We have released version 1.1.8 to fix an issue with the handling of Tunnel-Password. This is the same issue that was found in version 0.9.2, and which managed to return. Version 2.X is *not* affected by this issue. The difference between 1.1.7 and this release is the patch to fix that bug. The only other changes are that the version number has changed from 1.1.7 to 1.1.8 in a number of files. Alan DeKok.
Hi, Alan DeKok, 2009-09-09 14:54:
We have released version 1.1.8 to fix an issue with the handling of Tunnel-Password. This is the same issue that was found in version
This sounds harmless for most people, I guess, or at least for us, as we don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the patch, it seems that this can crash any server just by sending an empty attribute. That would mean that every 1.1.7 installation should upgrade to 1.1.8 ASAP. Right?
Jakob Hirsch wrote:
This sounds harmless for most people, I guess, or at least for us, as we don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the patch, it seems that this can crash any server just by sending an empty attribute. That would mean that every 1.1.7 installation should upgrade to 1.1.8 ASAP. Right?
Yes. Alan DeKok.
Hi,
This sounds harmless for most people, I guess, or at least for us, as we don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the patch, it seems that this can crash any server just by sending an empty attribute. That would mean that every 1.1.7 installation should upgrade to 1.1.8 ASAP. Right?
correct - I've advised our UK eduroam contingent (JANET Roaming) who use FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP. alan
On 09/21/2009 06:51 AM, Alan Buxey wrote:
Hi,
This sounds harmless for most people, I guess, or at least for us, as we don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the patch, it seems that this can crash any server just by sending an empty attribute. That would mean that every 1.1.7 installation should upgrade to 1.1.8 ASAP. Right?
correct - I've advised our UK eduroam contingent (JANET Roaming) who use FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP.
FWIW, Red Hat's RHEL Errata for this CVE is already in the security update channel. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (4)
-
Alan Buxey -
Alan DeKok -
Jakob Hirsch -
John Dennis