Bug 20973

Summary: freeradius new security issue CVE-2017-9148
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: freeradius-2.2.9-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-05-30 00:46:52 CEST
A security issue fixed upstream in freeradius has been announced:
http://openwall.com/lists/oss-security/2017/05/29/1
http://freeradius.org/version3.html

We fixed it today in Cauldron by upgrading to 3.0.14.

Mageia 5 is also affected, though there is no fix for 2.2.x available.
Comment 1 Marja Van Waes 2017-05-30 19:46:28 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Lécureuil 2017-06-02 11:11:28 CEST
"We remind users that versions 1.0.x, 1.1.x, 2.0.x, 2.1.x, and 2.2.x are old and unsupported."

Maybe we should update in mga5 to radius 3.0.14.

CC: (none) => mageia

Comment 3 David Walser 2017-06-07 03:55:13 CEST
An amended advisory today (June 6) states that 2.2.9 is not vulnerable:
http://openwall.com/lists/oss-security/2017/06/06/5

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Version: 5 => Cauldron