SecurityTracker Alert ID 1017463
Alan DeKok
aland at freeradius.org
Mon Jan 29 12:56:43 CET 2007
SecurityTracker Alert ID 1017463 was recently brought to our
attention. Our official statement about this issue is:

-- Official Vendor Statement from the FreeRADIUS Server project

This issue is not a security vulnerability. The exploit is available
only to local administrators who have write access to the server
configuration files. As such, this issue has no security impact on any
system running FreeRADIUS.

-- Official Vendor Statement from the FreeRADIUS Server project

Please update the title and impact fields to indicate that the issue
is NOT remotely exploitable.

The "solution" is simple: ensure that only authorized users have write
access to the server configuration files.

We are curious as to why the issue is labelled "remote execution of
code". The original notification did not claim that the issue was
vulnerable to remote exploit. If you have any additional data that
causes you to believe it is remotely exploitable, that information
should be supplied to us so we can fix the problem.

Barring additional data, we believe that the issue is non-existent,
and has no security impact on any system running FreeRADIUS.

Alan DeKok
Project Leader
The FreeRADIUS Server Project