Package: release.debian.org
Severity: normal

Hi,

Please unblock radsecproxy 1.6.2-1. It's a security upload, complementing 1.4-1+squeeze1 and fixing two CVEs. Security team is aware and has reviewed the upstream fixes for those -- in fact, the second vulnerability was found by Raphael during the review.

radsecproxy (1.6.2-1) unstable; urgency=high

  * Urgency set to high for a security release.
  * New upstream release, fixing two security issues:
    - When verifying clients, don't consider config blocks with CA settings
      ('tls') which differ from the one used for verifying the certificate
      chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath.
    - Fix the issue with verification of clients when using multiple 'tls'
      config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566). Reported by
      Raphael Geissert.
  * Drop most of debian/patches/fix_manpages, merged upstream.

Here's the annotated diffstat between 1.6-1 and 1.6.2-1, excluding configure.ac, config.{guess,sub} and (already-applied, source/format 3.0) debian/patches:

  diff --exclude=.pc --exclude='patches' --exclude='config*' -Nurp \
      radsecproxy-1.6/ radsecproxy-1.6.2/ | diffstat

 debian/changelog       | 14 ++++++++++++++
 AUTHORS                |  1 +
 ChangeLog              | 19 ++++++++++++++++++-
 README                 |  2 +-
 radsecproxy.conf.5.xml | 19 +++++++++++++++----

Version updates & documentation. Note that the manpage change is needed as it explains some of the circumstances around the security fix.

 aclocal.m4             |  4 ++--

AC_AUTOCONF_VERSION 2.65 -> 2.68. I realize that this, along with the configure.ac update, may be unfortunate during the freeze, but it was the only one that stood out and seems safe enough, so I opted against a 1.6-2 with everything else but this.

 tls.c                  | 28 +++++++++++++++-------------

Fix for CVE-2012-4523.

 dtls.c                 |  4 +++-

Fix for CVE-2012-4566.

 tools/naptr-eduroam.sh |  4 ++--

Two minor one-liners; that script is only shipped in doc/examples/ anyway.

 9 files changed, 71 insertions(+), 24 deletions(-)

Thanks,
Faidon
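The changelog entry above describes the fix only in one sentence; the following is an added example (not radsecproxy's own code, and not part of the original mail) that models the client-matching mistake and its correction side by side. The data layout, the CN-based match and all names are constructed assumptions; only the shape of the fix ("skip client blocks whose 'tls' block differs from the one that verified the chain") follows the changelog.

```python
# Added example, not radsecproxy's own code: a simplified model of the
# client-verification bug fixed in 1.6.2 (CVE-2012-4523 for TLS, CVE-2012-4566
# for DTLS). Names, the CN-based match and the data layout are constructed
# assumptions; only the shape of the fix follows the changelog entry.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ClientBlock:
    name: str       # name of the 'client' config block
    tls: str        # which 'tls' block (i.e. which CA) verifies this client
    cn_match: str   # CN the client's certificate must carry

def find_client_vulnerable(cert_cn: str, verified_with: str,
                           clients: List[ClientBlock]) -> Optional[ClientBlock]:
    """Pre-1.6.2 behaviour (modelled): every client block is a candidate, so a
    CN match wins even when that block trusts a different CA than the 'tls'
    block that actually verified the certificate chain."""
    for c in clients:
        if c.cn_match == cert_cn:
            return c
    return None

def find_client_fixed(cert_cn: str, verified_with: str,
                      clients: List[ClientBlock]) -> Optional[ClientBlock]:
    """1.6.2 behaviour (modelled): client blocks bound to a different 'tls'
    block than the one used for chain verification are not considered."""
    for c in clients:
        if c.tls != verified_with:
            continue
        if c.cn_match == cert_cn:
            return c
    return None

# Constructed scenario: an internal client verified by the 'default' tls block
# and a partner client verified by a second 'partner' tls block (other CA).
CLIENTS = [ClientBlock("internal", "default", "radius.example.org"),
           ClientBlock("partner", "partner", "radius.partner.example")]

def demo():
    """A cert that chain-verified under the 'partner' block's CA but carries
    the CN the 'internal' block expects: matched before the fix, rejected after."""
    weak = find_client_vulnerable("radius.example.org", "partner", CLIENTS)
    fixed = find_client_fixed("radius.example.org", "partner", CLIENTS)
    return (weak.name if weak else None, fixed.name if fixed else None)
```

Running `demo()` returns `("internal", None)`: the pre-fix matcher accepts the cross-CA certificate as the internal client, the fixed one finds no client block for it.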