freeradius: CVE-2011-4966

Debian Bug report logs - #694407

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 26 Nov 2012 09:30:01 UTC

Severity: grave

Tags: security

Fixed in version freeradius/2.1.12+dfsg-1.2

Done: Kees Cook <kees@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#694407; Package freeradius. (Mon, 26 Nov 2012 09:30:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Josip Rodin <joy-packages@debian.org>. (Mon, 26 Nov 2012 09:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freeradius: CVE-2011-4966
Date: Mon, 26 Nov 2012 10:24:03 +0100
Package: freeradius
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4966
for details and a link to the upstream fix.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#694407; Package freeradius. (Mon, 26 Nov 2012 14:51:08 GMT)


Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Mon, 26 Nov 2012 14:51:08 GMT)


Message #10 received at 694407@bugs.debian.org:

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Moritz Muehlenhoff <jmm@inutil.org>, 694407@bugs.debian.org
Subject: Re: Bug#694407: freeradius: CVE-2011-4966
Date: Mon, 26 Nov 2012 15:31:47 +0100
On Mon, Nov 26, 2012 at 10:24:03AM +0100, Moritz Muehlenhoff wrote:
> please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4966
> for details and a link to the upstream fix.

AFAICT this is a year old, so apparently it's not really so important? :)
Do you think we should take the opportunity to upload the fix for #689419
to stable?

-- 
     2. That which causes joy or happiness.



Reply sent to Kees Cook <kees@debian.org>:
You have taken responsibility. (Sun, 16 Dec 2012 21:51:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 16 Dec 2012 21:51:06 GMT)


Message #15 received at 694407-close@bugs.debian.org:

From: Kees Cook <kees@debian.org>
To: 694407-close@bugs.debian.org
Subject: Bug#694407: fixed in freeradius 2.1.12+dfsg-1.2
Date: Sun, 16 Dec 2012 21:47:44 +0000
Source: freeradius
Source-Version: 2.1.12+dfsg-1.2

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694407@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kees Cook <kees@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Dec 2012 12:44:35 -0800
Source: freeradius
Binary: freeradius freeradius-common freeradius-utils libfreeradius2 libfreeradius-dev freeradius-krb5 freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-iodbc freeradius-dialupadmin freeradius-dbg
Architecture: source amd64 all
Version: 2.1.12+dfsg-1.2
Distribution: unstable
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Kees Cook <kees@debian.org>
Description: 
 freeradius - high-performance and highly configurable RADIUS server
 freeradius-common - FreeRADIUS common files
 freeradius-dbg - debug symbols for the FreeRADIUS packages
 freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
 freeradius-postgresql - PostgreSQL module for FreeRADIUS server
 freeradius-utils - FreeRADIUS client utilities
 libfreeradius-dev - FreeRADIUS shared library development files
 libfreeradius2 - FreeRADIUS shared library
Closes: 694407
Changes: 
 freeradius (2.1.12+dfsg-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix expired passwords when using the unix module (CVE-2011-4966,
     Closes: #694407).
Checksums-Sha1: 
 4b889f7708699b6d332515d05e2a71e79269f4c9 2753 freeradius_2.1.12+dfsg-1.2.dsc
 c8ccd34d4f69cb1cc5514a9b41275742d6d27147 32431 freeradius_2.1.12+dfsg-1.2.debian.tar.gz
 26f52e1238eae32d23084ff3dfd5185e75d112a2 720186 freeradius_2.1.12+dfsg-1.2_amd64.deb
 50dc6812617ee5f4828ac39918b4c2b0576e2f39 103716 freeradius-utils_2.1.12+dfsg-1.2_amd64.deb
 72f5baf3fadaa4948d04d6c44a848a635992d57f 120460 libfreeradius2_2.1.12+dfsg-1.2_amd64.deb
 065f4ed0ae6faa91cc727d0ce18e9e4213219b95 161422 libfreeradius-dev_2.1.12+dfsg-1.2_amd64.deb
 a07c1b7632f109b856ab9ef1b45f164f5834bfac 39280 freeradius-krb5_2.1.12+dfsg-1.2_amd64.deb
 1e16997ffcf84f78889cab8e803ccf41ecb522fa 58612 freeradius-ldap_2.1.12+dfsg-1.2_amd64.deb
 8c9d21b6ff974a37b630dd661f31d5c0868bd09c 58618 freeradius-postgresql_2.1.12+dfsg-1.2_amd64.deb
 5e1c62bd50d2d5b487820d742ea9a2698ec010e4 47588 freeradius-mysql_2.1.12+dfsg-1.2_amd64.deb
 638cd456a949bcc5b364efdeec7723ec310e32de 38614 freeradius-iodbc_2.1.12+dfsg-1.2_amd64.deb
 7c2df1d833b2fb44d89485c409fdb99c2f93d38e 1725182 freeradius-dbg_2.1.12+dfsg-1.2_amd64.deb
 39bd96a8ad42706e8109f678e95da91369256f5f 273376 freeradius-common_2.1.12+dfsg-1.2_all.deb
 4977b74bc5b9b269cc2fb374e2f0055f6b65330a 138946 freeradius-dialupadmin_2.1.12+dfsg-1.2_all.deb
Checksums-Sha256: 
 edd76a58e14b5e11bf2a4c79906c4a26b52ca6b35f8feb722fd2919d8976950f 2753 freeradius_2.1.12+dfsg-1.2.dsc
 14bf0ba884c85cc71d20eb88f3491212f998c8f9bb2b7db14917a7501f329d87 32431 freeradius_2.1.12+dfsg-1.2.debian.tar.gz
 8cf6f1e98e10d044474214485ad9d610afe55709b7042916bcc07e5706c1a948 720186 freeradius_2.1.12+dfsg-1.2_amd64.deb
 d01bf68e904efdd83621d9b26896355204d109737c48bcd69430cdcbd465f99a 103716 freeradius-utils_2.1.12+dfsg-1.2_amd64.deb
 cd1057e174d4c82031f223e139a9d40592b0f83d3a4c7c03f85071a2051f3aa0 120460 libfreeradius2_2.1.12+dfsg-1.2_amd64.deb
 a1de3213e36af4c049bf7e5c089154f31d2b05e9570cd4226623bbd6b3bbd817 161422 libfreeradius-dev_2.1.12+dfsg-1.2_amd64.deb
 448f76ff7d7ab4d782edb39d2d145c4bc95511db75879c5696ffcce42b46851d 39280 freeradius-krb5_2.1.12+dfsg-1.2_amd64.deb
 a4edeabf61bf872e2b43d99120a413063e09c4f0a17af914a13267400c6b8ccf 58612 freeradius-ldap_2.1.12+dfsg-1.2_amd64.deb
 6912084229b7f0123186ce4a0e68f0a53e5793d64dccbad55f2d02304ef407ae 58618 freeradius-postgresql_2.1.12+dfsg-1.2_amd64.deb
 de6c4f3512b7023ea0825ca99e7acb9b429aa9b61fac2d621545ad47f0d14442 47588 freeradius-mysql_2.1.12+dfsg-1.2_amd64.deb
 f5d7a59452c370d39bca8ab78a5077a2c30bc3214a7adb8c06fa8d8929f46b9b 38614 freeradius-iodbc_2.1.12+dfsg-1.2_amd64.deb
 cb09cec62160d4d1276cc25777d733563e6584dfbcf168085d2eace0c28c5bc5 1725182 freeradius-dbg_2.1.12+dfsg-1.2_amd64.deb
 b8d31bc82861232296792d0976026c7f46df1683c8ff2c14f24904ea0e96b617 273376 freeradius-common_2.1.12+dfsg-1.2_all.deb
 4cacd8e6d3c81380f953c6cd3bc56e570bf58aef1d1a31de1bf77b9f6ff4cac0 138946 freeradius-dialupadmin_2.1.12+dfsg-1.2_all.deb
Files: 
 956430d7333e68cacd7c38c1457236f8 2753 net optional freeradius_2.1.12+dfsg-1.2.dsc
 7bd372402aff1dc9ed8542d9db92e7c5 32431 net optional freeradius_2.1.12+dfsg-1.2.debian.tar.gz
 c8c9c6d0d4b2aaecb772d1f822ea5e3a 720186 net optional freeradius_2.1.12+dfsg-1.2_amd64.deb
 09504c8ed58d8eb7bf3bdcad9f217683 103716 net optional freeradius-utils_2.1.12+dfsg-1.2_amd64.deb
 deaf904633984a84dec3a09ab8942b49 120460 net optional libfreeradius2_2.1.12+dfsg-1.2_amd64.deb
 948f6a6e3320cd1d039f4c091fe080d7 161422 libdevel optional libfreeradius-dev_2.1.12+dfsg-1.2_amd64.deb
 e8732397140edf5892f1669a6f16a701 39280 net optional freeradius-krb5_2.1.12+dfsg-1.2_amd64.deb
 85967c6a9988a4dcf6cef361ae05a40c 58612 net optional freeradius-ldap_2.1.12+dfsg-1.2_amd64.deb
 8ad6f618aff023820721aa5dcedcf08f 58618 net optional freeradius-postgresql_2.1.12+dfsg-1.2_amd64.deb
 e7c36e2669d7d6aa348a719604c1b06b 47588 net optional freeradius-mysql_2.1.12+dfsg-1.2_amd64.deb
 da658f8a1619068e42ddd3787bd075a6 38614 net optional freeradius-iodbc_2.1.12+dfsg-1.2_amd64.deb
 fe801b932b43b6e2e91c82c71497304c 1725182 debug extra freeradius-dbg_2.1.12+dfsg-1.2_amd64.deb
 a2332616cc850bc0a6d102f8fbd5f311 273376 net optional freeradius-common_2.1.12+dfsg-1.2_all.deb
 a4f603d453935ce3fc65b13b9e0adc2d 138946 net optional freeradius-dialupadmin_2.1.12+dfsg-1.2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net>
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Jan 2013 07:25:49 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 14:06:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#694407; Package freeradius. (Fri, 18 Jan 2013 13:06:12 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Fri, 18 Jan 2013 13:06:12 GMT)


Message #24 received at 694407@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 694407@bugs.debian.org
Subject: Re: freeradius: CVE-2011-4966
Date: Fri, 18 Jan 2013 12:15:04 -0000
Package: freeradius

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/694407/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Feb 2013 07:25:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:24:20 2019; Machine Name: beach
