol_test
-%dir %{_localstatedir}/run/%{name}
+%ghost %attr(755,root,root) %verify(not owner group) %{_rundir}/%{name}
 %dir %{_sysconfdir}/%{name}
 %{_mandir}/man8/*
 %{_mandir}/man5/*
@ -297,6 +303,19 @@ fi
 %endif

 %changelog
+* Tue Aug 28 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-12
+- Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526)
+
+* Fri Jun  1 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-11
+- Better handling of /run/wpa_supplicant (rh #1507919)
+
+* Fri May 18 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-10
+- Fix memory leak when macsec MKA/PSK is used (rh #1500442)
+- Fix authentication failure when the MAC is updated externally (rh #1490885)
+- Let the kernel discard EAPOL if packet type is PACKET_OTHERHOST (rh #1434434)
+- Don't restart wpa_supplicant.service on package upgrade (rh #1505404)
+- Don't own a directory in /run/ (rh #1507919)
+
 * Mon Jan  8 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-9
 - Fix RPMDiff failures on ppc (rh #1532320)