Message-ID: <3FC39895.7080004@gentoo.org>
Date: Tue, 25 Nov 2003 17:59:49 +0000
From: Tim Yamin <plasmaroo@...too.org>
To: bugtraq@...urityfocus.com, Full-Disclosure@...ts.netsys.com,
gentoo-announce@...too.org
Subject: GLSA 200311-04
-------------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-04
-------------------------------------------------------------------------------
Package : net-dialup/freeradius
Summary : FreeRADIUS heap exploit and NULL pointer dereference exploits
Date : 2003-11-23
Exploit : remote
Versions Affected : <= 0.9.2
Fixed Version : >= 0.9.3
Gentoo Bug ID : #33989
CVE : - None -
Priority : Normal
-------------------------------------------------------------------------------
SUMMARY:
========
FreeRADIUS versions below 0.9.3 are vulnerable to a heap exploit;
however, the attack code must be in the form of a valid RADIUS packet,
which limits the possible exploits.
Also corrected in the 0.9.3 release is another vulnerability which
causes the RADIUS server to de-reference a NULL pointer and crash when
an Access-Request packet with a Tunnel-Password is received.
Please see the announcement at
http://www.securitytracker.com/alerts/2003/Nov/1008263.html
for more details regarding the issue.
SOLUTION:
=========
Users are encouraged to perform an 'emerge --sync' and upgrade the
package to the latest available version. Version 0.9.3 is available in
Portage and is marked as stable.