[Pkg-freeradius-maintainers] Bug#863673: Bug#863673: CVE-2017-9148: FreeRADIUS TLS resumption authentication bypass

Michael Stapelberg stapelberg at debian.org
Wed Jun 7 06:30:31 UTC 2017


Thanks for your reply. I don’t have a way to test the vulnerability either.
I’d trust Pavel’s assessment and call this done.

On Wed, Jun 7, 2017 at 7:10 AM, Salvatore Bonaccorso <carnil at debian.org> wrote:

> Hi Michael
>
> Looks like it was good that we first let the issue settle a bit with respect to
> a jessie(-security) upload:
>
> On Thu, Jun 01, 2017 at 11:09:17PM +0200, Michael Stapelberg wrote:
> > The original question of how to proceed still stands. I sent the patch in
> > my previous message; do you want me to upload it, or do you want to upload
> > it? If I should do it, let me state for the record that I have no idea what
> > I’m doing (I never uploaded to anything but unstable/experimental).
>
> I learned of http://www.openwall.com/lists/oss-security/2017/06/06/5 .
> Can you confirm, is this assessment correct (for us as well in
> stable)? We have a 2.2.5 based version in jessie, and according to
> upstream for the EOL versions only 2.1.1 through 2.1.7 are affected by
> the problem.
>
> I do not have a way to test the vulnerability on my own.
>
> Regards,
> Salvatore
>



-- 
Best regards,
Michael