Release of 3.0.12

Matthew Newton mcn4 at leicester.ac.uk
Mon Sep 26 12:51:08 CEST 2016


On Mon, Sep 26, 2016 at 11:07:26AM +0200, Stefan Winter wrote:
> hm, can we still hold the press?
...
> Refusing to start with libssl version OpenSSL 1.0.1k 8 Jan 2015
> 0x100010bf (1.0.1k release) (in range 1.0.1 release - 1.0.1t rele)
> Security advisory CVE-2016-6304 (OCSP status request extension)
> For more information see https://www.openssl.org/news/secadv/20160922.txt
> Once you have verified libssl has been correctly patched, set
> security.allow_vulnerable_openssl = 'CVE-2016-6304'
> radius-int-1:/usr/local/freeradius #

Just to add to the fun...

CVE-2016-6309 and CVE-2016-7052
https://www.openssl.org/news/secadv/20160926.txt

They missed a couple of patches from the releases last week, so
there's more today. These can lead to a segfault or arbitrary code
execution.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Users mailing list