
Please test freeradius for wheezy LTS


I have prepared an update for freeradius. The changelog is:

freeradius (2.1.12+dfsg-1.2+deb7u1) wheezy-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2014-2015: Stack-based buffer overflow in the normify
    function in the rlm_pap module.
    CVE-2015-4680: Properly check revocation of intermediate CA
    certificates. For this to happen, the check_all_crl option of the
    EAP TLS section needs to be enabled in eap.conf.
    CVE-2017-9148: Disable TLS session cache, since it fails to prevent
    resumption of unauthenticated sessions, allowing remote attackers
    (such as malicious 802.1X supplicants) to bypass authentication via
    PEAP or TTLS without sending valid credentials.

 -- Emilio Pozuelo Monfort <pochu@debian.org>  Wed, 31 May 2017 18:31:47 +0200

Packages are available for amd64 from [1]. Source and debdiff are also included.

[1] https://people.debian.org/~pochu/lts/freeradius/

I have done some basic testing. Some extra testing in more advanced setups would
be appreciated.

Note that the fix for CVE-2015-4680 doesn't include the template changes to the
conffile, to avoid unnecessary prompts and as not everyone needs to enable this
option. This will be explained in the advisory.

I will upload freeradius in the next few days if there is no feedback.

