Release of 3.0.12

Matthew Newton mcn4 at
Mon Sep 26 12:51:08 CEST 2016

On Mon, Sep 26, 2016 at 11:07:26AM +0200, Stefan Winter wrote:
> hm, can we still hold the press?
> Refusing to start with libssl version OpenSSL 1.0.1k 8 Jan 2015
> 0x100010bf (1.0.1k release) (in range 1.0.1 release - 1.0.1t rele)
> Security advisory CVE-2016-6304 (OCSP status request extension)
> For more information see
> Once you have verified libssl has been correctly patched, set
> security.allow_vulnerable_openssl = 'CVE-2016-6304'
> radius-int-1:/usr/local/freeradius #

Just to add to the fun...

CVE-2016-6309 and CVE-2016-7052

They missed a couple of patches from the releases last week, so
there's more today. These can lead to a segfault or arbitrary code


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list