Hi,

> This sounds harmless for most people, I guess, or at least for us, as we
> don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
> patch, it seems that this can crash any server just by sending an empty
> attribute. That would mean that every 1.1.7 installation should upgrade
> to 1.1.8 ASAP. Right?

correct - I've advised our UK eduroam contingent (JANET Roaming) who use FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html