Hi Berni,

On Wed, Apr 24, 2019 at 05:42:31PM +0200, Bernhard Schmidt wrote:
> Hi,
>
> I've gained access to the FreeRADIUS salsa repo and have pushed a new
> debian/stretch branch containing last year's security upload and the
> cherry-picked fixes for #926958
>
> It applies and builds cleanly, I'm currently waiting for a colleague who
> runs our Radius proxies to test it.

Looking closer now again at the issue, if I understand correctly, the module would not be enabled by default and to exploit the issue one would actually as well need to have access to the authentication server.

Unless I miss something in the picture, I would say this could be fixed via the next point release for stretch, and does not warrant a DSA on its own. Do I miss something?

Regards,
Salvatore

