Subject: freeradius: New upstream version 2.2.10 fixing security critical bugs
Package: freeradius
Version: 2.2.5+dfsg-0.2
Justification: user security hole
Severity: grave
Tags: security upstream
The freeradius team released version 2.2.10 fixing several important security issues found by a fuzzing analysis. See:

  http://freeradius.org/press/index.html#2.2.10
  http://freeradius.org/security/fuzzer-2017.html

The following issues were found for v2 of freeradius up to 2.2.9:

- CVE-2017-10978. No remote code execution is possible. A denial of service is possible.
- CVE-2017-10979. Remote code execution is possible. A denial of service is possible.

The following affect only the DHCP part of freeradius, which is seldom used:

- CVE-2017-10980. No remote code execution is possible. A denial of service is possible.
- CVE-2017-10981. No remote code execution is possible. A denial of service is possible.
- CVE-2017-10982. No remote code execution is possible. A denial of service is possible.
- CVE-2017-10983. No remote code execution is possible. A denial of service is possible.

I'm not sure what the best way to proceed is. As I assume updating the package in oldstable to 2.2.10 is not a realistic option, my guess would be that at least CVE-2017-10978 and CVE-2017-10979 should be fixed in the code by backporting the relevant fixes. This is even more critical as there is no backport of freeradius 3 in jessie, and it is not possible to create or update backports for oldstable.
-- System Information:
Debian Release: 8.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeradius depends on:
ii  adduser            3.113+nmu3
ii  ca-certificates    20141019+deb8u3
ii  freeradius-common  2.2.5+dfsg-0.2
ii  libc6              2.19-18+deb8u10
ii  libfreeradius2     2.2.5+dfsg-0.2
ii  libgdbm3           1.8.3-13.1
ii  libltdl7           2.4.2-1.11+b1
ii  libpam0g           1.1.8-3.1+deb8u2
ii  libperl5.20        5.20.2-3+deb8u7
ii  libpython2.7       2.7.9-2+deb8u1
ii  libssl1.0.0        1.0.1t-1+deb8u6
ii  lsb-base           4.1+Debian13+nmu1
ii  ssl-cert           1.0.35

Versions of packages freeradius recommends:
ii  freeradius-utils  2.2.5+dfsg-0.2

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        2.2.5+dfsg-0.2
ii  freeradius-mysql       2.2.5+dfsg-0.2
pn  freeradius-postgresql  <none>

-- Configuration Files:
/etc/freeradius/clients.conf changed [not included]
/etc/freeradius/eap.conf changed [not included]
/etc/freeradius/ldap.attrmap changed [not included]
/etc/freeradius/modules/ldap changed [not included]
/etc/freeradius/modules/pap changed [not included]
/etc/freeradius/sites-available/control-socket changed [not included]
/etc/freeradius/sites-available/default changed [not included]
/etc/freeradius/sites-available/inner-tunnel changed [not included]
/etc/freeradius/sql.conf changed [not included]
/etc/freeradius/users changed [not included]

-- no debconf information