Public bug reported:

Binary package hint: freeradius

A validation issue exists with the EAP-MSCHAPv2 module in all versions
from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient
input validation was being done in the EAP-MSCHAPv2 state machine. A
malicious attacker could manipulate their EAP-MSCHAPv2 client state
machine to potentially convince the server to bypass authentication
checks. This bypassing could also result in the server crashing. We
recommend that administrators upgrade immediately.

Only Dapper is unfixed, and I'll roll this in with the fix for bug
#106006.

** Affects: freeradius (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: freeradius (Ubuntu Dapper)
Importance: Undecided
Assignee: William Grant (fujitsu)
Status: Triaged
** Affects: freeradius (Debian)
Importance: Unknown
Status: Unknown
** Affects: freeradius (Fedora)
Importance: Unknown
Status: Unknown
** Visibility changed to: Public
** Changed in: freeradius (Ubuntu)
Status: New => Fix Released
** Changed in: freeradius (Ubuntu Dapper)
Assignee: (unassigned) => William Grant (fujitsu)
Status: New => Triaged
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1354
** Bug watch added: Debian Bug tracker #359042
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359042
** Also affects: freeradius (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359042
Importance: Unknown
Status: Unknown
** Bug watch added: Red Hat Bugzilla #186083
https://bugzilla.redhat.com/show_bug.cgi?id=186083
** Also affects: freeradius (Fedora) via
https://bugzilla.redhat.com/show_bug.cgi?id=186083
Importance: Unknown
Status: Unknown
--
CVE-2006-1354: EAP-MSCHAPv2 vulnerability
https://bugs.launchpad.net/bugs/164000
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs