Your message dated Sun, 02 Jul 2006 04:47:04 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#359042: fixed in freeradius 1.1.2-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: freeradius
Severity: grave
Tags: security
A new security issue has been discovered in freeradius:
2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the
EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module
first appeared) to 1.1.0. Insufficient input validation was being
done in the EAP-MSCHAPv2 state machine. A malicious attacker could
manipulate their EAP-MSCHAPv2 client state machine to potentially
convince the server to bypass authentication checks. This bypassing
could also result in the server crashing. We recommend that
administrators upgrade immediately.
--- End Message ---
--- Begin Message ---
Source: freeradius
Source-Version: 1.1.2-2
We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive:
freeradius-dialupadmin_1.1.2-2_all.deb
to pool/main/f/freeradius/freeradius-dialupadmin_1.1.2-2_all.deb
freeradius-iodbc_1.1.2-2_i386.deb
to pool/main/f/freeradius/freeradius-iodbc_1.1.2-2_i386.deb
freeradius-krb5_1.1.2-2_i386.deb
to pool/main/f/freeradius/freeradius-krb5_1.1.2-2_i386.deb
freeradius-ldap_1.1.2-2_i386.deb
to pool/main/f/freeradius/freeradius-ldap_1.1.2-2_i386.deb
freeradius-mysql_1.1.2-2_i386.deb
to pool/main/f/freeradius/freeradius-mysql_1.1.2-2_i386.deb
freeradius_1.1.2-2.diff.gz
to pool/main/f/freeradius/freeradius_1.1.2-2.diff.gz
freeradius_1.1.2-2.dsc
to pool/main/f/freeradius/freeradius_1.1.2-2.dsc
freeradius_1.1.2-2_i386.deb
to pool/main/f/freeradius/freeradius_1.1.2-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stephen Gran <[EMAIL PROTECTED]> (supplier of updated freeradius package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Sun, 25 Jun 2006 23:06:16 +0100
Source: freeradius
Binary: freeradius-mysql freeradius-krb5 freeradius freeradius-iodbc freeradius-ldap freeradius-dialupadmin
Architecture: source i386 all
Version: 1.1.2-2
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <[EMAIL PROTECTED]>
Changed-By: Stephen Gran <[EMAIL PROTECTED]>
Description:
freeradius - a high-performance and highly configurable RADIUS server
freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
freeradius-iodbc - iODBC module for FreeRADIUS server
freeradius-krb5 - kerberos module for FreeRADIUS server
freeradius-ldap - LDAP module for FreeRADIUS server
freeradius-mysql - MySQL module for FreeRADIUS server
Closes: 334299 351732 351735 359042 374670
Changes:
freeradius (1.1.2-2) unstable; urgency=low
.
[ Stephen Gran ]
* Acknowledge my previous NMUs (closes: #351732, #359042)
* Init scripts overhaul:
- now use reload on upgrade of modules
- replace sleep statements with --retry, as time based tests are
fragile
- no longer exit with an error if stop fails because the
daemon isn't running (closes: #374670, #351735)
- stop using command -v in /bin/sh scripts
* General maintainer script overhaul:
- Don't rm -rf something in /etc (ouch)
- Use chown -R instead of 'find .. -exec'
- should not need to manually remove the init script on purge (it's a dpkg
managed conffile)
- Only do user management stuff if user is missing. No point rerunning it
every upgrade.
- Install /etc/freeradius/dictionary with relaxed permissions, but never
touch it again (closes: #334299)
- switch to debhelper files where possible. I like an easy to read
Makefile.
* Arg. Move README.rfc to the freeradius package where it belongs.
.
[ Mark Hymers ]
* Document building SSL/PostgreSQL modules in debian/rules, add
control.postgresql to make it more convenient. Tested on AMD64 using
system libtool.
Files:
--- End Message ---