Statement on OpenSSL security bug
Alan DeKok
aland at deployingradius.com
Tue Apr 8 22:36:39 CEST 2014
Jouni Malinen wrote:
> Unfortunately, it looks like this is not as clear as this statement
> seems to indicate. It turned out that my initial setup did not show
> the issue (and I still cannot reproduce it on that setup for some
> unknown reason). However, a fresh installation of the exact same
> FreeRADIUS version (and also a couple of other versions I tested) on a
> virtual host with a different OS variant does seem to indicate a
> limited form of this OpenSSL vulnerability being triggerable through
> FreeRADIUS EAP PEAP/TTLS implementation. This does not seem to open as
> large a window for getting useful data as other use cases with
> OpenSSL, but it is unknown whether some critical memory contents could
> be revealed.
I've updated the security notification to reflect this information:
http://freeradius.org/security.html
Alan DeKok.