On Fri, Nov 21, 2003, Alan DeKok wrote:
> Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > With that said, 0.9.3 has been released. It's in the normal places:
> >
> > I submitted a security report and a new package ebuild to the gentoo
> > ( http://gentoo.org/ ) community.
>
> Thanks. This just re-iterates my belief that RADIUS servers should be
> on private networks, far away from any possible source of malicious
> packets.

Either that, or packet filters that restrict the hosts that can access
the radius servers.

On a related security note, the src/lib/radius.c program has several
references to msg_auth_vector and calc_auth_vector starting around line
1108 with several memcpy and memcmp operations, some of which use
sizeof(calc_auth_vector) for the length, others AUTH_VECTOR_LEN. Given
that msg_auth_vector is an array of uint8_t of size AUTH_VECTOR_LEN, I
doubt these lengths would be the same.

Bill
--
INTERNET:  [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:      camco!bill          PO Box 820; 6641 E. Mercer Way
FAX:       (206) 232-9186      Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The meek shall inherit the Earth, the rest of us will go to the stars...''
    -Dr. Isaac Asimov

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
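The length-mismatch concern raised above, as an added example that is not code from FreeRADIUS or from anyone in this thread: it assumes AUTH_VECTOR_LEN is 16 octets and the Message-Authenticator attribute type 80 of RFC 2869, and shows the sizeof-on-a-decayed-pointer pitfall next to an extract/compare that always uses the protocol constant for the length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define AUTH_VECTOR_LEN 16         /* RADIUS authenticator is 16 octets (assumed) */
#define RADIUS_HDR_LEN 20          /* code, id, length(2), authenticator(16) */
#define MSG_AUTHENTICATOR_TYPE 80  /* Message-Authenticator, RFC 2869 */
/* Pitfall from the post: once an array argument has decayed to a pointer,
 * sizeof() yields the pointer size (4 or 8), not AUTH_VECTOR_LEN. Passing
 * that to memcpy/memcmp silently copies or checks only part of the vector. */
size_t decayed_sizeof(const uint8_t *calc_auth_vector) {
    return sizeof(calc_auth_vector);
}

/* Copy the Message-Authenticator value out of a RADIUS packet into
 * msg_auth_vector, always using the protocol constant as the length.
 * Returns 1 if found, 0 if absent, -1 if packet/attribute framing is bad. */
int extract_message_authenticator(const uint8_t *pkt, size_t pkt_len,
                                  uint8_t msg_auth_vector[AUTH_VECTOR_LEN]) {
    if (pkt_len < RADIUS_HDR_LEN) return -1;
    size_t off = RADIUS_HDR_LEN;
    while (off < pkt_len) {
        if (pkt_len - off < 2) return -1;              /* truncated TLV header */
        uint8_t type = pkt[off], len = pkt[off + 1];
        if (len < 2 || off + len > pkt_len) return -1; /* length overruns packet */
        if (type == MSG_AUTHENTICATOR_TYPE) {
            if (len != 2 + AUTH_VECTOR_LEN) return -1; /* value must be exactly 16 */
            memcpy(msg_auth_vector, pkt + off + 2, AUTH_VECTOR_LEN);
            return 1;
        }
        off += len;
    }
    return 0;
}

/* Compare received and locally computed authenticators over all
 * AUTH_VECTOR_LEN octets. Returns 1 on match, 0 otherwise. */
int auth_vector_matches(const uint8_t *msg_auth_vector,
                        const uint8_t *calc_auth_vector) {
    return memcmp(msg_auth_vector, calc_auth_vector, AUTH_VECTOR_LEN) == 0;
}
/* Constructed sample: Access-Request header plus one Message-Authenticator
 * attribute whose value is 0x01..0x10 (test data, not a real HMAC-MD5). */
static const uint8_t sample_pkt[] = {
    0x01, 0x2a, 0x00, 0x26,                          /* code, id, length = 38 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                 /* request authenticator */
    MSG_AUTHENTICATOR_TYPE, 18, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
};
size_t sample_pkt_len(void) { return sizeof(sample_pkt); }
const uint8_t *sample_pkt_ptr(void) { return sample_pkt; }
```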
