[Pkg-freeradius-maintainers] Bug#863673: Bug#863673: CVE-2017-9148: FreeRADIUS TLS resumption authentication bypass

Salvatore Bonaccorso carnil at debian.org
Wed Jun 7 05:10:06 UTC 2017


Hi Michael

Looks like it was good that we first let the issue settle a bit with respect to
a jessie(-security) upload:

On Thu, Jun 01, 2017 at 11:09:17PM +0200, Michael Stapelberg wrote:
> The original question of how to proceed still stands. I sent the patch in
> my previous message; do you want me to upload it, or do you want to upload
> it? If I should do it, let me state for the record that I have no idea what
> I’m doing (I never uploaded to anything but unstable/experimental).

I learned of http://www.openwall.com/lists/oss-security/2017/06/06/5 .
Can you confirm, is this assessment correct (for us as well in
stable)? We have a 2.2.5 based version in jessie, and according to
upstream for the EOL versions only 2.1.1 through 2.1.7 are affected by
the problem.

I do not have a way to test the vulnerability on my own.

Regards,
Salvatore
