Thanks for the heads-up. I’ll work on packaging the new upstream release later today.
On Tue, Jul 18, 2017 at 4:06 AM, Karsten Heymann <[email protected]> wrote:
> Package: freeradius
> Version: 3.0.12+dfsg-5
> Severity: grave
> Tags: upstream security
> Justification: user security hole
>
> Dear Maintainer,
>
> the freeradius team released version 3.0.15 fixing several important
> security issues found by a fuzzing analysis.
>
> See:
> http://freeradius.org/press/index.html#3.0.15
> http://freeradius.org/security/fuzzer-2017.html
>
> The following issues were found for v3 of freeradius up to 3.0.14:
> - CVE-2017-10978. No remote code execution is possible. A denial of
>   service is possible.
> - CVE-2017-10984. Remote code execution is possible. A denial of
>   service is possible.
> - CVE-2017-10985. No remote code execution is possible. A denial of
>   service is possible.
>
> The following affect only the DHCP part of freeradius, which is seldom
> used:
> - CVE-2017-10983. No remote code execution is possible. A denial of
>   service is possible.
> - CVE-2017-10986. No remote code execution is possible. A denial of
>   service is possible.
> - CVE-2017-10987. No remote code execution is possible. A denial of
>   service is possible.
>
> Please update the package accordingly.
>
> -- System Information:
> Debian Release: 9.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> ii  freeradius-common  3.0.12+dfsg-5
> ii  freeradius-config  3.0.12+dfsg-5
> ii  libc6              2.24-11+deb9u1
> ii  libcap2            1:2.25-1
> ii  libfreeradius3     3.0.12+dfsg-5
> ii  libgdbm3           1.8.3-14
> ii  libpam0g           1.1.8-3.6
> ii  libpcre3           2:8.39-3
> ii  libperl5.24        5.24.1-3
> ii  libpython2.7       2.7.13-2
> ii  libreadline7       7.0-3
> ii  libsqlite3-0       3.16.2-5
> ii  libssl1.1          1.1.0f-3
> ii  libtalloc2         2.1.8-1
> ii  libwbclient0       2:4.5.8+dfsg-2+deb9u1+b1
> ii  lsb-base           9.20161125
>
> Versions of packages freeradius recommends:
> pn  freeradius-utils   <none>
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> pn  freeradius-ldap        <none>
> pn  freeradius-mysql       <none>
> pn  freeradius-postgresql  <none>
> pn  snmp                   <none>
>
> -- no debconf information
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> [email protected]
> https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers

--
Best regards,
Michael
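As an added example (not part of the bug report, the Debian package or the FreeRADIUS project), the following POSIX shell script gives an administrator a first-pass check of whether an installed freeradius package still carries an upstream version older than 3.0.15, the release the report names as fixing the listed CVEs. It strips the Debian epoch, the "+dfsg" suffix and the Debian revision from a version string such as "3.0.12+dfsg-5" and compares the remaining dotted version numerically. The fixed-version constant and the sample version are taken from the report; everything else is the example's own assumption. The important caveat is that Debian stable normally backports security fixes without bumping the upstream version, so a "below 3.0.15" result means "check the package changelog and the Debian security tracker", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example: first-pass version check for the freeradius package against
# the upstream release named in the bug report (3.0.15). Not project code.

FIXED_UPSTREAM="3.0.15"   # from the bug report

# Reduce a Debian package version to its upstream part:
#   "1:3.0.12+dfsg-5" -> "3.0.12"
# (drops the epoch "1:", the "+dfsg" suffix and the Debian revision "-5").
upstream_version() {
    v="${1#*:}"
    v="${v%%+*}"
    v="${v%%-*}"
    printf '%s\n' "$v"
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b; missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the package version's upstream part is older than
# FIXED_UPSTREAM. This does NOT account for Debian backported fixes.
upstream_is_vulnerable() {
    [ "$(vercmp "$(upstream_version "$1")" "$FIXED_UPSTREAM")" = "-1" ]
}

# Print a human-readable verdict for a version string. With no argument,
# read the installed version via dpkg-query (Debian systems only).
report() {
    ver="${1:-$(dpkg-query -W -f='${Version}' freeradius 2>/dev/null)}"
    if [ -z "$ver" ]; then
        echo "freeradius: not installed or dpkg-query unavailable"
        return 0
    fi
    if upstream_is_vulnerable "$ver"; then
        echo "freeradius $ver: upstream older than $FIXED_UPSTREAM;" \
             "verify backported fixes in the package changelog / security tracker"
    else
        echo "freeradius $ver: upstream at or above $FIXED_UPSTREAM"
    fi
}

# Demonstration on the version from the bug report (constructed input).
# Run with "installed" as the first argument to query the local dpkg database,
# or pass any version string to check it.
case "${1:-}" in
    "")        report "3.0.12+dfsg-5" ;;
    installed) report ;;
    *)         report "$1" ;;
esac
```

Use `upstream_is_vulnerable` directly from other scripts when you want an exit status rather than text; the `report` function always exits 0 so that it can be called from a larger inventory loop without aborting it.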

