import CS wpa_supplicant-2.11-2.el9

.gitignore

@@ -1 +1 @@
-SOURCES/wpa_supplicant-2.10.tar.gz
+SOURCES/wpa_supplicant-2.11.tar.gz

.wpa_supplicant.metadata

@@ -1 +1 @@
-e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz
+aadb740bd2b3e2e1f39b5d8d543f9e18f2c1c090 SOURCES/wpa_supplicant-2.11.tar.gz

SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch

@@ -1,52 +0,0 @@
-From 5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff Mon Sep 17 00:00:00 2001
-Message-Id: <5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff.1650620058.git.davide.caratti@gmail.com>
-From: Lubomir Rintel <lkundrak@v3.sk>
-Date: Mon, 7 Mar 2022 09:54:46 +0100
-Subject: [PATCH] D-Bus: Add 'wep_disabled' capability
-
-Since commit 200c7693c9a1 ('Make WEP functionality an optional build
-parameter'), WEP support is optional and, indeed, off by default.
-
-The distributions are now catching up and disabling WEP in their builds.
-Unfortunately, there's no indication prior to an attempt to connect to a
-WEP network that it's not going to work. Add a capability to communicate
-that.
-
-Unlike other capabilities, this one is negative. That is, it indicates
-lack of a WEP support as opposed to its presence. This is necessary
-because historically there has been no capability to indicate presence
-of WEP support and therefore NetworkManager (and probably others) just
-assumes it's there.
-
-Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
-Acked-by: Davide Caratti <davide.caratti@gmail.com>
----
- wpa_supplicant/dbus/dbus_new_handlers.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
-index 1c9ded09a..0b1002bf1 100644
---- a/wpa_supplicant/dbus/dbus_new_handlers.c
-+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
-@@ -1121,7 +1121,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities(
- 	const struct wpa_dbus_property_desc *property_desc,
- 	DBusMessageIter *iter, DBusError *error, void *user_data)
- {
--	const char *capabilities[13];
-+	const char *capabilities[14];
- 	size_t num_items = 0;
- 	struct wpa_global *global = user_data;
- 	struct wpa_supplicant *wpa_s;
-@@ -1177,6 +1177,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities(
- #endif /* CONFIG_SUITEB192 */
- 	if (ext_key_id_supported)
- 		capabilities[num_items++] = "extended_key_id";
-+#ifndef CONFIG_WEP
-+	capabilities[num_items++] = "wep_disabled";
-+#endif /* !CONFIG_WEP */
- 
- 	return wpas_dbus_simple_array_property_getter(iter,
- 						      DBUS_TYPE_STRING,
--- 
-2.35.1
-

SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch

@@ -1,103 +0,0 @@
-From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
-Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
-From: Jouni Malinen <quic_jouni@quicinc.com>
-Date: Thu, 5 May 2022 00:07:44 +0300
-Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
- renegotiation
-
-The TLS protocol design for renegotiation was identified to have a
-significant security flaw in 2009 and an extension to secure this design
-was published in 2010 (RFC 5746). However, some old RADIUS
-authentication servers without support for this are still used commonly.
-
-This is obviously not good from the security view point, but since there
-are cases where the user of a network service has no realistic means for
-getting the authentication server upgraded, TLS handshake may still need
-to be allowed to be able to use the network.
-
-OpenSSL 3.0 disabled the client side workaround by default and this
-resulted in issues connection to some networks with insecure
-authentication servers. With OpenSSL 3.0, the client is now enforcing
-security by refusing to authenticate with such servers. The pre-3.0
-behavior of ignoring this issue and leaving security to the server can
-now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
-This should be used only when having to connect to a network that has an
-insecure authentication server that cannot be upgraded.
-
-The old (pre-2010) TLS renegotiation mechanism might open security
-vulnerabilities if the authentication server were to allow TLS
-renegotiation to be initiated. While this is unlikely to cause real
-issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
-an authentication server that does not support RFC 5746 might result in
-a security vulnerability.
-
-Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
----
- src/crypto/tls.h                   | 1 +
- src/crypto/tls_openssl.c           | 5 +++++
- src/eap_peer/eap_tls_common.c      | 4 ++++
- wpa_supplicant/wpa_supplicant.conf | 5 +++++
- 4 files changed, 15 insertions(+)
-
-diff --git a/src/crypto/tls.h b/src/crypto/tls.h
-index ccaac94c9..7ea32ee4a 100644
---- a/src/crypto/tls.h
-+++ b/src/crypto/tls.h
-@@ -112,6 +112,7 @@ struct tls_config {
- #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
- #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
- #define TLS_CONN_TEAP_ANON_DH BIT(17)
-+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
- 
- /**
-  * struct tls_connection_params - Parameters for TLS connection
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index 388c6b0f4..0d23f44ad 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
- 		SSL_clear_options(ssl, SSL_OP_NO_TICKET);
- #endif /* SSL_OP_NO_TICKET */
- 
-+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
-+	if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
-+		SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
-+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
-+
- #ifdef SSL_OP_NO_TLSv1
- 	if (flags & TLS_CONN_DISABLE_TLSv1_0)
- 		SSL_set_options(ssl, SSL_OP_NO_TLSv1);
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index 06c9b211e..6193b4bdb 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
- 		params->flags |= TLS_CONN_SUITEB_NO_ECDH;
- 	if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
- 		params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
-+	if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
-+		params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
-+	if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
-+		params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
- }
- 
- 
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index a1dc769c9..b5304a77e 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1370,6 +1370,11 @@ fast_reauth=1
- # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
- # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
- #	particular when using Suite B with RSA keys of >= 3K (3072) bits
-+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
-+#	not support safe renegotiation (RFC 5746); please note that this
-+#	workaround should be only when having to authenticate with an old
-+#	authentication server that cannot be updated to use secure TLS
-+#	implementation.
- #
- # Following certificate/private key fields are used in inner Phase2
- # authentication when using EAP-TTLS or EAP-PEAP.
--- 
-2.35.1
-

SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch

@@ -1,106 +0,0 @@
-From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
-Message-Id: <a561d12d24c2c8bb0f825d4a3a55a5e47e845853.1652450863.git.davide.caratti@gmail.com>
-From: Jouni Malinen <quic_jouni@quicinc.com>
-Date: Wed, 4 May 2022 23:55:38 +0300
-Subject: [PATCH] EAP peer status notification for server not supporting RFC
- 5746
-
-Add a notification message to indicate reason for TLS handshake failure
-due to the server not supporting safe renegotiation (RFC 5746).
-
-Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
----
- src/ap/authsrv.c         |  3 +++
- src/crypto/tls.h         |  3 ++-
- src/crypto/tls_openssl.c | 15 +++++++++++++--
- src/eap_peer/eap.c       |  5 +++++
- 4 files changed, 23 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
-index 516c1da74..fd9c96fad 100644
---- a/src/ap/authsrv.c
-+++ b/src/ap/authsrv.c
-@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
- 			wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
- 				   data->alert.description);
- 		break;
-+	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
-+		/* Not applicable to TLS server */
-+		break;
- 	}
- }
- #endif /* EAP_TLS_FUNCS */
-diff --git a/src/crypto/tls.h b/src/crypto/tls.h
-index 7ea32ee4a..7a2ee32df 100644
---- a/src/crypto/tls.h
-+++ b/src/crypto/tls.h
-@@ -22,7 +22,8 @@ enum tls_event {
- 	TLS_CERT_CHAIN_SUCCESS,
- 	TLS_CERT_CHAIN_FAILURE,
- 	TLS_PEER_CERTIFICATE,
--	TLS_ALERT
-+	TLS_ALERT,
-+	TLS_UNSAFE_RENEGOTIATION_DISABLED,
- };
- 
- /*
-diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
-index 0d23f44ad..912471ba2 100644
---- a/src/crypto/tls_openssl.c
-+++ b/src/crypto/tls_openssl.c
-@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
- static struct wpabuf *
- openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
- {
-+	struct tls_context *context = conn->context;
- 	int res;
- 	struct wpabuf *out_data;
- 
-@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
- 			wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
- 				   "write");
- 		else {
-+			unsigned long error = ERR_peek_last_error();
-+
- 			tls_show_errors(MSG_INFO, __func__, "SSL_connect");
-+
-+			if (context->event_cb &&
-+			    ERR_GET_LIB(error) == ERR_LIB_SSL &&
-+			    ERR_GET_REASON(error) ==
-+			    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
-+				context->event_cb(
-+					context->cb_ctx,
-+					TLS_UNSAFE_RENEGOTIATION_DISABLED,
-+					NULL);
-+			}
- 			conn->failed++;
- 			if (!conn->server && !conn->client_hello_generated) {
- 				/* The server would not understand TLS Alert
-@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
- 	if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
- 	    os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
- 	    conn->server_dh_prime_len < 3072) {
--		struct tls_context *context = conn->context;
--
- 		/*
- 		 * This should not be reached since earlier cert_cb should have
- 		 * terminated the handshake. Keep this check here for extra
-diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
-index 429b20d3a..729388f4f 100644
---- a/src/eap_peer/eap.c
-+++ b/src/eap_peer/eap.c
-@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
- 			eap_notify_status(sm, "remote TLS alert",
- 					  data->alert.description);
- 		break;
-+	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
-+		wpa_printf(MSG_INFO,
-+			   "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
-+		eap_notify_status(sm, "unsafe server renegotiation", "failure");
-+		break;
- 	}
- 
- 	os_free(hash_hex);
--- 
-2.35.1
-

SOURCES/wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch

@@ -0,0 +1,50 @@
+From 2514856652f9a393e505d542cb8f039f8bac10f5 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <janne-fdr@jannau.net>
+Date: Sun, 4 Aug 2024 13:24:42 +0200
+Subject: [PATCH 1/1] Revert "Mark authorization completed on driver indication
+ during 4-way HS offload"
+
+This reverts commit 41638606054a09867fe3f9a2b5523aa4678cbfa5.
+---
+ wpa_supplicant/events.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 46e7cf1ab..7b3ef7205 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -4441,23 +4441,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
+ 		eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ 	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK) &&
+ 		   wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
+-		if (already_authorized) {
+-			/*
+-			 * We are done; the driver will take care of RSN 4-way
+-			 * handshake.
+-			 */
+-			wpa_supplicant_cancel_auth_timeout(wpa_s);
+-			wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
+-			eapol_sm_notify_portValid(wpa_s->eapol, true);
+-			eapol_sm_notify_eap_success(wpa_s->eapol, true);
+-		} else {
+-			/* Update port, WPA_COMPLETED state from the
+-			 * EVENT_PORT_AUTHORIZED handler when the driver is done
+-			 * with the 4-way handshake.
+-			 */
+-			wpa_msg(wpa_s, MSG_DEBUG,
+-				"ASSOC INFO: wait for driver port authorized indication");
+-		}
++		/*
++		 * We are done; the driver will take care of RSN 4-way
++		 * handshake.
++		 */
++		wpa_supplicant_cancel_auth_timeout(wpa_s);
++		wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
++		eapol_sm_notify_portValid(wpa_s->eapol, true);
++		eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ 	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) &&
+ 		   wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt)) {
+ 		/*
+-- 
+2.45.2
+

SOURCES/wpa_supplicant-assoc-timeout.patch

@@ -1,7 +1,6 @@
-diff -up wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c
---- wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c.assoc-timeout	2010-09-07 10:43:39.000000000 -0500
-+++ wpa_supplicant-0.7.3/wpa_supplicant/wpa_supplicant.c	2010-12-07 18:57:45.163457000 -0600
-@@ -1262,10 +1262,10 @@ void wpa_supplicant_associate(struct wpa
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -4619,10 +4619,10 @@ static void wpas_start_assoc_cb(struct w
  
  		if (assoc_failed) {
  			/* give IBSS a bit more time */

SOURCES/wpa_supplicant-config.patch

@@ -9,7 +9,7 @@ Subject: [PATCH] defconfig: Fedora configuration
 
 --- a/wpa_supplicant/defconfig
 +++ b/wpa_supplicant/defconfig
-@@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y
+@@ -149,7 +149,7 @@ CONFIG_EAP_PAX=y
  CONFIG_EAP_LEAP=y
  
  # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
@@ -18,7 +18,7 @@ Subject: [PATCH] defconfig: Fedora configuration
  
  # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
  # This requires CONFIG_EAP_AKA to be enabled, too.
-@@ -338,6 +338,7 @@ CONFIG_BACKEND=file
+@@ -350,6 +350,7 @@ CONFIG_BACKEND=file
  # Select which ciphers to use by default with OpenSSL if the user does not
  # specify them.
  #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
@@ -26,8 +26,8 @@ Subject: [PATCH] defconfig: Fedora configuration
  
  # If CONFIG_TLS=internal is used, additional library and include paths are
  # needed for LibTomMath. Alternatively, an integrated, minimal version of
-@@ -390,7 +391,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
- #CONFIG_DYNAMIC_EAP_METHODS=y
+@@ -418,7 +419,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
+ #CONFIG_NO_LOAD_DYNAMIC_EAP=y
  
  # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 -CONFIG_IEEE80211R=y
@@ -35,7 +35,7 @@ Subject: [PATCH] defconfig: Fedora configuration
  
  # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
  CONFIG_DEBUG_FILE=y
-@@ -469,7 +470,7 @@ CONFIG_DEBUG_SYSLOG=y
+@@ -497,7 +498,7 @@ CONFIG_DEBUG_SYSLOG=y
  # Should we attempt to use the getrandom(2) call that provides more reliable
  # yet secure randomness source than /dev/random on Linux 3.17 and newer.
  # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
@@ -44,7 +44,16 @@ Subject: [PATCH] defconfig: Fedora configuration
  
  # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
  CONFIG_IEEE80211AC=y
-@@ -587,7 +588,7 @@ CONFIG_IBSS_RSN=y
+@@ -510,7 +511,7 @@ CONFIG_IEEE80211AX=y
+ # Note: This is experimental and work in progress. The definitions are still
+ # subject to change and this should not be expected to interoperate with the
+ # final IEEE 802.11be version.
+-#CONFIG_IEEE80211BE=y
++CONFIG_IEEE80211BE=y
+ 
+ # Wireless Network Management (IEEE Std 802.11v-2011)
+ # Note: This is experimental and not complete implementation.
+@@ -625,7 +626,7 @@ CONFIG_IBSS_RSN=y
  #CONFIG_PMKSA_CACHE_EXTERNAL=y
  
  # Mesh Networking (IEEE 802.11s)
@@ -53,7 +62,7 @@ Subject: [PATCH] defconfig: Fedora configuration
  
  # Background scanning modules
  # These can be used to request wpa_supplicant to perform background scanning
-@@ -601,7 +602,7 @@ CONFIG_BGSCAN_SIMPLE=y
+@@ -639,7 +640,7 @@ CONFIG_BGSCAN_SIMPLE=y
  
  # Opportunistic Wireless Encryption (OWE)
  # Experimental implementation of draft-harkins-owe-07.txt
@@ -62,10 +71,10 @@ Subject: [PATCH] defconfig: Fedora configuration
  
  # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
  CONFIG_DPP=y
-@@ -633,3 +634,6 @@ CONFIG_DPP2=y
- # design is still subject to change. As such, this should not yet be enabled in
- # production use.
- #CONFIG_PASN=y
+@@ -686,3 +687,6 @@ CONFIG_DPP2=y
+ 
+ # Wi-Fi Aware unsynchronized service discovery (NAN USD)
+ #CONFIG_NAN_USD=y
 +#
 +CONFIG_SUITEB192=y
 +

SOURCES/wpa_supplicant-gui-qt4.patch

@@ -11,7 +11,7 @@ different locations.
 
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
-@@ -35,6 +35,9 @@ export INCDIR ?= /usr/local/include
+@@ -46,6 +46,9 @@ export INCDIR ?= /usr/local/include
  export BINDIR ?= /usr/local/sbin
  PKG_CONFIG ?= pkg-config
  
@@ -21,7 +21,7 @@ different locations.
  CFLAGS += $(EXTRA_CFLAGS)
  CFLAGS += -I$(abspath ../src)
  CFLAGS += -I$(abspath ../src/utils)
-@@ -2039,10 +2042,10 @@ wpa_gui:
+@@ -2156,10 +2159,10 @@ wpa_gui:
  	@echo "wpa_gui has been removed - see wpa_gui-qt4 for replacement"
  
  wpa_gui-qt4/Makefile:

SOURCES/wpa_supplicant-quiet-scan-results-message.patch

@@ -7,11 +7,9 @@ Subject: [PATCH 1/2] quiet an annoying and frequent syslog message
  wpa_supplicant/events.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
-index abe3b47..72a0412 100644
 --- a/wpa_supplicant/events.c
 +++ b/wpa_supplicant/events.c
-@@ -1555,11 +1555,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+@@ -2504,11 +2504,11 @@ static int _wpa_supplicant_event_scan_re
  	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
  	    wpa_s->manual_scan_use_id && wpa_s->own_scan_running &&
  	    own_request && !(data && data->scan_info.external_scan)) {
@@ -25,6 +23,3 @@ index abe3b47..72a0412 100644
  	}
  	wpas_notify_scan_results(wpa_s);
  
--- 
-2.9.3
-

SPECS/wpa_supplicant.spec

@@ -8,8 +8,8 @@
 Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
-Version: 2.10
-Release: 4%{?dist}
+Version: 2.11
+Release: 2%{?dist}
 License: BSD
 Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1: wpa_supplicant.conf
@@ -29,11 +29,8 @@ Patch2: wpa_supplicant-flush-debug-output.patch
 Patch3: wpa_supplicant-quiet-scan-results-message.patch
 # distro specific customization for Qt4 build tools, not suitable for upstream
 Patch4: wpa_supplicant-gui-qt4.patch
-# backport fix for bz2063730
-Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch
-# backport fix for bz2077973
-Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch
-Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch
+# backport fix for a regression introduced with upstream version 2.11
+Patch5: wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -194,6 +191,18 @@ chmod -R 0644 wpa_supplicant/examples/*.py
 
 
 %changelog
+* Thu Feb 13 2025 Davide Caratti <dcaratti@redhat.com> - 1:2.11-2
+- Enable CONFIG_IEEE80211BE (RHEL-10237)
+
+* Thu Nov 28 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.11-1
+- Update to upstream version 2.11 (plus a follow-up backport)
+  Resolves: RHEL-10237, RHEL-58725
+
+* Thu Feb 22 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.10-5
+- Support macsec HW offload.
+  Resolves: RHEL-22440
+- Backport fix for PEAP client (CVE-2023-52160)
+
 * Fri May 13 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-4
 - Explicitly allow/disallow unsafe legacy renegotiation on configuration base.
   Resolves: rhbz#2077973