Your message dated Mon, 22 Apr 2019 22:04:40 +0000
with message-id <e1hih3i-0005kp...@fasolo.debian.org>
and subject line Bug#926958: fixed in freeradius 3.0.17+dfsg-1.1
has caused the Debian Bug report #926958,
regarding freeradius: VU#871675: Authentication bypass in EAP-PWD (CVE-2019-11234 CVE-2019-11235)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:freeradius
Severity: important
Tags: security

3.0.19 has been released addressing some issues in EAP-PWD. The VU#
linked in the original advisory is not (yet?) accessible and I haven't
found a CVE for it.

Since FreeRADIUS is orphaned I'll look at doing an NMU when I find some
time, but likely not before early next week.


https://freeradius.org/security/

2019.04.10 Authentication bypass in EAP-PWD

The EAP-PWD module is vulnerable to multiple issues, including
authentication bypass. This module is not enabled in the default
configuration. Administrators must manually enable it for their server
to be vulnerable. Versions 3.0.0 through 3.0.18 are affected.

The EAP-PWD module is vulnerable to side-channel and cache-based
attacks. The issue is discussed in more detail in Hostap 2019-2. The attack
requires the attacker to be able to run a program on the target device.
This is not commonly the case on an authentication server (EAP server),
so the most likely target for this would be a client device using
EAP-PWD. It is not clear at this time if the attack is possible between
multiple virtual machines on the same hardware.

Other issues with EAP-PWD were found earlier, and patched in Hostap. The
FreeRADIUS team was not notified of these attacks until recently. We
have now patched FreeRADIUS to address these issues.

Additional issues were found by Mathy Vanhoef as part of a deep
investigation into EAP-PWD. He also supplied patches to address the
issues. His report is included below. This issue is recorded in
VU#871675

We have released version 3.0.19 to address these issues.

--- End Message ---
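The advisory's exposure condition is that an administrator uncommented the EAP-PWD section of the EAP module configuration. The following is an added example, not FreeRADIUS code, of checking a server's eap module file for that. It assumes the FreeRADIUS 3.0 layout, where EAP-PWD is a `pwd { ... }` subsection of the eap module file (mods-available/eap, linked from mods-enabled/) and the stock file ships that subsection commented out with a leading `#`; the two config excerpts are constructed to mimic that layout, not copied from the package.

```python
"""Does this server's EAP module config enable EAP-PWD?

Added illustration, not FreeRADIUS code.  Assumption: EAP-PWD lives in a
"pwd { ... }" subsection of the eap module file and the default file has
that subsection commented out with a leading '#'.  The two excerpts below
are constructed in that style, not copied from the package.
"""
import re

# A pwd subsection opener at the start of a line, with any indentation,
# with or without a space before the brace.
PWD_OPEN = re.compile(r"^\s*pwd\s*\{")


def strip_comment(line: str) -> str:
    """Drop a '#' comment from a config line; a '#' inside double quotes is kept."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def eap_pwd_enabled(config_text: str) -> bool:
    """True iff an uncommented 'pwd {' block appears anywhere in the text."""
    return any(PWD_OPEN.match(strip_comment(line)) for line in config_text.splitlines())


def check_eap_file(path: str) -> bool:
    """Run the check against a live file, e.g. /etc/freeradius/3.0/mods-enabled/eap
    (assumed Debian path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return eap_pwd_enabled(fh.read())


# Constructed excerpt in the style of the stock file: pwd block commented out.
STOCK_EAP = """\
eap {
    default_eap_type = md5
    #  EAP-PWD -- secure password-based authentication
#   pwd {
#       group = 19
#       server_id = theserver@example.com
#       fragment_size = 1020
#   }
    tls {
        tls = tls-common
    }
}
"""

# Constructed excerpt after an administrator enabled EAP-PWD.
ENABLED_EAP = """\
eap {
    default_eap_type = pwd
    pwd {
        group = 19
        server_id = theserver@example.com
        fragment_size = 1020
    }
    tls {
        tls = tls-common
    }
}
"""

if __name__ == "__main__":
    print("stock config enables EAP-PWD:", eap_pwd_enabled(STOCK_EAP))      # False
    print("edited config enables EAP-PWD:", eap_pwd_enabled(ENABLED_EAP))   # True
```

A server where this returns True needs the fixed package; one where it returns False is, per the advisory, not exposed to these particular issues regardless of version.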
--- Begin Message ---
Source: freeradius
Source-Version: 3.0.17+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Apr 2019 23:23:36 +0200
Source: freeradius
Architecture: source
Version: 3.0.17+dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintain...@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Closes: 926958
Changes:
 freeradius (3.0.17+dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Cherry-Pick upstream commits to fix CVE-2019-11234 / CVE-2019-11235 /
     VU#871675 (Invalid Curve Attack and Reflection Attack on EAP-PWD, leading
     to authentication bypass) (Closes: #926958)
Checksums-Sha1:
 6dc2174ea6db4fadd7fd8bcfce44d2e9e109cf31 3818 freeradius_3.0.17+dfsg-1.1.dsc
 96316f800b19d9fefa163a29bfcf451ae5ceaea5 63832 freeradius_3.0.17+dfsg-1.1.debian.tar.xz
 2b9c90ca043f46c04ae942efd408330676fe5ada 19233 freeradius_3.0.17+dfsg-1.1_amd64.buildinfo
Checksums-Sha256:
 e25c2c7483328e3b2b6bf01188493ac60d6ba1790a7f119a33427876636e0943 3818 freeradius_3.0.17+dfsg-1.1.dsc
 70c32f02cf7878b03b748825eb1c4b625e1935c93fbc9a7ad6550b5bc0d0f273 63832 freeradius_3.0.17+dfsg-1.1.debian.tar.xz
 e287282ba2ab945fdf06c6280549370b733b3c9ff1d64fec6f251e52f6bc80e8 19233 freeradius_3.0.17+dfsg-1.1_amd64.buildinfo
Files:
 d9c1e5636ebbbe0d8612dfc3716a8ad5 3818 net optional freeradius_3.0.17+dfsg-1.1.dsc
 e69edc14d18672215c22fe13408caba2 63832 net optional freeradius_3.0.17+dfsg-1.1.debian.tar.xz
 56ef52b0d1de4d7ab9058efbb8cba26c 19233 net optional freeradius_3.0.17+dfsg-1.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAly+NPsRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJNqJw//dHovzbcYPfGsY3lu7M4/PJVuL9HATPhq
5h4nneqwXrJyai+farBlALuDrEYmKE5VLb/lzn0ozfdqozGD0gJY9WnQ5NV9pTkS
GtTHNIfCLgScsIbohsIgl7cdagsgaK7dG4ALts5glGkNKHeZkfJy2xh8Oz/XTCNO
6uq23TRSH2MFw1X8t5zPd2KyRVANTnIRW3LmZwO13aiw/l7MibMyB3OIjTNkYpfE
mI1l18RUm9N5v2GnougnvpSMOtUgkKLzqGhezeEcqXtAHtu7R+gndtExArT0gOtX
OedYg8dcnLPOIZJDi/fr3/gUBgvVTEX7QJCQFfWQjWCI4xdppo9Ls1drtoxNRFxG
78MIJU9RBG1GMRe8KrGZbnrb9sGE94uzw8UCA8LnYEdp2ig+qVeGIVkHmOwEsKK3
eMSO67LumesMrBh6HwHpHX0pcYaFgljMVYGJCew8G8Z6wc5ZL4wacPWKYfqHTkSP
LKuROl85xVoK3hsHtdzZi0kYMlxlSMow5G7lbUqqUzghYamKHOjkFeA7csk2GP05
8JGhQdF9f5mTtkVJthPODy/ER291jZqAjzhAFhU0Ss6JGTp7LCgytTokELR2PxFi
I3+maCIzrW9ubWHKJDztHOR6w30JMnvvg20p8ffghMGIQGaoBjEvuEKArt8BODhJ
HdhdLVjHB6A=
=kiDm
-----END PGP SIGNATURE-----

--- End Message ---
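The changelog names the two fixed attack classes ("Invalid Curve Attack and Reflection Attack on EAP-PWD") and the advisory above describes their effect as authentication bypass. The following is an added example, not code from FreeRADIUS, hostap or the Debian package, of the server-side checks on a peer's EAP-PWD Commit message that close those two classes: the peer's Element must be a point on the negotiated curve, the peer's Scalar must be in range, and the peer's Commit must not simply echo the server's own Scalar and Element. Assumptions: the group is NIST P-256, the Commit payload is Element (x || y) followed by Scalar as fixed-width big-endian integers, and every sample value (the server's Commit, the peer messages) is constructed here, not captured from a real exchange.

```python
"""Server-side sanity checks on an EAP-PWD Commit message.

Added illustration, not code from FreeRADIUS, hostap or the Debian
package.  Assumptions: NIST P-256 is the negotiated group; the Commit
payload is Element (x || y) then Scalar, fixed-width big-endian; all
sample values below are constructed.
"""
from typing import Tuple

# NIST P-256: y^2 = x^3 + a*x + b over GF(p), prime group order r, cofactor 1.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # bytes per coordinate / scalar for a 256-bit group


def on_curve(x: int, y: int) -> bool:
    """True iff (x, y) is an affine point on P-256.

    The point at infinity has no affine encoding, so it cannot pass here;
    coordinates outside [0, p) are rejected rather than silently reduced.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_double(x: int, y: int) -> Tuple[int, int]:
    """Affine point doubling on P-256; used only to build a second valid sample point."""
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    y3 = (lam * (x - x3) - y) % P
    return x3, y3


def encode_commit(x: int, y: int, scalar: int) -> bytes:
    """Serialise Element (x || y) then Scalar, fixed width big-endian (assumed layout)."""
    return (x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")
            + scalar.to_bytes(COORD_LEN, "big"))


def parse_commit(payload: bytes) -> Tuple[int, int, int]:
    """Inverse of encode_commit; a wrong-length payload is an error, not a best-effort parse."""
    if len(payload) != 3 * COORD_LEN:
        raise ValueError("bad Commit length %d, expected %d" % (len(payload), 3 * COORD_LEN))
    x = int.from_bytes(payload[:COORD_LEN], "big")
    y = int.from_bytes(payload[COORD_LEN:2 * COORD_LEN], "big")
    s = int.from_bytes(payload[2 * COORD_LEN:], "big")
    return x, y, s


def validate_peer_commit(payload: bytes, server_scalar: int,
                         server_element: Tuple[int, int]) -> str:
    """Return "ok" if the peer's Commit may be used, otherwise the reason to abort."""
    try:
        x, y, s = parse_commit(payload)
    except ValueError as exc:
        return str(exc)
    # Scalar must lie in [2, r-1]: 0, 1 and anything >= r give a degenerate
    # contribution to the shared secret.
    if not (1 < s < R):
        return "scalar out of range"
    # Invalid curve attack: an Element off the curve makes the server's scalar
    # multiplication run on a different, attacker-chosen curve.  P-256 has
    # cofactor 1, so on-curve is sufficient; a cofactor>1 group would also
    # need a subgroup-membership check (not shown).
    if not on_curve(x, y):
        return "element not on curve"
    # Reflection attack: a peer that echoes the server's own Commit makes the
    # two Confirm values identical, so it could echo the server's Confirm too.
    if s == server_scalar and (x, y) == server_element:
        return "commit reflects server's own scalar and element"
    return "ok"


if __name__ == "__main__":
    # Constructed server Commit: the generator as Element, a fixed small scalar.
    server_element, server_scalar = (GX, GY), 12345
    x2, y2 = ec_double(GX, GY)
    for label, payload in [
        ("honest peer", encode_commit(x2, y2, 7)),
        ("reflected", encode_commit(GX, GY, 12345)),
        ("invalid curve", encode_commit(GX, GY + 1, 7)),
        ("scalar 1", encode_commit(GX, GY, 1)),
        ("truncated", b"\x00" * 95),
    ]:
        print(label, "->", validate_peer_commit(payload, server_scalar, server_element))
```

The order of checks matters in practice: length and range come first so that the curve arithmetic never runs on out-of-range input, and the reflection comparison is done on the parsed values rather than on raw bytes so that a re-encoded copy of the server's Commit is caught as well.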
