diff -Nru wpa-2.10/debian/.gitignore wpa-2.10/debian/.gitignore
--- wpa-2.10/debian/.gitignore 2023-12-25 09:47:06.000000000 +0000
+++ wpa-2.10/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-*.debhelper
-*.substvars
-.debhelper/
-debhelper-build-stamp
-eapoltest/
-files
-hostapd/
-libwpa-client-dev/
-wpagui/
-wpasupplicant-udeb/
-wpasupplicant/
diff -Nru wpa-2.10/debian/NEWS wpa-2.10/debian/NEWS
--- wpa-2.10/debian/NEWS 2023-12-25 09:47:06.000000000 +0000
+++ wpa-2.10/debian/NEWS 2024-08-02 12:06:25.000000000 +0000
@@ -1,3 +1,20 @@
+wpa (2:2.10-21ubuntu0.1) noble-security; urgency=medium
+
+ With this release, wpa_supplicant enforces stricter security by only loading
+ shared objects for opensc_engine_path, pkcs11_engine_path, and
+ pkcs11_module_path if they are located within the /usr/lib directory. If any
+ shared object is outside this trusted path, wpa_supplicant will refuse to load
+ it and log an error:
+
+ ENGINE: Failed to load OpenSC Engine from **: Not in trusted path /usr/lib/
+
+ To comply with this new security measure, ensure that the shared objects
+ (actual files, not symlinks) specified in your wpa_supplicant configuration
+ are copied to any directory within /usr/lib. Update the configuration paths
+ accordingly.
+
+ -- Sudhakar Verma Fri, 02 Aug 2024 17:36:25 +0530
+
 wpasupplicant (2:2.6-19) unstable; urgency=medium
+
 With this release, wpasupplicant no longer respects the system
diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog 2023-12-25 09:47:06.000000000 +0000
+++ wpa-2.10/debian/changelog 2024-08-02 12:06:25.000000000 +0000
@@ -1,3 +1,36 @@
+wpa (2:2.10-21ubuntu0.1) noble-security; urgency=medium
+
+ * SECURITY UPDATE: loading arbitrary shared objects, privilege escalation
+ - debian/patches/lib_engine_trusted_path.patch: Allow shared objects
+ to only be loaded from /usr/lib, thanks to mdeslaur
+ - CVE-2024-5290
+
+ -- Sudhakar Verma Fri, 02 Aug 2024 17:36:25 +0530
+
+wpa (2:2.10-21build4) noble; urgency=medium
+
+ * No-change rebuild against libssl3t64 and libqt5core5t64.
+
+ -- Colin Watson Sun, 14 Apr 2024 23:43:08 +0100
+
+wpa (2:2.10-21build3) noble; urgency=medium
+
+ * No-change rebuild for CVE-2024-3094
+
+ -- Steve Langasek Sun, 31 Mar 2024 17:25:51 +0000
+
+wpa (2:2.10-21build2) noble; urgency=medium
+
+ * No-change rebuild against libqt5core5t64
+
+ -- Steve Langasek Fri, 15 Mar 2024 07:30:42 +0000
+
+wpa (2:2.10-21build1) noble; urgency=medium
+
+ * No-change rebuild against libssl3t64
+
+ -- Steve Langasek Tue, 05 Mar 2024 02:16:39 +0000
+
 wpa (2:2.10-21) unstable; urgency=medium
 [ Jan Van Buggenhout ]
diff -Nru wpa-2.10/debian/control wpa-2.10/debian/control
--- wpa-2.10/debian/control 2023-12-25 09:47:06.000000000 +0000
+++ wpa-2.10/debian/control 2024-03-05 02:16:39.000000000 +0000
@@ -1,5 +1,6 @@
 Source: wpa
-Maintainer: Debian wpasupplicant Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian wpasupplicant Maintainers
 Uploaders: Andrej Shadura
 Section: net
diff -Nru wpa-2.10/debian/patches/lib_engine_trusted_path.patch wpa-2.10/debian/patches/lib_engine_trusted_path.patch
--- wpa-2.10/debian/patches/lib_engine_trusted_path.patch 1970-01-01 00:00:00.000000000 +0000
+++ wpa-2.10/debian/patches/lib_engine_trusted_path.patch 2024-08-02 12:06:25.000000000 +0000
@@ -0,0 +1,114 @@
+Description: only load libraries from trusted path
+Author: Marc Deslauriers
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
+
+--- wpa-2.10.orig/src/crypto/tls_openssl.c
++++ wpa-2.10/src/crypto/tls_openssl.c
+@@ -862,6 +862,7 @@ static int tls_engine_load_dynamic_gener
+ return 0;
+ }
+
++#define TRUSTED_PATH "/usr/lib/"
+
+ /**
+ * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
+@@ -871,6 +872,8 @@ static int tls_engine_load_dynamic_gener
+ static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
+ const char *pkcs11_module_path)
+ {
++ char real_pkcs11_so_path[PATH_MAX];
++ char real_pkcs11_module_path[PATH_MAX];
+ char *engine_id = "pkcs11";
+ const char *pre_cmd[] = {
+ "SO_PATH", NULL /* pkcs11_so_path */,
+@@ -888,15 +891,47 @@ static int tls_engine_load_dynamic_pkcs1
+ if (!pkcs11_so_path)
+ return 0;
+
+- pre_cmd[1] = pkcs11_so_path;
++ if (realpath(pkcs11_so_path, real_pkcs11_so_path) == NULL) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Engine from %s: realpath: %s",
++ pkcs11_so_path,
++ strerror(errno));
++ return -1;
++ }
++
++ if (strncmp(TRUSTED_PATH, real_pkcs11_so_path, strlen(TRUSTED_PATH)) != 0) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Engine from %s: Not in trusted path %s",
++ pkcs11_so_path,
++ TRUSTED_PATH);
++ return -1;
++ }
++
++ pre_cmd[1] = real_pkcs11_so_path;
+ pre_cmd[3] = engine_id;
+- if (pkcs11_module_path)
+- post_cmd[1] = pkcs11_module_path;
+- else
+- post_cmd[0] = NULL;
+
+- wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
+- pkcs11_so_path);
++ if (pkcs11_module_path) {
++ if (realpath(pkcs11_module_path, real_pkcs11_module_path) == NULL) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Module from %s: realpath: %s",
++ pkcs11_module_path,
++ strerror(errno));
++ return -1;
++ }
++
++ if (strncmp(TRUSTED_PATH, real_pkcs11_module_path, strlen(TRUSTED_PATH)) != 0) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Module from %s: Not in trusted path %s",
++ pkcs11_module_path,
++ TRUSTED_PATH);
++ return -1;
++ }
++
++ wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s with module %s",
++ real_pkcs11_so_path, real_pkcs11_module_path);
++
++ post_cmd[1] = real_pkcs11_module_path;
++ } else {
++ wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
++ real_pkcs11_so_path);
++ post_cmd[0] = NULL;
++ }
+
+ return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
+ }
+@@ -908,6 +943,7 @@ static int tls_engine_load_dynamic_pkcs1
+ */
+ static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
+ {
++ char real_opensc_so_path[PATH_MAX];
+ char *engine_id = "opensc";
+ const char *pre_cmd[] = {
+ "SO_PATH", NULL /* opensc_so_path */,
+@@ -920,11 +956,25 @@ static int tls_engine_load_dynamic_opens
+ if (!opensc_so_path)
+ return 0;
+
+- pre_cmd[1] = opensc_so_path;
++ if (realpath(opensc_so_path, real_opensc_so_path) == NULL) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load OpenSC Engine from %s: realpath: %s",
++ opensc_so_path,
++ strerror(errno));
++ return -1;
++ }
++
++ if (strncmp(TRUSTED_PATH, real_opensc_so_path, strlen(TRUSTED_PATH)) != 0) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load OpenSC Engine from %s: Not in trusted path %s",
++ opensc_so_path,
++ TRUSTED_PATH);
++ return -1;
++ }
++
++ pre_cmd[1] = real_opensc_so_path;
+ pre_cmd[3] = engine_id;
+
+ wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
+- opensc_so_path);
++ real_opensc_so_path);
+
+ return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
+ }
diff -Nru wpa-2.10/debian/patches/series wpa-2.10/debian/patches/series
--- wpa-2.10/debian/patches/series 2023-12-25 09:47:06.000000000 +0000
+++ wpa-2.10/debian/patches/series 2024-08-02 12:04:37.000000000 +0000
@@ -14,3 +14,4 @@
 upstream-fixes/0014-wpa_supplicant-Fix-wpa_supplicant-configuration-pars.patch
 upstream-fixes/0015-Abort-ongoing-scan.patch
 upstream-fixes/0016-Override-ieee80211w-from-pmf-for-AP-mode-in-wpa_supp.patch
+lib_engine_trusted_path.patch