[Pkg-freeradius-maintainers] Bug#868761: Bug#868761: freeradius: New upstream version 2.2.10 fixing security critical bugs

Michael Stapelberg stapelberg at debian.org
Tue Jul 18 11:15:43 UTC 2017


Help with this would be appreciated. I’m not sure about the appropriate
processes, so if you could clarify that with the security/release team,
that’d be helpful.

On Tue, Jul 18, 2017 at 3:51 AM, Karsten Heymann <karsten.heymann at gmail.com>
wrote:

> Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
> Package: freeradius
> Version: 2.2.5+dfsg-0.2
> Justification: user security hole
> Severity: grave
> Tags: security upstream
>
> The freeradius team released version 2.2.10 fixing several important
> security issues found by a fuzzing analysis.
>
> See:
> http://freeradius.org/press/index.html#2.2.10
> http://freeradius.org/security/fuzzer-2017.html
>
> The following issues were found for v2 of freeradius up to 2.2.9:
> - CVE-2017-10978. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10979. Remote code execution is possible. A denial of service is possible.
>
> The following affect only the DHCP part of freeradius, which is seldom used:
> - CVE-2017-10980. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10981. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10982. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10983. No remote code execution is possible. A denial of service is possible.
>
> I'm not sure what the best way to proceed is. As I assume updating the
> package in oldstable to 2.2.10 is not a realistic option, my guess
> would be that at least CVE-2017-10978 and CVE-2017-10979 should be
> fixed in the code by backporting the relevant fixes. This is even
> more critical as there is no backport of freeradius 3 in jessie, and
> it is not possible to create or update backports for oldstable.
>
> -- System Information:
> Debian Release: 8.8
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> ii  adduser            3.113+nmu3
> ii  ca-certificates    20141019+deb8u3
> ii  freeradius-common  2.2.5+dfsg-0.2
> ii  libc6              2.19-18+deb8u10
> ii  libfreeradius2     2.2.5+dfsg-0.2
> ii  libgdbm3           1.8.3-13.1
> ii  libltdl7           2.4.2-1.11+b1
> ii  libpam0g           1.1.8-3.1+deb8u2
> ii  libperl5.20        5.20.2-3+deb8u7
> ii  libpython2.7       2.7.9-2+deb8u1
> ii  libssl1.0.0        1.0.1t-1+deb8u6
> ii  lsb-base           4.1+Debian13+nmu1
> ii  ssl-cert           1.0.35
>
> Versions of packages freeradius recommends:
> ii  freeradius-utils  2.2.5+dfsg-0.2
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> ii  freeradius-ldap        2.2.5+dfsg-0.2
> ii  freeradius-mysql       2.2.5+dfsg-0.2
> pn  freeradius-postgresql  <none>
>
> -- Configuration Files:
> /etc/freeradius/clients.conf changed [not included]
> /etc/freeradius/eap.conf changed [not included]
> /etc/freeradius/ldap.attrmap changed [not included]
> /etc/freeradius/modules/ldap changed [not included]
> /etc/freeradius/modules/pap changed [not included]
> /etc/freeradius/sites-available/control-socket changed [not included]
> /etc/freeradius/sites-available/default changed [not included]
> /etc/freeradius/sites-available/inner-tunnel changed [not included]
> /etc/freeradius/sql.conf changed [not included]
> /etc/freeradius/users changed [not included]
>
> -- no debconf information
>



-- 
Best regards,
Michael