Upstream confirmed that my patch fixes the issue, so I uploaded it to unstable.
See also https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563

security-team, can you take care of applying the patch to stable and oldstable please? Thank you.

On Tue, May 30, 2017 at 8:29 AM, Michael Stapelberg <stapelb...@debian.org> wrote:
> control: owner -1 !
>
> I prepared a patch for this issue and emailed the FreeRADIUS security team
> asking for review. I'll upload the patch once they confirm its
> effectiveness.
>
> On Mon, May 29, 2017 at 11:16 PM, Guido Günther <a...@sigxcpu.org> wrote:
>
>> Package: freeradius
>> Version: 3.0.12+dfsg-4
>> severity: grave
>>
>> Hi,
>>
>> the following vulnerability was published for freeradius.
>>
>> CVE-2017-9148[0]: FreeRADIUS TLS resumption authentication bypass
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-9148
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9148
>>
>> Please adjust the affected versions in the BTS as needed.
>> Cheers,
>> -- Guido
>>
>> _______________________________________________
>> Pkg-freeradius-maintainers mailing list
>> pkg-freeradius-maintain...@lists.alioth.debian.org
>> https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers
>>
>
> --
> Best regards,
> Michael

--
Best regards,
Michael