Hi Randy and Alex,
I appreciate the feedback and your concern regarding upgrades in stable-branches.
> This update makes sense for the master branch but likely not for scarthgap unless you can show that
> this is a bug fix only release.
- This release is for sure not a bug-fix-only release. It does include support for new features and can never be classified as a bug-fix-only release.
> You'll have to backport any CVE fixes that you're interested in unless
> someone explains why this is a sensible update for scarthgap.
- I do understand that upgrades are avoided in stable/LTS branches, as they might break compatibility and result in various compilation issues.
- However, that would only happen if the backward compatibility of the new upgrade is questionable.
- Generally every new release will have API or ABI symbols added, but if API or ABI symbols are removed from shared libraries or binaries it is a matter of concern, as it would be the cause of breakage.
- For this release, there are no ABI symbols or API removed from the binaries and shared libraries. You can cross-check it in different ways (there are open-source tools to check, or it can be checked by manually comparing the header files).
- I have my own script to do so, and I always check backward compatibility before submitting any upgrades; since it was all clear for wpa-supplicant, I went ahead with the upgrade.
However, if the opinion is still that the upgrade should be avoided, let me know and I will submit the CVE patch for the same.
Regards,
Siddharth
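As an added example (not Siddharth's script, and not code from the wpa_supplicant project or the mailing list), the following POSIX shell script performs the removed-symbol check the reply describes: it compares the exported symbols of the old and new builds of a shared library and flags anything that disappeared, which is the kind of ABI break a stable branch cannot absorb. It assumes the symbol lists were produced with `nm -D --defined-only` on each build; the paths in the comments are hypothetical, and the two lists embedded below are constructed inline (symbol names follow libwpa_client's wpa_ctrl API, but the one addition and one removal are invented for the demonstration and say nothing about the real release). For a fuller check that also catches changed struct layouts and function signatures, `abidiff` from libabigail is one of the open-source tools such a review would reach for.

```shell
#!/bin/sh
# Added example, not from the original mail or from wpa_supplicant.
# Flags exported symbols that an upgrade removed from a shared library.
# Real symbol lists are produced like this (paths are hypothetical):
#   nm -D --defined-only old/libwpa_client.so | awk '{print $3}' | sort -u > old.syms
#   nm -D --defined-only new/libwpa_client.so | awk '{print $3}' | sort -u > new.syms
# The lists used below are constructed inline so the script runs with no binaries.

# removed_symbols OLD NEW: symbols exported by OLD but not by NEW, one per line.
# Anything printed here means existing consumers may fail to link or to load.
removed_symbols() {
    _old=$(mktemp); _new=$(mktemp)
    sort -u "$1" > "$_old"
    sort -u "$2" > "$_new"
    comm -23 "$_old" "$_new"      # lines only in the first (old) list
    rm -f "$_old" "$_new"
}

# added_symbols OLD NEW: symbols only in the new build; harmless for ABI compatibility.
added_symbols() {
    _old=$(mktemp); _new=$(mktemp)
    sort -u "$1" > "$_old"
    sort -u "$2" > "$_new"
    comm -13 "$_old" "$_new"      # lines only in the second (new) list
    rm -f "$_old" "$_new"
}

# abi_compatible OLD NEW: succeeds (exit 0) only when nothing was removed.
abi_compatible() {
    [ -z "$(removed_symbols "$1" "$2")" ]
}

# abi_report OLD NEW: human-readable summary; exit status 1 on any removal.
abi_report() {
    added=$(added_symbols "$1" "$2")
    removed=$(removed_symbols "$1" "$2")
    [ -n "$added" ] && printf 'added (compatible):\n%s\n' "$added"
    if [ -n "$removed" ]; then
        printf 'REMOVED (ABI break):\n%s\n' "$removed"
        return 1
    fi
    echo 'no exported symbols removed'
}

# Constructed sample lists. The "old" set has wpa_ctrl_get_fd, the "new" set drops
# it and gains wpa_ctrl_open2; this is invented data for the demonstration only.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/old.syms" <<'EOF'
wpa_ctrl_attach
wpa_ctrl_close
wpa_ctrl_detach
wpa_ctrl_get_fd
wpa_ctrl_open
wpa_ctrl_pending
wpa_ctrl_recv
wpa_ctrl_request
EOF
cat > "$SAMPLE_DIR/new.syms" <<'EOF'
wpa_ctrl_attach
wpa_ctrl_close
wpa_ctrl_detach
wpa_ctrl_open
wpa_ctrl_open2
wpa_ctrl_pending
wpa_ctrl_recv
wpa_ctrl_request
EOF

# Stand-alone run: the constructed upgrade is rejected because of the removal.
abi_report "$SAMPLE_DIR/old.syms" "$SAMPLE_DIR/new.syms" \
    || echo 'verdict: not ABI compatible, needs justification before a stable branch takes it'
```

Additions show up as compatible, removals fail the check. The same `comm`-based diff works on lists of declarations pulled from the public headers when the question is API rather than ABI, and on `readelf --dyn-syms` output where `nm` is unavailable.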