[Pkg-freeradius-maintainers] Bug#868765: Bug#868765: freeradius: New upstream version 3.0.15 fixing security critical bugs

Michael Stapelberg stapelberg at debian.org
Tue Jul 18 11:15:00 UTC 2017


Thanks for the heads-up. I’ll work on packaging the new upstream release
later today.

On Tue, Jul 18, 2017 at 4:06 AM, Karsten Heymann <karsten.heymann at gmail.com>
wrote:

> Package: freeradius
> Version: 3.0.12+dfsg-5
> Severity: grave
> Tags: upstream security
> Justification: user security hole
>
> Dear Maintainer,
>
> the freeradius team released version 3.0.15 fixing several important
> security issues found by a fuzzing analysis.
>
> See:
> http://freeradius.org/press/index.html#3.0.15
> http://freeradius.org/security/fuzzer-2017.html
>
> The following issues were found for v3 of freeradius up to 3.0.14:
> - CVE-2017-10978. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10984. Remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10985. No remote code execution is possible. A denial of
> service is possible.
>
> The following affect only the DHCP part of freeradius, which is seldom
> used:
> - CVE-2017-10983. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10986. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10987. No remote code execution is possible. A denial of
> service is possible.
>
> Please update the package accordingly.
>
> -- System Information:
> Debian Release: 9.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> ii  freeradius-common  3.0.12+dfsg-5
> ii  freeradius-config  3.0.12+dfsg-5
> ii  libc6              2.24-11+deb9u1
> ii  libcap2            1:2.25-1
> ii  libfreeradius3     3.0.12+dfsg-5
> ii  libgdbm3           1.8.3-14
> ii  libpam0g           1.1.8-3.6
> ii  libpcre3           2:8.39-3
> ii  libperl5.24        5.24.1-3
> ii  libpython2.7       2.7.13-2
> ii  libreadline7       7.0-3
> ii  libsqlite3-0       3.16.2-5
> ii  libssl1.1          1.1.0f-3
> ii  libtalloc2         2.1.8-1
> ii  libwbclient0       2:4.5.8+dfsg-2+deb9u1+b1
> ii  lsb-base           9.20161125
>
> Versions of packages freeradius recommends:
> pn  freeradius-utils  <none>
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> pn  freeradius-ldap        <none>
> pn  freeradius-mysql       <none>
> pn  freeradius-postgresql  <none>
> pn  snmp                   <none>
>
> -- no debconf information
>



-- 
Best regards,
Michael