As was reported on IRC by oden, the version in Cauldron is not affected.
CC: (none) => nanardon
Assignee: bugsquad => nanardon
Upstream advisory: http://freeradius.org/security.html
URL: http://freeradius.org/security.html => http://lwn.net/Vulnerabilities/515819/
Debian has issued an advisory for this on September 11: http://www.debian.org/security/2012/dsa-2546
Mandriva has issued an advisory for this today (October 3): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159
CC: (none) => oe
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated freeradius packages fix security vulnerability:

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long not after timestamp in a client certificate (CVE-2012-3547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://freeradius.org/security.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159
========================

Updated packages in core/updates_testing:
========================
freeradius-2.1.12-8.1.mga2
freeradius-krb5-2.1.12-8.1.mga2
freeradius-ldap-2.1.12-8.1.mga2
freeradius-postgresql-2.1.12-8.1.mga2
freeradius-mysql-2.1.12-8.1.mga2
freeradius-unixODBC-2.1.12-8.1.mga2
freeradius-sqlite-2.1.12-8.1.mga2
libfreeradius1-2.1.12-8.1.mga2
libfreeradius-devel-2.1.12-8.1.mga2
freeradius-web-2.1.12-8.1.mga2

from freeradius-2.1.12-8.1.mga2.src.rpm
Assignee: nanardon => qa-bugs
Severity: normal => major
Some simple tests here in 'Initial Tests' http://freeradius.org/doc/
No PoCs.
Hi all, with freeradius-2.1.12-8.1.mga2, I am getting:

root@lap:/etc/raddb$ radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-mageia-linux-gnu, built on Oct 9 2012 at 21:46:09
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
WARNING: No such configuration item certdir
/etc/raddb/eap.conf[284]: Reference "${certdir}/bootstrap" not found
Errors reading /etc/raddb/radiusd.conf
root@lap:/etc/raddb$ rpm -q freeradius
freeradius-2.1.12-8.1.mga2

Something seems wrong and I don't know how to fix it. Mageia 2, x86-64.
CC: (none) => shlomif
OK, it also happens with freeradius-2.1.12-8.mga2 (the one not in updates_testing).
To Olivier Thauvin: is what Shlomi Fish reports normal, or is there a problem in the package? And if there's a problem, do you want to fix it in this update, or shall we try to push the security fix first? (With testing steps to pass the above issue please, since we don't know this package well.)
Whiteboard: (none) => feedback
Please update the security fix first, I am very busy and don't know when I'll look at this.
Whiteboard: feedback => (none)
In order to get the server to start, comment out line 284 in /etc/raddb/eap.conf.

In /lib/systemd/system/radiusd.service, change the chown command to have radius:radius instead of radiusd.radiusd.

After the above changes, the service starts ok. Still looking into how to test it.
CC: (none) => davidwhodgins
http://en.wikipedia.org/wiki/RADIUS has a description of what a radius server is. http://freeradius.org/doc/ seems to have some basic tests, that should be enough for testing this update.
[dave@i2v ~]$ radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 194 to 127.0.0.1 port 1812
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20

The server is responding. I think that's about all we should test for this update.

Testing complete on Mageia 2 i586.

I think /lib/systemd/system/radiusd.service will get overwritten by the update, so the advisory should also state that it may need to be fixed.
Whiteboard: (none) => MGA2-32-OK
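The two workarounds from comment 11 and the radtest probe from comment 12, as an added example (this is not code from the Mageia bug or from the FreeRADIUS project). It applies the edits to copies of the files rather than blindly to line 284, and classifies radtest's output so the "server is responding" check can be scripted. Assumptions, which the bug does not state: the offending eap.conf line contains the text `${certdir}/bootstrap` (the bug only quotes the error), and the unit file's misspelled owner is literally `radiusd.radiusd`. The sample eap.conf and radiusd.service written by `make_demo_files` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the Mageia bug or FreeRADIUS. Applies the workarounds
# from the bug to copies of eap.conf and radiusd.service, and classifies radtest
# output. Assumed: the bad eap.conf line contains "${certdir}/bootstrap" and the
# unit file contains the text "radiusd.radiusd".

# Comment out every active eap.conf line that references ${certdir}/bootstrap.
# Matching the text is safer than editing line 284, which shifts between builds.
fix_eap_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed 's|^\([[:space:]]*[^#[:space:]].*\${certdir}/bootstrap\)|#\1|' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    # Succeed only when no uncommented reference remains.
    ! grep -v '^[[:space:]]*#' "$conf" | grep -q '\${certdir}/bootstrap'
}

# chown takes user:group; the bug says the unit must use radius:radius.
fix_unit_file() {
    unit="$1"
    cp "$unit" "$unit.bak"
    sed 's/radiusd\.radiusd/radius:radius/g' "$unit" > "$unit.tmp" && mv "$unit.tmp" "$unit"
    grep -q 'chown.*radius:radius' "$unit"
}

# Classify radtest output: prints accept, reject or noanswer. Any Access-* reply
# proves the daemon is up, which is all the testers in this bug checked (no PoC).
radtest_verdict() {
    case "$1" in
        *"rad_recv: Access-Accept"*) echo accept ;;
        *"rad_recv: Access-Reject"*) echo reject ;;
        *) echo noanswer ;;
    esac
}

# Same probe as comment 12 against a live server (needs radtest installed).
probe_server() {
    host="${1:-127.0.0.1}"; secret="${2:-testing123}"
    radtest_verdict "$(radtest testing password "$host" 0 "$secret" 2>&1)"
}

# Write constructed copies of both files into DIR so the fixes can be tried safely.
make_demo_files() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/eap.conf" <<'EOF'
eap {
    tls {
        # certdir is not defined in this build, so the next line breaks startup:
        make_cert_command = "${certdir}/bootstrap"
    }
}
EOF
    cat > "$dir/radiusd.service" <<'EOF'
[Service]
ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStart=/usr/sbin/radiusd -f
EOF
    echo "$dir"
}

# Usage: sh fix-radiusd.sh demo   (runs the fixes on the constructed files)
if [ "${1:-}" = demo ]; then
    d=$(make_demo_files "${TMPDIR:-/tmp}/radiusd-workaround.$$")
    fix_eap_conf "$d/eap.conf" && echo "eap.conf: bootstrap reference commented out"
    fix_unit_file "$d/radiusd.service" && echo "radiusd.service: chown owner fixed"
    radtest_verdict "rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20"
    rm -rf "$d"
fi
```

Because the update overwrites /lib/systemd/system/radiusd.service, `fix_unit_file` has to be re-run after installing the package; `fix_eap_conf` only needs to run once because the `.bak` copy keeps the original line for the later bugfix update.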
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm freeradius-2.1.12-8.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated freeradius packages fix security vulnerability:

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long not after timestamp in a client certificate (CVE-2012-3547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://freeradius.org/security.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159

Note that there are known errors included in this update, that will be fixed in a later, bugfix update. For details, see https://bugs.mageia.org/show_bug.cgi?id=7447#c11
Keywords: (none) => Security, validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-32-OK => MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0304
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Depends on: (none) => 8912