[EMAIL PROTECTED] wrote on 11/20/2003 02:51:13 PM:
> Bug reports are nice. Lack of notification is stupid.
>
> With that said, 0.9.3 has been released. It's in the normal places:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
>
> With PGP signature at:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
>
> It is just 0.9.2 with a bug fixed, and the version number updated.
>
>
> The original reporter threatened to release an exploit when I told
> him I was unhappy with his lack of notification prior to the public
> release of the vulnerability information. Blackmail is stupid.
>
> As it turns out, however, the problem isn't as bad as it could have
> been. The bug he reported can cause the server to crash, but is
> difficult to exploit. Any attack code MUST be in the form of a valid
> RADIUS packet, which significantly limits the possible exploits.
>
> However, there was another bug which the reporter did NOT discover,
> which causes the server to de-reference a NULL pointer, and thus
> crash, whenever an Access-Request packet containing a Tunnel-Password
> attribute is received.
>
> Both bugs have been fixed in 0.9.3, and in the CVS head.
>
> We recommend that everyone upgrade to 0.9.3 as soon as possible.

Do either of these bugs affect (within the best of your ability to guess,
of course!) versions of FR prior to 0.9? (All other good reasons to
upgrade to 0.9 notwithstanding...)

Just trying to gauge if I should put this on the "do soon" pile, or the
"do right now" pile.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
(312) 942-4242
"When I was four I wanted an Action Man armoured personnel carrier. I
didn't have any genuine Action Men - my parents couldn't afford them;
instead of a professional army I had a ragtag band of Korean and Chinese
irregulars whose political commitment, I hoped, made up for their having
no knee or elbow joints."
-- Mil Millington
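
An added example, not part of the original thread and not FreeRADIUS code: a bounds-checked walk over a RADIUS datagram that flags the packet shape named in the announcement, an Access-Request carrying a Tunnel-Password attribute, as a check a pre-filter or monitoring tool could apply. The packet code (1) and attribute type (69) are taken from RFC 2865 and RFC 2868; `check_radius`, the verdict names and the sample packets are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 20              /* code, id, length(2), authenticator(16) */
#define ACCESS_REQUEST 1        /* RFC 2865 packet code */
#define TUNNEL_PASSWORD 69      /* RFC 2868 attribute type */
#define AUTH16 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

enum { PKT_OK, PKT_MALFORMED, PKT_TUNNEL_PW_IN_REQUEST };

/* Hypothetical helper: validate every attribute length, then classify. */
int check_radius(const uint8_t *p, size_t n)
{
    if (p == NULL || n < HDR_LEN) return PKT_MALFORMED;
    size_t len = ((size_t)p[2] << 8) | p[3];      /* declared packet length */
    if (len < HDR_LEN || len > n) return PKT_MALFORMED;
    int v = PKT_OK;
    for (size_t off = HDR_LEN; off < len; ) {
        if (len - off < 2) return PKT_MALFORMED;  /* no room for type+length */
        uint8_t type = p[off], alen = p[off + 1];
        if (alen < 2 || alen > len - off) return PKT_MALFORMED;
        if (p[0] == ACCESS_REQUEST && type == TUNNEL_PASSWORD)
            v = PKT_TUNNEL_PW_IN_REQUEST;         /* keep walking to check the rest */
        off += alen;
    }
    return v;
}

/* Constructed sample packets (not captured traffic; values are filler). */
static const uint8_t sample_request[] = { 1, 42, 0, 32, AUTH16,
    1, 5, 'b', 'o', 'b',                 /* User-Name */
    69, 7, 0, 0x80, 0x01, 0xaa, 0xbb };  /* Tunnel-Password: tag, salt, data */
static const uint8_t sample_accept[] = { 2, 42, 0, 32, AUTH16,
    1, 5, 'b', 'o', 'b',
    69, 7, 0, 0x80, 0x01, 0xaa, 0xbb };  /* same attribute in an Access-Accept */
static const uint8_t sample_bad_attr[] = { 1, 43, 0, 22, AUTH16,
    1, 0 };                              /* attribute length below minimum of 2 */

int main(void)
{
    printf("request=%d accept=%d bad=%d truncated=%d\n",
           check_radius(sample_request, sizeof sample_request),
           check_radius(sample_accept, sizeof sample_accept),
           check_radius(sample_bad_attr, sizeof sample_bad_attr),
           check_radius(sample_request, sizeof sample_request - 1));
    return 0;
}
```
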