Alan,

Thanks for your hard work... we all appreciate it.

Alan DeKok wrote:
Bug reports are nice. Lack of notification is stupid.

With that said, 0.9.3 has been released. It's in the normal places:

ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz

With PGP signature at:

ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig

It is just 0.9.2 with a bug fixed, and the version number updated.


The original reporter threatened to release an exploit when I told him I was unhappy with his lack of notification prior to the public release of the vulnerability information. Blackmail is stupid.

As it turns out, however, the problem isn't as bad as it could have been. The bug he reported can cause the server to crash, but is difficult to exploit. Any attack code MUST be in the form of a valid RADIUS packet, which significantly limits the possible exploits.

However, there was another bug which the reporter did NOT discover, which causes the server to de-reference a NULL pointer, and thus crash, whenever an Access-Request packet containing a Tunnel-Password attribute is received.

Both bugs have been fixed in 0.9.3, and in the CVS head.

We recommend that everyone upgrade to 0.9.3 as soon as possible.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
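A defender-side check for the condition Alan describes (an Access-Request carrying a Tunnel-Password attribute), as an added example that is not part of this thread or of the FreeRADIUS code: it parses the RADIUS header and attribute list with explicit length validation, rejects malformed packets, and flags such requests so they can be logged or dropped in front of an unpatched server. The attribute number 69 for Tunnel-Password is the RFC 2868 value; the sample packets and the zeroed authenticator are constructed for the demo.

```python
import struct

ACCESS_REQUEST = 1   # RADIUS code for Access-Request (RFC 2865)
TUNNEL_PASSWORD = 69  # RADIUS attribute type for Tunnel-Password (RFC 2868)


def parse_radius(pkt: bytes):
    """Return (code, identifier, [(type, value), ...]) for a RADIUS packet.

    Every length field is checked against the real buffer before it is used,
    so a crafted packet raises ValueError instead of being trusted."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(pkt)))
    attrs = []
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def is_well_formed(pkt: bytes) -> bool:
    """True if the packet parses cleanly, False on any length violation."""
    try:
        parse_radius(pkt)
        return True
    except ValueError:
        return False


def tunnel_password_in_request(pkt: bytes) -> bool:
    """Flag the crash condition from the announcement: Access-Request + Tunnel-Password.
    RFC 2868 only defines Tunnel-Password for Access-Accept, so this is never legitimate."""
    code, _, attrs = parse_radius(pkt)
    return code == ACCESS_REQUEST and any(t == TUNNEL_PASSWORD for t, _ in attrs)


def make_sample_packet(code: int, ident: int, attrs) -> bytes:
    """Constructed test input: a RADIUS packet with a zeroed (not real) authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body
```

Running tunnel_password_in_request over captured UDP/1812 payloads (after is_well_formed) gives a simple rule for alerting on this specific trigger while the upgrade to 0.9.3 is rolled out.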