[Pkg-freeradius-maintainers] Bug#868765: freeradius: New upstream version 3.0.15 fixing security critical bugs
Karsten Heymann
karsten.heymann at gmail.com
Tue Jul 18 11:06:04 UTC 2017
Package: freeradius
Version: 3.0.12+dfsg-5
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Maintainer,
the freeradius team released version 3.0.15 fixing several important
security issues found by a fuzzing analysis.
See:
http://freeradius.org/press/index.html#3.0.15
http://freeradius.org/security/fuzzer-2017.html
The following issues were found for v3 of freeradius up to 3.0.14:
- CVE-2017-10978. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10984. Remote code execution is possible. A denial of
service is possible.
- CVE-2017-10985. No remote code execution is possible. A denial of
service is possible.
The following affect only the DHCP part of freeradius, which is seldom used:
- CVE-2017-10983. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10986. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10987. No remote code execution is possible. A denial of
service is possible.
Please update the package accordingly.
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeradius depends on:
ii freeradius-common 3.0.12+dfsg-5
ii freeradius-config 3.0.12+dfsg-5
ii libc6 2.24-11+deb9u1
ii libcap2 1:2.25-1
ii libfreeradius3 3.0.12+dfsg-5
ii libgdbm3 1.8.3-14
ii libpam0g 1.1.8-3.6
ii libpcre3 2:8.39-3
ii libperl5.24 5.24.1-3
ii libpython2.7 2.7.13-2
ii libreadline7 7.0-3
ii libsqlite3-0 3.16.2-5
ii libssl1.1 1.1.0f-3
ii libtalloc2 2.1.8-1
ii libwbclient0 2:4.5.8+dfsg-2+deb9u1+b1
ii lsb-base 9.20161125
Versions of packages freeradius recommends:
pn freeradius-utils <none>
Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
pn freeradius-ldap <none>
pn freeradius-mysql <none>
pn freeradius-postgresql <none>
pn snmp <none>
-- no debconf information