<div dir="ltr">Thanks for the heads-up. I’ll work on packaging the new upstream release later today.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 18, 2017 at 4:06 AM, Karsten Heymann <span dir="ltr"><<a href="mailto:karsten.heymann@gmail.com" target="_blank">karsten.heymann@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Package: freeradius<br>
Version: 3.0.12+dfsg-5<br>
Severity: grave<br>
Tags: upstream security<br>
Justification: user security hole<br>
<br>
Dear Maintainer,<br>
<br>
The freeradius team released version 3.0.15 fixing several important<br>
security issues found by a fuzzing analysis.<br>
<br>
See:<br>
<a href="http://freeradius.org/press/index.html#3.0.15" rel="noreferrer" target="_blank">http://freeradius.org/press/index.html#3.0.15</a><br>
<a href="http://freeradius.org/security/fuzzer-2017.html" rel="noreferrer" target="_blank">http://freeradius.org/security/fuzzer-2017.html</a><br>
<br>
The following issues were found for v3 of freeradius up to 3.0.14:<br>
- CVE-2017-10978. No remote code execution is possible. A denial of<br>
service is possible.<br>
- CVE-2017-10984. Remote code execution is possible. A denial of<br>
service is possible.<br>
- CVE-2017-10985. No remote code execution is possible. A denial of<br>
service is possible.<br>
<br>
The following affect only the DHCP part of freeradius, which is seldom used:<br>
- CVE-2017-10983. No remote code execution is possible. A denial of<br>
service is possible.<br>
- CVE-2017-10986. No remote code execution is possible. A denial of<br>
service is possible.<br>
- CVE-2017-10987. No remote code execution is possible. A denial of<br>
service is possible.<br>
<br>
Please update the package accordingly.<br>
<br>
-- System Information:<br>
Debian Release: 9.0<br>
  APT prefers stable<br>
  APT policy: (500, 'stable')<br>
Architecture: amd64 (x86_64)<br>
<br>
Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)<br>
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)<br>
Shell: /bin/sh linked to /bin/dash<br>
Init: systemd (via /run/systemd/system)<br>
<br>
Versions of packages freeradius depends on:<br>
ii  freeradius-common  3.0.12+dfsg-5<br>
ii  freeradius-config  3.0.12+dfsg-5<br>
ii  libc6              2.24-11+deb9u1<br>
ii  libcap2            1:2.25-1<br>
ii  libfreeradius3     3.0.12+dfsg-5<br>
ii  libgdbm3           1.8.3-14<br>
ii  libpam0g           1.1.8-3.6<br>
ii  libpcre3           2:8.39-3<br>
ii  libperl5.24        5.24.1-3<br>
ii  libpython2.7       2.7.13-2<br>
ii  libreadline7       7.0-3<br>
ii  libsqlite3-0       3.16.2-5<br>
ii  libssl1.1          1.1.0f-3<br>
ii  libtalloc2         2.1.8-1<br>
ii  libwbclient0       2:4.5.8+dfsg-2+deb9u1+b1<br>
ii  lsb-base           9.20161125<br>
<br>
Versions of packages freeradius recommends:<br>
pn  freeradius-utils  &lt;none&gt;<br>
<br>
Versions of packages freeradius suggests:<br>
pn  freeradius-krb5        &lt;none&gt;<br>
pn  freeradius-ldap        &lt;none&gt;<br>
pn  freeradius-mysql       &lt;none&gt;<br>
pn  freeradius-postgresql  &lt;none&gt;<br>
pn  snmp                   &lt;none&gt;<br>
<br>
-- no debconf information<br>
<br>
_______________________________________________<br>
Pkg-freeradius-maintainers mailing list<br>
<a href="mailto:Pkg-freeradius-maintainers@lists.alioth.debian.org">Pkg-freeradius-maintainers@lists.alioth.debian.org</a><br>
<a href="https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers" rel="noreferrer" target="_blank">https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Best regards,<br>Michael</div>
</div>