CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2017/05/30 07:12:30
Modified files:
net/freeradius3: Makefile distinfo
net/freeradius3/patches: patch-src_main_detail_c
patch-src_main_tls_c
net/freeradius3/pkg: PLIST-main PLIST-mysql PLIST-pgsql
Log message:
update to freeradius 3.0.14.
Security update for configurations with TLS; FreeRADIUS intentionally
skips inner authentication for TLS resumption, however it allows a
session to be resumed before the initial connection has authenticated,
allowing access without auth to a malicious supplicant. CVE-2017-9148,
See http://seclists.org/oss-sec/2017/q2/342
Workaround: set "enabled = no" in the cache section of raddb/mods-enabled/eap.
