Your message dated Thu, 26 May 2005 21:17:09 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#307720: fixed in freeradius 1.0.2-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 26 May 2005 11:04:00 +0000
Date: Thu, 26 May 2005 13:03:30 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: freeradius: [CAN-2005-1455] buffer overflow
Message-ID: <[EMAIL PROTECTED]>
Package: freeradius
Version: 1.0.2-3
Severity: grave
Tags: security
freeradius seems to be vulnerable to a buffer overflow:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1455
http://www.securityfocus.com/bid/13541
Thanks in advance for checking,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
---------------------------------------
Received: (at 307720-close) by bugs.debian.org; 27 May 2005 01:26:37 +0000
From: Paul Hampson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#307720: fixed in freeradius 1.0.2-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 26 May 2005 21:17:09 -0400
Source: freeradius
Source-Version: 1.0.2-4
We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive:
freeradius-dialupadmin_1.0.2-4_all.deb
to pool/main/f/freeradius/freeradius-dialupadmin_1.0.2-4_all.deb
freeradius-iodbc_1.0.2-4_i386.deb
to pool/main/f/freeradius/freeradius-iodbc_1.0.2-4_i386.deb
freeradius-krb5_1.0.2-4_i386.deb
to pool/main/f/freeradius/freeradius-krb5_1.0.2-4_i386.deb
freeradius-ldap_1.0.2-4_i386.deb
to pool/main/f/freeradius/freeradius-ldap_1.0.2-4_i386.deb
freeradius-mysql_1.0.2-4_i386.deb
to pool/main/f/freeradius/freeradius-mysql_1.0.2-4_i386.deb
freeradius_1.0.2-4.diff.gz
to pool/main/f/freeradius/freeradius_1.0.2-4.diff.gz
freeradius_1.0.2-4.dsc
to pool/main/f/freeradius/freeradius_1.0.2-4.dsc
freeradius_1.0.2-4_i386.deb
to pool/main/f/freeradius/freeradius_1.0.2-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Hampson <[EMAIL PROTECTED]> (supplier of updated freeradius package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Mon, 23 May 2005 18:53:51 +1000
Source: freeradius
Binary: freeradius-mysql freeradius-krb5 freeradius freeradius-iodbc
freeradius-ldap freeradius-dialupadmin
Architecture: source i386 all
Version: 1.0.2-4
Distribution: unstable
Urgency: high
Maintainer: Paul Hampson <[EMAIL PROTECTED]>
Changed-By: Paul Hampson <[EMAIL PROTECTED]>
Description:
freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server
Closes: 307720
Changes:
freeradius (1.0.2-4) unstable; urgency=high
.
* Security fix stolen from CVS release_1_0 branch:
- Always use sql_escape_func when calling radius_xlat
- Add a test in sql_escape_func() to check buffer bound when
input character needs escaping.
- Urgency high as these are (theoretical) security issues.
Closes: #307720 (Thanks to Primoz Bratanic and Nicolas Baradakis)
Files:
c5bbf558bb19a4127273de6b32d0cb9d 885 net optional freeradius_1.0.2-4.dsc
f398e368fa522b55ecd648550eeeca6b 15048 net optional freeradius_1.0.2-4.diff.gz
f4f526580ffcab989e3dcbdb704abdea 2032072 net optional freeradius_1.0.2-4_i386.deb
bc144be31021e77cd92699ca87a246fa 52394 net optional freeradius-krb5_1.0.2-4_i386.deb
183f4bb81d3e041f786bed55bd573cd3 97356 net optional freeradius-ldap_1.0.2-4_i386.deb
48b58846c2ed81a1699c43c704762313 53142 net optional freeradius-mysql_1.0.2-4_i386.deb
fe4cde7cd0941c1ff7d0c62da5227e8d 51294 net optional freeradius-iodbc_1.0.2-4_i386.deb
c7c153d619b6b951524691472fd86c3e 111214 net optional freeradius-dialupadmin_1.0.2-4_all.deb
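The second changelog bullet above describes a bound check added to sql_escape_func() for the case where an input character needs escaping. The bug class behind that fix is an escape routine whose output grows faster than its input: if the bound is checked per input byte, the multi-byte escaped form of the last byte that "fits" runs past the end of the buffer. The C below is an added illustration written for this page, not FreeRADIUS code or a reconstruction of the patch; the escaping policy, the "=XX" hex expansion and every function name are assumptions made for the example. The buggy variant is run against a buffer larger than the size it is told about, so the overrun is measured rather than triggered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical escaping policy for this example only: bytes outside
 * printable ASCII, the quote, the backslash and '=' itself are rewritten
 * as "=XX" (two hex digits). One input byte can thus become three
 * output bytes, which is exactly what a per-byte bound check misses. */
static int needs_escape(unsigned char c)
{
    return c < 0x20 || c > 0x7e || c == '\'' || c == '\\' || c == '=';
}

static void put_hex(char *dst, unsigned char c)
{
    static const char hex[] = "0123456789ABCDEF";
    dst[0] = '=';
    dst[1] = hex[c >> 4];
    dst[2] = hex[c & 0x0f];
}

/* Buggy variant: the bound is checked before it is known how many output
 * bytes the current input byte needs. When the last byte that fits needs
 * escaping, three bytes are written where one was checked for. Returns
 * the number of bytes written, NUL included; a value larger than out_len
 * means the caller's buffer was overrun. */
size_t escape_unchecked(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    const unsigned char *p = (const unsigned char *)in;

    for (; *p; p++) {
        if (o + 1 >= out_len)       /* room for one byte plus NUL? */
            break;
        if (needs_escape(*p)) {
            put_hex(out + o, *p);   /* writes 3 bytes, checked for 1 */
            o += 3;
        } else {
            out[o++] = (char)*p;
        }
    }
    out[o++] = '\0';
    return o;
}

/* Fixed variant: compute the expanded width first, then require that it
 * and the terminating NUL fit. Output is truncated before a whole escape
 * sequence instead of overrunning. Same return convention as above. */
size_t escape_checked(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    const unsigned char *p = (const unsigned char *)in;

    if (out_len == 0)
        return 0;
    for (; *p; p++) {
        size_t need = needs_escape(*p) ? 3 : 1;
        if (o + need >= out_len)    /* need bytes plus NUL must fit */
            break;
        if (need == 3)
            put_hex(out + o, *p);
        else
            out[o] = (char)*p;
        o += need;
    }
    out[o] = '\0';
    return o + 1;
}

/* Runs a variant against a buffer that is really 256 bytes but is declared
 * as `claimed` bytes, so an overrun is measured rather than triggered.
 * Returns how many bytes were written beyond the claimed size. */
size_t overrun_bytes(size_t (*fn)(const char *, char *, size_t),
                     const char *in, size_t claimed)
{
    char real[256];
    size_t wrote;

    memset(real, 0, sizeof real);
    wrote = fn(in, real, claimed);
    return wrote > claimed ? wrote - claimed : 0;
}

int main(void)
{
    /* Constructed input: six plain bytes, then a quote as the 7th byte,
     * so the quote is the last byte a per-byte check admits into 8 bytes. */
    const char *sample = "abcdef'";
    char out[64];

    printf("unchecked: %zu byte(s) past an 8-byte buffer\n",
           overrun_bytes(escape_unchecked, sample, 8));
    printf("checked:   %zu byte(s) past an 8-byte buffer\n",
           overrun_bytes(escape_checked, sample, 8));
    escape_checked("O'Brien", out, sizeof out);
    printf("escaped:   %s\n", out);
    return 0;
}
```

The first changelog bullet ("always use sql_escape_func when calling radius_xlat") is the other half of the same defence: a correct bound check in the escape routine only helps if every attribute expanded into a query actually passes through it.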