RedHat Security updates for FR

Alan DeKok aland at ox.org
Tue Apr 4 18:22:42 CEST 2006


Dennis Skinner <dskinner at bluefrog.com> wrote:
> for questions regarding security related bug fixes and FR.  The notice
> from RedHat says that they backported a couple security fixes to the
> 1.0.1 version (although their descriptions of the bugs don't match the
> ones on the FR site as closely as I'd like...)

  Their description is incorrect.  It's not the MS-CHAPv2 protocol,
it's EAP-MS-CHAPv2, which is substantially different.  I also don't
think it's possible to execute arbitrary code, but the CVE listing
they reference says that.

  This highlights the problem with having multiple groups reporting
on the same error.  Few of them talk to the developers, so they end up
playing a game of "telephone" among themselves, and get a lot of
things wrong.

  Alan DeKok.


