Bug#692461: unblock radsecproxy/1.6.2-1
Package: release.debian.org
Severity: normal
Hi,
Please unblock radsecproxy 1.6.2-1. It's a security upload, complementing
1.4-1+squeeze1 and fixing two CVEs. Security team is aware and has reviewed the
upstream fixes for those -- in fact, the second vulnerability was found by
Raphael during the review.
radsecproxy (1.6.2-1) unstable; urgency=high

  * Urgency set to high for a security release.
  * New upstream release, fixing two security issues:
    - When verifying clients, don't consider config blocks with CA settings
      ('tls') which differ from the one used for verifying the certificate
      chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath.
    - Fix the issue with verification of clients when using multiple 'tls'
      config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566). Reported by
      Raphael Geissert.
  * Drop most of debian/patches/fix_manpages, merged upstream.
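To make the two changelog items concrete, here is an added toy model of the client-lookup rule they describe (the TLS case, CVE-2012-4523, and the DTLS case, CVE-2012-4566, are the same rule on two transports). It is illustrative code written for this page, not radsecproxy's own code; the TlsBlock/ClientBlock/PeerCert types, the sample 'tls' and 'client' blocks and the CA names are all hypothetical, and chain verification is reduced to an issuer-name comparison.

```python
# Added illustration (not radsecproxy code): a toy model of the client-lookup
# rule behind CVE-2012-4523 (TLS) and CVE-2012-4566 (DTLS). Every name here
# (TlsBlock, ClientBlock, PeerCert, "tlsA", "CA-A", "nas1", ...) is hypothetical.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class TlsBlock:
    """A 'tls' config block: which CA it trusts for peer certificates."""
    name: str
    ca: str


@dataclass(frozen=True)
class ClientBlock:
    """A 'client' config block: the 'tls' block it uses and the CN it expects."""
    name: str
    tls: str
    cert_cn: str


@dataclass(frozen=True)
class PeerCert:
    """The certificate a connecting client presented, reduced to CN + issuer."""
    cn: str
    issuer: str


def verify_chain(cert: PeerCert, tls_blocks: Sequence[TlsBlock]) -> Optional[TlsBlock]:
    """Simplified chain verification: return the 'tls' block whose CA issued
    the certificate, or None if no configured CA did."""
    for blk in tls_blocks:
        if blk.ca == cert.issuer:
            return blk
    return None


def match_client_vulnerable(cert, verifying_tls, clients):
    """Pre-1.6.2 rule as the changelog describes it: any 'client' block whose
    expected CN matches is considered, even one that references a different
    'tls' block (hence a different CA) than the one that verified the chain."""
    for c in clients:
        if c.cert_cn == cert.cn:
            return c
    return None


def match_client_fixed(cert, verifying_tls, clients):
    """1.6.2 rule: only 'client' blocks that use the same 'tls' block as the
    one that verified the chain are considered."""
    for c in clients:
        if c.tls == verifying_tls.name and c.cert_cn == cert.cn:
            return c
    return None


def authenticate(cert, tls_blocks, clients, matcher) -> Optional[str]:
    """Return the name of the accepted 'client' block, or None on rejection."""
    verifying_tls = verify_chain(cert, tls_blocks)
    if verifying_tls is None:
        return None
    match = matcher(cert, verifying_tls, clients)
    return match.name if match else None


# Constructed sample configuration: two 'tls' blocks trusting different CAs,
# and one client that is supposed to be authenticated by CA-A only.
TLS_BLOCKS = (TlsBlock("tlsA", "CA-A"), TlsBlock("tlsB", "CA-B"))
CLIENTS = (ClientBlock("nas1", "tlsA", "nas1.example.org"),)

LEGIT_CERT = PeerCert("nas1.example.org", "CA-A")     # issued by the CA nas1 uses
CROSS_CA_CERT = PeerCert("nas1.example.org", "CA-B")  # same CN, issued by CA-B


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("cross-CA", CROSS_CA_CERT)):
        print(label,
              "vulnerable:", authenticate(cert, TLS_BLOCKS, CLIENTS, match_client_vulnerable),
              "fixed:", authenticate(cert, TLS_BLOCKS, CLIENTS, match_client_fixed))
```

With both rules applied to the same configuration, the legitimate CA-A certificate is accepted as "nas1" either way, while the CA-B certificate carrying the same CN is accepted only under the old rule; the fixed rule rejects it because "nas1" is bound to the 'tls' block that did not verify that chain. The point a deployer should take from the manpage change mentioned below is the same: a 'client' block's identity check is only as strong as the CA of the 'tls' block it names.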
Here's the annotated diffstat between 1.6-1 and 1.6.2-1, excluding
configure.ac, config.{guess,sub} and (already-applied, source/format 3.0)
debian/patches:
  diff --exclude=.pc --exclude='patches' --exclude='config*' -Nurp \
      radsecproxy-1.6/ radsecproxy-1.6.2/ | diffstat

  debian/changelog       | 14 ++++++++++++++
  AUTHORS                |  1 +
  ChangeLog              | 19 ++++++++++++++++++-
  README                 |  2 +-
  radsecproxy.conf.5.xml | 19 +++++++++++++++----

Version updates & documentation. Note that the manpage change is needed
as it explains some of the circumstances around the security fix.

  aclocal.m4             |  4 ++--

AC_AUTOCONF_VERSION 2.65 -> 2.68. I realize that this, along with the
configure.ac update, may be unfortunate during the freeze, but it was the
only one that stood out and seems safe enough, so I opted against a
1.6-2 with everything else but this.

  tls.c                  | 28 +++++++++++++++-------------

Fix for CVE-2012-4523.

  dtls.c                 |  4 +++-

Fix for CVE-2012-4566.

  tools/naptr-eduroam.sh |  4 ++--

Two minor one-liners; that script is only shipped in doc/examples/
anyway.

  9 files changed, 71 insertions(+), 24 deletions(-)
Thanks,
Faidon