Debian Bug report logs - #600176
freeradius: CVE-2010-3696 CVE-2010-3697


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Thu, 14 Oct 2010 10:27:01 UTC

Severity: grave

Tags: security

Fixed in version freeradius/2.1.10+dfsg-1

Done: Josip Rodin <joy-packages@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#600176; Package freeradius. (Thu, 14 Oct 2010 10:27:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Josip Rodin <joy-packages@debian.org>. (Thu, 14 Oct 2010 10:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freeradius: CVE-2010-3696 CVE-2010-3697
Date: Thu, 14 Oct 2010 12:22:50 +0200
Package: freeradius
Severity: grave
Tags: security
Justification: user security hole

Please see the following links with included references to
patches:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3697

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0.1
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.32-ucs16-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#600176; Package freeradius. (Thu, 14 Oct 2010 19:42:04 GMT)


Acknowledgement sent to Josip Rodin <joy@debbugs.entuzijast.net>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>. (Thu, 14 Oct 2010 19:42:04 GMT)


Message #10 received at 600176@bugs.debian.org:

From: Josip Rodin <joy@debbugs.entuzijast.net>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 600176@bugs.debian.org
Subject: Re: Bug#600176: freeradius: CVE-2010-3696 CVE-2010-3697
Date: Thu, 14 Oct 2010 21:39:44 +0200
On Thu, Oct 14, 2010 at 12:22:50PM +0200, Moritz Muehlenhoff wrote:
> Package: freeradius
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see the following links with included references to
> patches:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3696
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3697

Sigh, if I had a nickel for every time FR froze or crashed on me... :)

I'll upload 2.1.10 that fixes these and other problems.

For example this one, incidentally also the reason why I never moved on to
2.1.9 in lenny-backports:
https://lists.freeradius.org/pipermail/freeradius-users/2010-June/msg00248.html

-- 
     2. That which causes joy or happiness.




Reply sent to Josip Rodin <joy-packages@debian.org>:
You have taken responsibility. (Thu, 14 Oct 2010 23:09:12 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 14 Oct 2010 23:09:12 GMT)


Message #15 received at 600176-close@bugs.debian.org:

From: Josip Rodin <joy-packages@debian.org>
To: 600176-close@bugs.debian.org
Subject: Bug#600176: fixed in freeradius 2.1.10+dfsg-1
Date: Thu, 14 Oct 2010 23:06:43 +0000
Source: freeradius
Source-Version: 2.1.10+dfsg-1

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive:

freeradius-common_2.1.10+dfsg-1_all.deb
  to main/f/freeradius/freeradius-common_2.1.10+dfsg-1_all.deb
freeradius-dbg_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-dbg_2.1.10+dfsg-1_amd64.deb
freeradius-dialupadmin_2.1.10+dfsg-1_all.deb
  to main/f/freeradius/freeradius-dialupadmin_2.1.10+dfsg-1_all.deb
freeradius-iodbc_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-iodbc_2.1.10+dfsg-1_amd64.deb
freeradius-krb5_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-krb5_2.1.10+dfsg-1_amd64.deb
freeradius-ldap_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-ldap_2.1.10+dfsg-1_amd64.deb
freeradius-mysql_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-mysql_2.1.10+dfsg-1_amd64.deb
freeradius-postgresql_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-postgresql_2.1.10+dfsg-1_amd64.deb
freeradius-utils_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius-utils_2.1.10+dfsg-1_amd64.deb
freeradius_2.1.10+dfsg-1.diff.gz
  to main/f/freeradius/freeradius_2.1.10+dfsg-1.diff.gz
freeradius_2.1.10+dfsg-1.dsc
  to main/f/freeradius/freeradius_2.1.10+dfsg-1.dsc
freeradius_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/freeradius_2.1.10+dfsg-1_amd64.deb
freeradius_2.1.10+dfsg.orig.tar.gz
  to main/f/freeradius/freeradius_2.1.10+dfsg.orig.tar.gz
libfreeradius-dev_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/libfreeradius-dev_2.1.10+dfsg-1_amd64.deb
libfreeradius2_2.1.10+dfsg-1_amd64.deb
  to main/f/freeradius/libfreeradius2_2.1.10+dfsg-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 600176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josip Rodin <joy-packages@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 14 Oct 2010 21:51:51 +0200
Source: freeradius
Binary: freeradius freeradius-common freeradius-utils libfreeradius2 libfreeradius-dev freeradius-krb5 freeradius-ldap freeradius-postgresql freeradius-mysql freeradius-iodbc freeradius-dialupadmin freeradius-dbg
Architecture: source amd64 all
Version: 2.1.10+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Josip Rodin <joy-packages@debian.org>
Description: 
 freeradius - a high-performance and highly configurable RADIUS server
 freeradius-common - FreeRADIUS common files
 freeradius-dbg - debug symbols for the FreeRADIUS packages
 freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
 freeradius-postgresql - PostgreSQL module for FreeRADIUS server
 freeradius-utils - FreeRADIUS client utilities
 libfreeradius-dev - FreeRADIUS shared library development files
 libfreeradius2 - FreeRADIUS shared library
Closes: 564716 584151 600176
Changes: 
 freeradius (2.1.10+dfsg-1) unstable; urgency=medium
 .
   * New upstream version, closes a bunch of reproducible SNAFUs,
     including two tagged as security issues, CVE-2010-3696, CVE-2010-3697,
     closes: #600176.
   * Build-depend on newer Libtool because of lt_dladvise_init(), also
     upstream now has a configure check so we no longer need a patch,
     yet we still don't want the old behaviour. Noticed by John Morrissey,
     closes: #584151.
   * Added the /etc/default/freeradius file as suggested by
     Rudy Gevaert and Matthew Newton, closes: #564716.
   * Stop symlinking /dev/urandom into /etc/freeradius/certs/random,
     it breaks grep -r in /etc. Instead, replace it inside eap.conf,
     both in the new shipped conffile and in postinst.
Checksums-Sha1: 
 390b3ca1d05f19d0e09c412e8bb287470ec4f44f 1580 freeradius_2.1.10+dfsg-1.dsc
 0cb6e0627365ba609a9c20a84f203b4379c0607e 3319467 freeradius_2.1.10+dfsg.orig.tar.gz
 5ac059d06382845e882147833126998100c576f9 3386 freeradius_2.1.10+dfsg-1.diff.gz
 bfcedb73d35b235076eab82347d8540fc1635384 648686 freeradius_2.1.10+dfsg-1_amd64.deb
 2c8db7148ea44f1cf70343d2faecbea612a5f543 95884 freeradius-utils_2.1.10+dfsg-1_amd64.deb
 55ed2b0c172cface7402d845559b90b37bebb37d 113406 libfreeradius2_2.1.10+dfsg-1_amd64.deb
 a7a32877ffc4ef85a6ce3ff96d7299457b661ae2 153066 libfreeradius-dev_2.1.10+dfsg-1_amd64.deb
 560f24d13b008c1b236c5aae46af2fe182f5e656 34040 freeradius-krb5_2.1.10+dfsg-1_amd64.deb
 f1dfe2d7462446f6787702d98436b5fc159cd0a6 52312 freeradius-ldap_2.1.10+dfsg-1_amd64.deb
 740d4a1ae7a45100b1d24e422a7014f3f174f0cb 52864 freeradius-postgresql_2.1.10+dfsg-1_amd64.deb
 c4d45fe92cc6a51ad39816677fd4b47c3681d022 41442 freeradius-mysql_2.1.10+dfsg-1_amd64.deb
 c2efb0488e8ea107869fb198aa063e4e33e373d8 33276 freeradius-iodbc_2.1.10+dfsg-1_amd64.deb
 b9e08ec02e2b4fb5588c235e2a7b18db36254fa5 1140838 freeradius-dbg_2.1.10+dfsg-1_amd64.deb
 c42f8ee5b0d2c5341e6f5449649d8a003ccc71c1 236584 freeradius-common_2.1.10+dfsg-1_all.deb
 a57311df716d8b0d0d54f089c2a279fc70a6de38 131910 freeradius-dialupadmin_2.1.10+dfsg-1_all.deb
Checksums-Sha256: 
 b513c1382da3bfc2029df2d4f39d9bf2d8648583baa8d64e645fa4e6fc1e2de5 1580 freeradius_2.1.10+dfsg-1.dsc
 e5ccdab660ed2d5d7c8709363ca288ad2e1229321aa8684539ac45ddae274885 3319467 freeradius_2.1.10+dfsg.orig.tar.gz
 5649188a41ba73a20e5bd07ada52f8a0bca8e29032726c67c64bb52162dec80f 3386 freeradius_2.1.10+dfsg-1.diff.gz
 1cb27b7a8bd5cf6028c3980b829f34f1d784a28cfdde81f9dd62377fa5762e65 648686 freeradius_2.1.10+dfsg-1_amd64.deb
 3a1826eef06dbbf1744e8cc8b1d76def226f7c47145088a491b45ce62ca0c200 95884 freeradius-utils_2.1.10+dfsg-1_amd64.deb
 c476795fca9decba3c3a4659c0c66a415cf5d054d12d3812e6faa22b010d4d01 113406 libfreeradius2_2.1.10+dfsg-1_amd64.deb
 593dc61b573565b3d060f570eaf2d8f92222e7ec88d3c15dbdb24a5834e094ff 153066 libfreeradius-dev_2.1.10+dfsg-1_amd64.deb
 3744516cd5e41c4062fdf2653352137d8b90166c2a51eb470a618629ea4ac931 34040 freeradius-krb5_2.1.10+dfsg-1_amd64.deb
 b21894f7401f2ae805a5a4e95d4c7bb3da8cb8c9e8aaabb669f4f7abaf40ba2b 52312 freeradius-ldap_2.1.10+dfsg-1_amd64.deb
 fc6c23635be2c7b9ce14dc5d86e1b67bf86fe249defe690a538e1050f42679e9 52864 freeradius-postgresql_2.1.10+dfsg-1_amd64.deb
 ca32373fa219bd5eb8712ff3a5e64ec15983a427b9d3a2d53dc65cf5d5a41dbb 41442 freeradius-mysql_2.1.10+dfsg-1_amd64.deb
 87b4ec07b2acdd375f5e9585fd561106cb561e478093795caaef5806789ba018 33276 freeradius-iodbc_2.1.10+dfsg-1_amd64.deb
 767d54b0b0b27cfd703fe116431fe6e6d44a2d7f35ff98d7546fa67e050157a9 1140838 freeradius-dbg_2.1.10+dfsg-1_amd64.deb
 11318c2f0b0289e2260a2e3b273daa29c974992d467b0ce25619ee917fee1502 236584 freeradius-common_2.1.10+dfsg-1_all.deb
 c69e535490aab4ce6e327be4cf21aca79007c0cfad0b47313e8c1ef523fbf8f7 131910 freeradius-dialupadmin_2.1.10+dfsg-1_all.deb
Files: 
 350d35663da3d5158c6dc93e24a7bf8f 1580 net optional freeradius_2.1.10+dfsg-1.dsc
 50baed20b9d603463f8c30915538c6ae 3319467 net optional freeradius_2.1.10+dfsg.orig.tar.gz
 ac3a783261a4bc084880b417604d0267 3386 net optional freeradius_2.1.10+dfsg-1.diff.gz
 bf607a2558d62570ec7bc3f60c3018b0 648686 net optional freeradius_2.1.10+dfsg-1_amd64.deb
 23f5408c1a91b7c129bf6712eef8d4c4 95884 net optional freeradius-utils_2.1.10+dfsg-1_amd64.deb
 a6ac13b3183e5b3396cc27e29784fe4b 113406 net optional libfreeradius2_2.1.10+dfsg-1_amd64.deb
 b9cf541b432171eca99df34cae952bdc 153066 libdevel optional libfreeradius-dev_2.1.10+dfsg-1_amd64.deb
 35008a8f50ced632030844858fcc87c5 34040 net optional freeradius-krb5_2.1.10+dfsg-1_amd64.deb
 5c732e821ae437cd93c869fa8b9e6b5e 52312 net optional freeradius-ldap_2.1.10+dfsg-1_amd64.deb
 d774ae5594fad01ffe6a61e2d5978cb9 52864 net optional freeradius-postgresql_2.1.10+dfsg-1_amd64.deb
 73edee7aefc5b64f95662d7c95c92338 41442 net optional freeradius-mysql_2.1.10+dfsg-1_amd64.deb
 75f07cdf4282af20878373187f3f929c 33276 net optional freeradius-iodbc_2.1.10+dfsg-1_amd64.deb
 f7daac663657cd6e7e33a7354d83bdbc 1140838 debug extra freeradius-dbg_2.1.10+dfsg-1_amd64.deb
 a5253bf1ed0ab1a27bbb6051af67f8fa 236584 net optional freeradius-common_2.1.10+dfsg-1_all.deb
 dc62d6dc0488ad85d7e3b3a21567c98c 131910 net optional freeradius-dialupadmin_2.1.10+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMt20cC1RHoiANFZYRAtH3AJ9lGuj+H0nELelVfyL1DwtW1C6vGACgwNKk
CisQJ6WUcNKgpro7Kg7x0TI=
=360R
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 May 2011 07:38:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:11 2019; Machine Name: buxtehude
