[Pkg-freeradius-maintainers] Bug#863673: Bug#863673: CVE-2017-9148: FreeRADIUS TLS resumption authentication bypass
Michael Stapelberg
stapelberg at debian.org
Tue May 30 15:50:20 UTC 2017
Upstream confirmed that my patch fixes the issue, so I uploaded it to
unstable.
See also
https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563
security-team, can you take care of applying the patch to stable and
oldstable please? Thank you.
On Tue, May 30, 2017 at 8:29 AM, Michael Stapelberg <stapelberg at debian.org>
wrote:
> control: owner -1 !
>
> I prepared a patch for this issue and emailed the FreeRADIUS security team
> asking for review. I’ll upload the patch once they confirm its
> effectiveness.
>
> On Mon, May 29, 2017 at 11:16 PM, Guido Günther <agx at sigxcpu.org> wrote:
>
>> Package: freeradius
>> Version: 3.0.12+dfsg-4
>> severity: grave
>>
>> Hi,
>>
>> the following vulnerability was published for freeradius.
>>
>> CVE-2017-9148[0]: FreeRADIUS TLS resumption authentication bypass
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-9148
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148
>>
>> Please adjust the affected versions in the BTS as needed.
>> Cheers,
>> -- Guido
>>
>
>
>
> --
> Best regards,
> Michael
>
--
Best regards,
Michael