Help with this would be appreciated. I’m not sure about the appropriate processes, so if you could clarify that with the security/release team, that’d be helpful.
On Tue, Jul 18, 2017 at 3:51 AM, Karsten Heymann <karsten.heym...@gmail.com> wrote:

> Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
> Package: freeradius
> Version: 2.2.5+dfsg-0.2
> Justification: user security hole
> Severity: grave
> Tags: security upstream
>
> The freeradius team released version 2.2.10 fixing several important security issues found by a fuzzing analysis.
>
> See:
> http://freeradius.org/press/index.html#2.2.10
> http://freeradius.org/security/fuzzer-2017.html
>
> The following issues were found for v2 of freeradius up to 2.2.9:
> - CVE-2017-10978. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10979. Remote code execution is possible. A denial of service is possible.
>
> The following affect only the DHCP part of freeradius, which is seldom used:
> - CVE-2017-10980. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10981. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10982. No remote code execution is possible. A denial of service is possible.
> - CVE-2017-10983. No remote code execution is possible. A denial of service is possible.
>
> I'm not sure what the best way to proceed is. As I assume updating the package in oldstable to 2.2.10 is not a realistic option, my guess would be that at least CVE-2017-10978 and CVE-2017-10979 should be fixed in the code via backporting the relevant fixes. This is even more critical as there is no backport of freeradius 3 in jessie, and it is not possible to create or update backports for oldstable.
>
> -- System Information:
> Debian Release: 8.8
> APT prefers oldstable-updates
> APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> ii adduser 3.113+nmu3
> ii ca-certificates 20141019+deb8u3
> ii freeradius-common 2.2.5+dfsg-0.2
> ii libc6 2.19-18+deb8u10
> ii libfreeradius2 2.2.5+dfsg-0.2
> ii libgdbm3 1.8.3-13.1
> ii libltdl7 2.4.2-1.11+b1
> ii libpam0g 1.1.8-3.1+deb8u2
> ii libperl5.20 5.20.2-3+deb8u7
> ii libpython2.7 2.7.9-2+deb8u1
> ii libssl1.0.0 1.0.1t-1+deb8u6
> ii lsb-base 4.1+Debian13+nmu1
> ii ssl-cert 1.0.35
>
> Versions of packages freeradius recommends:
> ii freeradius-utils 2.2.5+dfsg-0.2
>
> Versions of packages freeradius suggests:
> pn freeradius-krb5 <none>
> ii freeradius-ldap 2.2.5+dfsg-0.2
> ii freeradius-mysql 2.2.5+dfsg-0.2
> pn freeradius-postgresql <none>
>
> -- Configuration Files:
> /etc/freeradius/clients.conf changed [not included]
> /etc/freeradius/eap.conf changed [not included]
> /etc/freeradius/ldap.attrmap changed [not included]
> /etc/freeradius/modules/ldap changed [not included]
> /etc/freeradius/modules/pap changed [not included]
> /etc/freeradius/sites-available/control-socket changed [not included]
> /etc/freeradius/sites-available/default changed [not included]
> /etc/freeradius/sites-available/inner-tunnel changed [not included]
> /etc/freeradius/sql.conf changed [not included]
> /etc/freeradius/users changed [not included]
>
> -- no debconf information
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers

--
Best regards,
Michael