Associated release note:
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Motivation for this change

Our current hostapd setup might be vulnerable to a side-channel attack on EAP-pwd in a particular setup.

Relevant release note part:

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration). Note that EAP-pwd server implementation
in hostapd enables only a single group at the time (pwd_group parameter)
and by default, group 19 is used. As such, this would be applicable only
if the pwd_group parameter is set to use one of the groups 28-30. The
EAP-pwd peer implementation wpa_supplicant, follows the group selected
by the server and as such, it would be vulnerable for the case where an
attacker controls the authentication server (e.g., through a rogue AP)
if the crypto library supports groups 28-30.

No reason to freak about that, but better be safe than sorry.

There's no breaking change regarding this release, updating hostapd should be safe and backward-compatible.

We probably want to backport this to 19.09 together with #75140 (not merged yet).

Tested on my test router setup.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc @flokli