RedHat Security updates for FR
RedHat Enterprise (and CentOS) has finally released security updates for their FreeRADIUS rpms: https://rhn.redhat.com/errata/RHSA-2006-0271.html Incase anyone is interested.... -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Do you know bugs that this update fixes applies to any installs o n redhat or only to RPMs? -----Original Message----- From: freeradius-users-bounces+radiussupport=lrcommunications.net@lists.freeradius .org [mailto:freeradius-users-bounces+radiussupport=lrcommunications.net@lists.fr eeradius.org] On Behalf Of Dennis Skinner Sent: Tuesday, April 04, 2006 9:13 AM To: FreeRadius users mailing list Subject: RedHat Security updates for FR RedHat Enterprise (and CentOS) has finally released security updates for their FreeRADIUS rpms: https://rhn.redhat.com/errata/RHSA-2006-0271.html Incase anyone is interested.... -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alex M wrote:
Do you know bugs that this update fixes applies to any installs o n redhat or only to RPMs?
Not sure what you mean. If you installed FR via RPM, this would update it. If you installed it from source (not the source rpm), then you will most likely screw up your FR install by overlaying the rpm version. Pick one method and stick with it or completely remove one before trying the other... See: http://www.freeradius.org/security.html for questions regarding security related bug fixes and FR. The notice from RedHat says that they backported a couple security fixes to the 1.0.1 version (although their descriptions of the bugs don't match the ones on the FR site as closely as I'd like...) -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Dennis Skinner <dskinner@bluefrog.com> wrote:
for questions regarding security related bug fixes and FR. The notice from RedHat says that they backported a couple security fixes to the 1.0.1 version (although their descriptions of the bugs don't match the ones on the FR site as closely as I'd like...)
Their description is incorrect. It's not the MS-CHAPv2 protool, it's EAP-MS-CHAPv2, which is substantially different. I also don't think it's pissible to execute arbitrary code, but the CVE listing they reference says that. This highlights the problem with having multiple grouips reporting on the same error. Few of them talk to the developers, so they end up playing a game of "telephone" among themselves, and get a lot of things wrong. Alan DeKok.
participants (3)
-
Alan DeKok -
Alex M -
Dennis Skinner