<div dir="ltr">Upstream confirmed that my patch fixes the issue, so I uploaded it to unstable.<div><br></div><div>See also <a href="https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563">https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563</a></div><div><br></div><div>security-team, can you take care of applying the patch to stable and oldstable please? Thank you.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 30, 2017 at 8:29 AM, Michael Stapelberg <span dir="ltr"><<a href="mailto:stapelberg@debian.org" target="_blank">stapelberg@debian.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">control: owner -1 !<div><br></div><div>I prepared a patch for this issue and emailed the FreeRADIUS security team asking for review. I’ll upload the patch once they confirm its effectiveness.</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Mon, May 29, 2017 at 11:16 PM, Guido Günther <span dir="ltr"><<a href="mailto:agx@sigxcpu.org" target="_blank">agx@sigxcpu.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Package: freeradius<br>
Version: 3.0.12+dfsg-4<br>
severity: grave<br>
<br>
Hi,<br>
<br>
the following vulnerability was published for freeradius.<br>
<br>
CVE-2017-9148[0]: FreeRADIUS TLS resumption authentication bypass<br>
<br>
If you fix the vulnerability please also make sure to include the<br>
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.<br>
<br>
For further information see:<br>
<br>
[0] <a href="https://security-tracker.debian.org/tracker/CVE-2017-9148" rel="noreferrer" target="_blank">https://security-tracker.debian.org/tracker/CVE-2017-9148</a><br>
    <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148" rel="noreferrer" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148</a><br>
<br>
Please adjust the affected versions in the BTS as needed.<br>
Cheers,<br>
 -- Guido<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div class="m_6518090564796545805gmail_signature" data-smartmail="gmail_signature">Best regards,<br>Michael</div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Best regards,<br>Michael</div>
</div>