Statement on OpenSSL security bug
Jouni Malinen
jkmalinen at gmail.com
Tue Apr 8 22:15:28 CEST 2014
On Tue, Apr 8, 2014 at 9:35 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Thanks to Jouni Malinen for providing test cases and more detailed
> information about the bug.
Unfortunately, it looks like this is not as clear as this statement
seems to indicate. It turned out that my initial setup did not show
the issue (and I still cannot reproduce it on that setup for some
unknown reason). However, a fresh installation of the exact same
FreeRADIUS version (and also a couple of other versions I tested) on a
virtual host with a different OS variant does seem to indicate a
limited form of this OpenSSL vulnerability being triggerable through
the FreeRADIUS EAP PEAP/TTLS implementation. This does not seem to open as
large a window for getting useful data as other use cases with
OpenSSL, but it is unknown whether some critical memory contents could
be revealed.
- Jouni