Re: Version 1.1.8 has been released
On 09/21/2009 06:51 AM, Alan Buxey wrote:
> Hi,
>
>> This sounds harmless for most people, I guess, or at least for us, as we
>> don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
>> patch, it seems that this can crash any server just by sending an empty
>> attribute. That would mean that every 1.1.7 installation should upgrade
>> to 1.1.8 ASAP. Right?
>
> correct - I've advised our UK eduroam contingent (JANET Roaming) who use
> FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP.

FWIW, Red Hat's RHEL Errata for this CVE is already in the security update channel.

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 1.1.8 has been released
Hi,

> This sounds harmless for most people, I guess, or at least for us, as we
> don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
> patch, it seems that this can crash any server just by sending an empty
> attribute. That would mean that every 1.1.7 installation should upgrade
> to 1.1.8 ASAP. Right?

correct - I've advised our UK eduroam contingent (JANET Roaming) who use
FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP.

alan
Re: Version 1.1.8 has been released
Jakob Hirsch wrote:
> This sounds harmless for most people, I guess, or at least for us, as we
> don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
> patch, it seems that this can crash any server just by sending an empty
> attribute. That would mean that every 1.1.7 installation should upgrade
> to 1.1.8 ASAP. Right?

Yes.

Alan DeKok.
Re: Version 1.1.8 has been released
Hi,

Alan DeKok, 2009-09-09 14:54:
> We have released version 1.1.8 to fix an issue with the handling of
> Tunnel-Password. This is the same issue that was found in version

This sounds harmless for most people, I guess, or at least for us, as we
don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
patch, it seems that this can crash any server just by sending an empty
attribute. That would mean that every 1.1.7 installation should upgrade
to 1.1.8 ASAP. Right?
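The failure mode raised in the message above, a Tunnel-Password attribute that carries no value, is the kind of input a RADIUS attribute parser should reject before any decoding code touches it. What follows is an added illustration written for this page; it is not FreeRADIUS code and not the 1.1.8 patch. It walks the attribute TLVs of a packet, refuses length fields that do not fit the datagram, and refuses a Tunnel-Password whose value is shorter than the Tag and Salt bytes RFC 2868 requires (Length >= 5). The attribute type numbers come from RFC 2865 and RFC 2868; the sample packets are constructed here with a zeroed Authenticator and are not captured traffic.

```python
import struct

# Attribute type numbers from RFC 2865 / RFC 2868
USER_NAME = 1
TUNNEL_PASSWORD = 69
ACCESS_ACCEPT = 2
RADIUS_HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


class MalformedPacket(ValueError):
    """Raised so a bad attribute is dropped by the parser instead of reaching decoding code."""


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute TLVs of a RADIUS packet, validating every length field."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise MalformedPacket("packet shorter than the RADIUS header")
    (declared_len,) = struct.unpack("!H", packet[2:4])
    if declared_len < RADIUS_HEADER_LEN or declared_len > len(packet):
        raise MalformedPacket(f"packet Length field {declared_len} does not fit the datagram")

    attrs = []
    offset = RADIUS_HEADER_LEN
    while offset < declared_len:
        if declared_len - offset < 2:
            raise MalformedPacket("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        # The attribute Length counts Type and Length themselves, so 2 means an empty value.
        if alen < 2 or offset + alen > declared_len:
            raise MalformedPacket(f"attribute {atype} has invalid Length {alen}")
        value = packet[offset + 2:offset + alen]
        if atype == TUNNEL_PASSWORD and len(value) < 3:
            # RFC 2868 requires Length >= 5: Tag(1) and Salt(2) precede the ciphertext.
            # An empty Tunnel-Password is exactly the input the thread is about; reject it here.
            raise MalformedPacket(f"Tunnel-Password value of {len(value)} bytes is too short")
        attrs.append((atype, value))
        offset += alen
    return attrs


def classify(packet: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' for a received packet."""
    try:
        parse_attributes(packet)
    except MalformedPacket as exc:
        return f"rejected: {exc}"
    return "ok"


def build_packet(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed test helper: assemble a packet with a zero Authenticator (not a real one)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, 1, RADIUS_HEADER_LEN + len(body)) + bytes(16)
    return header + body


# Constructed sample packets (not captured traffic).
GOOD_PACKET = build_packet(ACCESS_ACCEPT, [
    (USER_NAME, b"alice"),
    (TUNNEL_PASSWORD, b"\x01" + b"\x80\x01" + bytes(16)),  # Tag, Salt, one 16-byte ciphertext block
])
EMPTY_TUNNEL_PASSWORD_PACKET = build_packet(ACCESS_ACCEPT, [
    (USER_NAME, b"alice"),
    (TUNNEL_PASSWORD, b""),  # attribute Length field = 2: the empty attribute discussed above
])

if __name__ == "__main__":
    print(classify(GOOD_PACKET))                    # ok
    print(classify(EMPTY_TUNNEL_PASSWORD_PACKET))   # rejected: Tunnel-Password value of 0 bytes is too short
```

The point of the structure is that length validation happens once, at the TLV walk, so every later consumer of an attribute value can assume the minimum size its format needs. A server that decrypts Tunnel-Password without that guarantee has to recheck the length itself or trust the sender, and the thread shows what happens when it does neither.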
Version 1.1.8 has been released
We have released version 1.1.8 to fix an issue with the handling of
Tunnel-Password. This is the same issue that was found in version
0.9.2, and which managed to return.

Version 2.X is *not* affected by this issue.

The difference between 1.1.7 and this release is the patch to fix that
bug. The only other changes are that the version number has changed
from 1.1.7 to 1.1.8 in a number of files.

Alan DeKok.