Version 1.1.8 has been released
John Dennis
jdennis at redhat.com
Mon Sep 21 13:45:02 CEST 2009
On 09/21/2009 06:51 AM, Alan Buxey wrote:
> Hi,
>
>> This sounds harmless for most people, I guess, or at least for us, as we
>> don't use Tunnel-Password. But reading CVE-2009-3111 and looking at the
>> patch, it seems that this can crash any server just by sending an empty
>> attribute. That would mean that every 1.1.7 installation should upgrade
>> to 1.1.8 ASAP. Right?
>
> correct - I've advised our UK eduroam contingent (JANET Roaming) who use
> FreeRADIUS 1.1.3 - 1.1.7 to upgrade ASAP.
FWIW, Red Hat's RHEL Errata for this CVE is already in the security
update channel.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeradius-Users
mailing list