Bug 20973 - freeradius new security issue CVE-2017-9148
Summary: freeradius new security issue CVE-2017-9148
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-30 00:46 CEST by David Walser
Modified: 2017-06-07 03:55 CEST (History)
2 users (show)

See Also:
Source RPM: freeradius-2.2.9-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2017-05-30 00:46:52 CEST 
A security issue fixed upstream in freeradius has been announced:
http://openwall.com/lists/oss-security/2017/05/29/1
http://freeradius.org/version3.html

We fixed it today in Cauldron by upgrading to 3.0.14.

Mageia 5 is also affected, though there is no fix for 2.2.x available.
Comment 1 Marja Van Waes 2017-05-30 19:46:28 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Lécureuil 2017-06-02 11:11:28 CEST 
"We remind users that versions 1.0.x, 1.1.x, 2.0.x, 2.1.x, and 2.2.x are old and unsupported. "

maybe we should update in mga5 to radius 3.0.14

CC: (none) => mageia

Comment 3 David Walser 2017-06-07 03:55:13 CEST 
An amended advisory today (June 6) states that 2.2.9 is not vulnerable:
http://openwall.com/lists/oss-security/2017/06/06/5

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Version: 5 => Cauldron
Note You need to log in before you can comment on or make changes to this bug.