I have prepared an update for freeradius. The changelog is:
freeradius (2.1.12+dfsg-1.2+deb7u1) wheezy-security; urgency=medium
* Non-maintainer upload by the LTS team.
* CVE-2014-2015: Stack-based buffer overflow in the normify
function in the rlm_pap module.
CVE-2015-4680: Properly check revocation of intermediate CA
certificates. For this to happen, the check_all_crl option of the
EAP TLS section needs to be enabled in eap.conf.
CVE-2017-9148: Disable TLS session cache, since it fails to prevent
resumption of unauthenticated sessions, allowing remote attackers
(such as malicious 802.1X supplicants) to bypass authentication via
PEAP or TTLS without sending valid credentials.
-- Emilio Pozuelo Monfort <firstname.lastname@example.org> Wed, 31 May 2017 18:31:47 +0200
Packages are available for amd64 from . Source and debdiff are also included.
I have done some basic testing. Some extra testing in more advanced setups would
Note that the fix for CVE-2015-4680 doesn't include the template changes to the
conffile, to avoid unnecessary prompts and as not everyone needs to enable this
option. This will be explained in the advisory.
I will upload freeradius in the next few days if there is no feedback.
Pkg-freeradius-maintainers mailing list