Statement on OpenSSL security bug
Dave Duchscher
daved at tamu.edu
Fri Apr 11 18:45:03 CEST 2014
On Apr 8, 2014, at 3:36 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Jouni Malinen wrote:
>> Unfortunately, it looks like this is not as clear as this statement
>> seems to indicate. It turned out that my initial setup did not show
>> the issue (and I still cannot reproduce it on that setup for some
>> unknown reason). However, a fresh installation of the exact same
>> FreeRADIUS version (and also a couple of other versions I tested) on a
>> virtual host with a different OS variant does seem to indicate a
>> limited form of this OpenSSL vulnerability being triggerable through the
>> FreeRADIUS EAP PEAP/TTLS implementation. This does not seem to open as
>> large a window for getting useful data as other use cases with
>> OpenSSL, but it is unknown whether some critical memory contents could
>> be revealed.
>
> I've updated the security notification to reflect this information:
>
> http://freeradius.org/security.html
>
> Alan DeKok.
Do you know if we will see this message:
Invalid ACK received: 24
with freeradius using openssl 1.0.1g when a heartbleed attack is attempted?
Thanks for your time,
—
DaveD
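For readers unfamiliar with what the thread's "OpenSSL vulnerability" (Heartbleed) actually is, the following is an added illustration of the missing bounds check, written for this page and not taken from FreeRADIUS or OpenSSL; the record layout follows RFC 6520 and the constructed sample input is in the test, not from any real capture.

```c
/* Added example: the length check that Heartbleed-era OpenSSL skipped for
 * TLS heartbeat messages. A heartbeat record body is laid out as:
 *   type(1) | payload_length(2) | payload | padding(>=16)
 * The bug was trusting payload_length and copying that many bytes from
 * process memory into the response, regardless of how many bytes arrived. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 minimum padding */

/* Returns the payload length that may safely be echoed, or -1 if the
 * message must be silently discarded (the rule the OpenSSL fix enforces). */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check that was missing: header + claimed payload + padding
     * must fit inside the bytes actually received. */
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len) return -1;
    return claimed;
}

/* Builds a heartbeat_response that echoes only bytes present in the record.
 * Returns the number of bytes written to out, or -1 if the request is rejected
 * or out is too small. Padding is zeroed here; real TLS uses random padding. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_len)
{
    int plen = heartbeat_payload_len(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = 1 + 2 + (size_t)plen + HB_PADDING;
    if (out_len < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)plen);
    memset(out + 3 + plen, 0, HB_PADDING);
    return (int)need;
}
```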