Your message dated Fri, 26 Oct 2018 05:30:00 +0000
with message-id <5d7369ae-eac8-9998-9304-b45cab45c...@thykier.net>
and subject line Re: freeradius: New upstream version 2.2.10 fixing security critical bugs
has caused the Debian Bug report #868761,
regarding freeradius: New upstream version 2.2.10 fixing security critical bugs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868761
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
Package: freeradius
Version: 2.2.5+dfsg-0.2
Justification: user security hole
Severity: grave
Tags: security upstream

The freeradius team released version 2.2.10 fixing several important
security issues found by a fuzzing analysis.

See:
http://freeradius.org/press/index.html#2.2.10
http://freeradius.org/security/fuzzer-2017.html

The following issues were found for v2 of freeradius up to 2.2.9:
- CVE-2017-10978. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10979. Remote code execution is possible. A denial of
service is possible.

The following affect only the DHCP part of freeradius, which is seldom used:
- CVE-2017-10980. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10981. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10982. No remote code execution is possible. A denial of
service is possible.
- CVE-2017-10983. No remote code execution is possible. A denial of
service is possible.

I'm not sure what's the best way to proceed. As I assume updating the
package in oldstable to 2.2.10 is not a realistic option, my guess
would be that at least CVE-2017-10978 and CVE-2017-10979 should be
fixed in the code via backporting the relevant fixes. This is even
more critical as there is no backport of freeradius 3 in jessie, and
it is not possible to create or update backports for oldstable.

-- System Information:
Debian Release: 8.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeradius depends on:
ii  adduser            3.113+nmu3
ii  ca-certificates    20141019+deb8u3
ii  freeradius-common  2.2.5+dfsg-0.2
ii  libc6              2.19-18+deb8u10
ii  libfreeradius2     2.2.5+dfsg-0.2
ii  libgdbm3           1.8.3-13.1
ii  libltdl7           2.4.2-1.11+b1
ii  libpam0g           1.1.8-3.1+deb8u2
ii  libperl5.20        5.20.2-3+deb8u7
ii  libpython2.7       2.7.9-2+deb8u1
ii  libssl1.0.0        1.0.1t-1+deb8u6
ii  lsb-base           4.1+Debian13+nmu1
ii  ssl-cert           1.0.35

Versions of packages freeradius recommends:
ii  freeradius-utils  2.2.5+dfsg-0.2

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        2.2.5+dfsg-0.2
ii  freeradius-mysql       2.2.5+dfsg-0.2
pn  freeradius-postgresql  <none>

-- Configuration Files:
/etc/freeradius/clients.conf changed [not included]
/etc/freeradius/eap.conf changed [not included]
/etc/freeradius/ldap.attrmap changed [not included]
/etc/freeradius/modules/ldap changed [not included]
/etc/freeradius/modules/pap changed [not included]
/etc/freeradius/sites-available/control-socket changed [not included]
/etc/freeradius/sites-available/default changed [not included]
/etc/freeradius/sites-available/inner-tunnel changed [not included]
/etc/freeradius/sql.conf changed [not included]
/etc/freeradius/users changed [not included]

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: freeradius
Source-Version: 3.0.14+dfsg-1

On Tue, 18 Jul 2017 12:51:49 +0200 Karsten Heymann
<karsten.heym...@gmail.com> wrote:
> Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
> Package: freeradius
> Version: 2.2.5+dfsg-0.2
> Justification: user security hole
> Severity: grave
> Tags: security upstream
> 
> The freeradius team released version 2.2.10 fixing several important
> security issues found by a fuzzing analysis.
> 
> See:
> http://freeradius.org/press/index.html#2.2.10
> http://freeradius.org/security/fuzzer-2017.html
> 
> The following issues were found for v2 of freeradius up to 2.2.9:
> - CVE-2017-10978. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10979. Remote code execution is possible. A denial of
> service is possible.
> 
> The following affect only the DHCP part of freeradius, which is seldom used:
> - CVE-2017-10980. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10981. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10982. No remote code execution is possible. A denial of
> service is possible.
> - CVE-2017-10983. No remote code execution is possible. A denial of
> service is possible.
> 
> I'm not sure what's the best way to proceed. As I assume updating the
> package in oldstable to 2.2.10 is not a realistic option, my guess
> would be that at least CVE-2017-10978 and CVE-2017-10979 should be
> fixed in the code via backporting the relevant fixes. This is even
> more critical as there is no backport of freeradius 3 in jessie, and
> it is not possible to create or update backports for oldstable.
> 
> [...]

Closing this bug with a version for unstable and testing (sid + buster).
According to upstream, these bugs were fixed in 3.0.14 (for the v3
series) and stretch has 3.0.12 - in a separate email I will be adding
the stretch tag to match.

Thanks,
~Niels

--- End Message ---