[Pkg-freeradius-maintainers] Bug#868761: freeradius: New upstream version 2.2.10 fixing security critical bugs

Karsten Heymann karsten.heymann at gmail.com
Tue Jul 18 10:51:49 UTC 2017


Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
Package: freeradius
Version: 2.2.5+dfsg-0.2
Justification: user security hole
Severity: grave
Tags: security upstream

The freeradius team released version 2.2.10 fixing several important
security issues found by a fuzzing analysis.

See:
http://freeradius.org/press/index.html#2.2.10
http://freeradius.org/security/fuzzer-2017.html

The following issues were found for v2 of freeradius up to 2.2.9:
- CVE-2017-10978. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10979. Remote code execution is possible. A denial of
service is possible.

The following affect only the DHCP part of freeradius, which is seldom used:
- CVE-2017-10980. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10981. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10982. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10983. No remote code execution is possible. A denial of
service is possible.

I'm not sure what the best way to proceed is. As I assume updating the
package in oldstable to 2.2.10 is not a realistic option, my guess
would be that at least CVE-2017-10978 and CVE-2017-10979 should be
fixed in the code by backporting the relevant fixes. This is even
more critical as there is no backport of freeradius 3 in jessie, and
it is not possible to create or update backports for oldstable.

-- System Information:
Debian Release: 8.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeradius depends on:
ii  adduser            3.113+nmu3
ii  ca-certificates    20141019+deb8u3
ii  freeradius-common  2.2.5+dfsg-0.2
ii  libc6              2.19-18+deb8u10
ii  libfreeradius2     2.2.5+dfsg-0.2
ii  libgdbm3           1.8.3-13.1
ii  libltdl7           2.4.2-1.11+b1
ii  libpam0g           1.1.8-3.1+deb8u2
ii  libperl5.20        5.20.2-3+deb8u7
ii  libpython2.7       2.7.9-2+deb8u1
ii  libssl1.0.0        1.0.1t-1+deb8u6
ii  lsb-base           4.1+Debian13+nmu1
ii  ssl-cert           1.0.35

Versions of packages freeradius recommends:
ii  freeradius-utils  2.2.5+dfsg-0.2

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        2.2.5+dfsg-0.2
ii  freeradius-mysql       2.2.5+dfsg-0.2
pn  freeradius-postgresql  <none>

-- Configuration Files:
/etc/freeradius/clients.conf changed [not included]
/etc/freeradius/eap.conf changed [not included]
/etc/freeradius/ldap.attrmap changed [not included]
/etc/freeradius/modules/ldap changed [not included]
/etc/freeradius/modules/pap changed [not included]
/etc/freeradius/sites-available/control-socket changed [not included]
/etc/freeradius/sites-available/default changed [not included]
/etc/freeradius/sites-available/inner-tunnel changed [not included]
/etc/freeradius/sql.conf changed [not included]
/etc/freeradius/users changed [not included]

-- no debconf information
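An added triage helper for the situation described in the report above; it is not part of the bug report or of the freeradius project. It reduces a Debian package version such as "2.2.5+dfsg-0.2" to its upstream version, checks whether that falls in the range the report gives for the server CVEs (2.x below 2.2.10), and separately checks whether a DHCP listener is configured, since CVE-2017-10980 to CVE-2017-10983 only matter when DHCP is in use. Assumptions: the affected range is taken as every 2.x release before 2.2.10, and the DHCP listener is recognised by an uncommented `type = dhcp` directive in a `listen` section, which is how the freeradius 2.x site config enables it. The sample config is constructed for the demonstration. Because Debian may backport fixes without changing the upstream version, a hit here is an upper bound on exposure, not proof of vulnerability.

```shell
#!/bin/sh
# Added example, not from the bug report or the freeradius project.
# Assumptions: server CVEs (CVE-2017-10978/10979) affect 2.x < 2.2.10;
# DHCP-only CVEs (CVE-2017-10980..10983) need "type = dhcp" in a listen block.
# A Debian revision such as "+deb8u1" may carry backported fixes, so an
# "affected" verdict is an upper bound, not proof.

# upstream_version "1:2.2.5+dfsg-0.2" -> "2.2.5"
upstream_version() {
    v=$1
    v=${v#*:}      # drop an epoch prefix such as "1:"
    v=${v%%+*}     # drop "+dfsg..." and everything after it
    v=${v%%-*}     # drop the Debian revision
    printf '%s\n' "$v"
}

# version_lt A B : exit 0 if A < B, comparing dotted numeric components.
version_lt() {
    a=$1; b=$2; i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# affected DEBIAN_VERSION : exit 0 if the upstream part is 2.x below 2.2.10.
affected() {
    u=$(upstream_version "$1")
    case $u in
        2.*) version_lt "$u" 2.2.10 ;;
        *)   return 1 ;;
    esac
}

# dhcp_listener_configured FILE : exit 0 if an uncommented "type = dhcp"
# directive is present, i.e. the DHCP listener is enabled.
dhcp_listener_configured() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*type[[:space:]]*=[[:space:]]*dhcp'
}

# triage DEBIAN_VERSION CONFIG_FILE : print which CVE groups apply.
triage() {
    if affected "$1"; then
        printf '%s: CVE-2017-10978/10979 apply (upstream %s < 2.2.10)\n' \
            "$1" "$(upstream_version "$1")"
        if dhcp_listener_configured "$2"; then
            printf '%s: DHCP listener enabled, CVE-2017-10980..10983 also apply\n' "$1"
        else
            printf '%s: no DHCP listener, DHCP-only CVEs not exposed\n' "$1"
        fi
    else
        printf '%s: not in the affected 2.x range\n' "$1"
    fi
}

# Constructed sample site config (not a real system file).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# sites-enabled/dhcp (constructed sample)
listen {
    ipaddr = *
    port = 67
    type = dhcp
}
EOF

triage "2.2.5+dfsg-0.2" "$sample_cfg"   # the version from this report
triage "2.2.10+dfsg-1" "$sample_cfg"    # the fixed upstream release
rm -f "$sample_cfg"
```

On a real host, feed `triage` the output of `dpkg-query -W -f '${Version}' freeradius` and each file under `/etc/freeradius/sites-enabled/`; a commented-out `type = dhcp` line is deliberately ignored, which is the case the grep's comment filter handles.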
