On 09/21/2009 06:51 AM, Alan Buxey wrote:
Hi,

This sounds harmless for most people, I guess, or at least for us, as we
don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
patch, it seems that this can crash any server just by sending an empty
attribute. That would mean that every 1.1.7 installation should upgrade
to 1.1.8 ASAP. Right?

correct - I've advised our UK eduroam contingent (JANET Roaming) who use
FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP.

FWIW, Red Hat's RHEL Errata for this CVE is already in the security update channel.

--
John Dennis <jden...@redhat.com>
