Your message dated Fri, 11 Aug 2017 21:04:18 +0000
with message-id <e1dgh6q-0002fm...@fasolo.debian.org>
and subject line Bug#868765: fixed in freeradius 2.2.5+dfsg-0.2+deb8u1
has caused the Debian Bug report #868765,
regarding freeradius: New upstream version 3.0.15 fixing security critical bugs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: freeradius
Version: 3.0.12+dfsg-5
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

the freeradius team released version 3.0.15 fixing several important
security issues found by a fuzzing analysis.

See:
http://freeradius.org/press/index.html#3.0.15
http://freeradius.org/security/fuzzer-2017.html

The following issues were found for v3 of freeradius up to 3.0.14:
- CVE-2017-10978. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10984. Remote code execution is possible. A denial of 
service is possible.
- CVE-2017-10985. No remote code execution is possible. A denial of
service is possible.

The following affect only the DHCP part of freeradius, which is seldom used:
- CVE-2017-10983. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10986. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10987. No remote code execution is possible. A denial of
service is possible.

Please update the package accordingly.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeradius depends on:
ii  freeradius-common  3.0.12+dfsg-5
ii  freeradius-config  3.0.12+dfsg-5
ii  libc6              2.24-11+deb9u1
ii  libcap2            1:2.25-1
ii  libfreeradius3     3.0.12+dfsg-5
ii  libgdbm3           1.8.3-14
ii  libpam0g           1.1.8-3.6
ii  libpcre3           2:8.39-3
ii  libperl5.24        5.24.1-3
ii  libpython2.7       2.7.13-2
ii  libreadline7       7.0-3
ii  libsqlite3-0       3.16.2-5
ii  libssl1.1          1.1.0f-3
ii  libtalloc2         2.1.8-1
ii  libwbclient0       2:4.5.8+dfsg-2+deb9u1+b1
ii  lsb-base           9.20161125

Versions of packages freeradius recommends:
pn  freeradius-utils  <none>

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
pn  freeradius-ldap        <none>
pn  freeradius-mysql       <none>
pn  freeradius-postgresql  <none>
pn  snmp                   <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: freeradius
Source-Version: 2.2.5+dfsg-0.2+deb8u1

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Stapelberg <stapelb...@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Aug 2017 09:23:22 +0200
Source: freeradius
Binary: freeradius freeradius-common freeradius-utils libfreeradius2 libfreeradius-dev freeradius-krb5 freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-iodbc freeradius-dbg
Architecture: source amd64 all
Version: 2.2.5+dfsg-0.2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Josip Rodin <joy-packa...@debian.org>
Changed-By: Michael Stapelberg <stapelb...@debian.org>
Description:
 freeradius - high-performance and highly configurable RADIUS server
 freeradius-common - FreeRADIUS common files
 freeradius-dbg - debug symbols for the FreeRADIUS packages
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
 freeradius-postgresql - PostgreSQL module for FreeRADIUS server
 freeradius-utils - FreeRADIUS client utilities
 libfreeradius-dev - FreeRADIUS shared library development files
 libfreeradius2 - FreeRADIUS shared library
Closes: 868765
Changes:
 freeradius (2.2.5+dfsg-0.2+deb8u1) jessie-security; urgency=high
 .
   * Apply upstream patches:
     fr-ad-001.patch
     fr-gv-201.patch (CVE-2017-10978)
     fr-gv-202.patch (CVE-2017-10979)
     fr-gv-203.patch (CVE-2017-10980)
     fr-gv-204.patch (CVE-2017-10981)
     fr-gv-205.patch (CVE-2017-10982)
     fr-gv-206.patch (CVE-2017-10983)
     fr-gv-207.patch
     (Closes: #868765)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
