CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2012/09/16 07:47:33
Modified files:
net/freeradius : Tag: OPENBSD_5_2 Makefile
Added files:
net/freeradius/patches: Tag: OPENBSD_5_2
patch-src_modules_rlm_eap_types_rlm_eap_tls_rlm_eap_tls_c
Log message:
backport fix for CVE-2012-3547 in freeradius. ok pea@
From http://freeradius.org/security.html, "All sites using TLS-based
EAP methods and the above versions are vulnerable. The only configuration
change which can avoid the issue is to disable EAP-TLS, EAP-TTLS, and PEAP.
An external attacker can use this vulnerability to over-write the
stack frame of the RADIUS server, and cause it to crash. In addition,
more sophisticated attacks may gain additional privileges on the
system running the RADIUS server.
This attack does not require local network access to the RADIUS
server. It can be done by an attacker through a WiFi Access Point,
so long as the Access Point is configured to use 802.1X authentication
with the RADIUS server."