[Pkg-freeradius-maintainers] Bug#868761: freeradius: New upstream version 2.2.10 fixing security critical bugs
Karsten Heymann
karsten.heymann at gmail.com
Tue Jul 18 10:51:49 UTC 2017
Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
Package: freeradius
Version: 2.2.5+dfsg-0.2
Justification: user security hole
Severity: grave
Tags: security upstream
The freeradius team released version 2.2.10 fixing several important
security issues found by a fuzzing analysis.
See:
http://freeradius.org/press/index.html#2.2.10
http://freeradius.org/security/fuzzer-2017.html
The following issues were found for v2 of freeradius up to 2.2.9:
- CVE-2017-10978. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10979. Remote code execution is possible. A denial of
service is possible.
The following affect only the DHCP part of freeradius, which is seldomly used:
- CVE-2017-10980. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10981. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10982. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10983. No remote code execution is possible. A denial of
service is possible.
I'm not sure what's the best way to proceed. As I assume updating the
package in oldstable to 2.2.10 is not a realistic option, my guess
would be that at least CVE-2017-10978 and CVE-2017-10979 should be
fixed in the code via backporting the relevant fixes. This is even
more critical as there is no backport of freeradius 3 in jessie, and
it is not possible to create or update backports for oldstable.
-- System Information:
Debian Release: 8.8
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeradius depends on:
ii adduser 3.113+nmu3
ii ca-certificates 20141019+deb8u3
ii freeradius-common 2.2.5+dfsg-0.2
ii libc6 2.19-18+deb8u10
ii libfreeradius2 2.2.5+dfsg-0.2
ii libgdbm3 1.8.3-13.1
ii libltdl7 2.4.2-1.11+b1
ii libpam0g 1.1.8-3.1+deb8u2
ii libperl5.20 5.20.2-3+deb8u7
ii libpython2.7 2.7.9-2+deb8u1
ii libssl1.0.0 1.0.1t-1+deb8u6
ii lsb-base 4.1+Debian13+nmu1
ii ssl-cert 1.0.35
Versions of packages freeradius recommends:
ii freeradius-utils 2.2.5+dfsg-0.2
Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
ii freeradius-ldap 2.2.5+dfsg-0.2
ii freeradius-mysql 2.2.5+dfsg-0.2
pn freeradius-postgresql <none>
-- Configuration Files:
/etc/freeradius/clients.conf changed [not included]
/etc/freeradius/eap.conf changed [not included]
/etc/freeradius/ldap.attrmap changed [not included]
/etc/freeradius/modules/ldap changed [not included]
/etc/freeradius/modules/pap changed [not included]
/etc/freeradius/sites-available/control-socket changed [not included]
/etc/freeradius/sites-available/default changed [not included]
/etc/freeradius/sites-available/inner-tunnel changed [not included]
/etc/freeradius/sql.conf changed [not included]
/etc/freeradius/users changed [not included]
-- no debconf information
More information about the Pkg-freeradius-maintainers
mailing list