[Pkg-freeradius-maintainers] Bug#863673: Bug#863673: CVE-2017-9148: FreeRADIUS TLS resumption authentication bypass

Michael Stapelberg stapelberg at debian.org
Thu Jun 1 06:54:57 UTC 2017


I got the idea from https://www.debian.org/security/faq#upload. Is the FAQ
outdated, or did I read it wrong? If the latter, please elaborate so that
we can update the docs to be more clear.

Note that FreeRADIUS is not complex to test. The only functional tests I do
before uploading are running autopkgtest and checking whether a freshly
installed FreeRADIUS starts up.

Also note that the patch is rather simple — it permanently disables the TLS
session caching by replacing the config option with “false” in the code. I
have attached the corresponding patches for the jessie and wheezy version.

Please let me know how to proceed from here.

On Wed, May 31, 2017 at 10:32 PM, Moritz Muehlenhoff <jmm at debian.org> wrote:

> On Tue, May 30, 2017 at 05:50:20PM +0200, Michael Stapelberg wrote:
> > security-team, can you take care of applying the patch to stable and
> > oldstable please? Thank you.
>
> No, we generally expect maintainers to prepare/test security updates,
> particularly for packages which are complex to test like freeradius.
>
> Cheers,
>         Moritz
>



-- 
Best regards,
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wheezy.patch
Type: text/x-patch
Size: 1896 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-freeradius-maintainers/attachments/20170601/3fa88fca/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jessie.patch
Type: text/x-patch
Size: 1875 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-freeradius-maintainers/attachments/20170601/3fa88fca/attachment-0003.bin>
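The attached patches hard-code the session cache off in the source. The same mitigation can be applied through configuration on an installation that cannot be patched yet. The fragment below is an added illustration, not the author's patch or FreeRADIUS project code; it assumes the `tls { cache { } }` layout of the default `eap.conf` shipped with FreeRADIUS 2.x (the version line in the releases discussed), which is an assumption to verify against the local file.

```text
# raddb/eap.conf, inside the "tls" block (layout assumed from FreeRADIUS 2.x defaults)
tls {
        # ... certificate, key and cipher settings unchanged ...

        # Weak setting: with the cache enabled, clients may resume a cached
        # TLS session, which is the behaviour CVE-2017-9148 abuses to bypass
        # authentication.
        #
        # cache {
        #         enable = yes
        # }

        # Mitigated setting: every client must complete a full TLS
        # handshake and the full EAP authentication on each connection.
        cache {
                enable = no
        }
}
```

After changing the file, restart the daemon and confirm on a test client that a second connection is not resumed (a full handshake is visible in the debug output of `freeradius -X`). The attached patches make this the only possible behaviour regardless of the configured value.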

