Full Disclosure mailing list archives
GLSA 200311-04
From: Tim Yamin <plasmaroo () gentoo org>
Date: Tue, 25 Nov 2003 17:59:49 +0000
-------------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-04
-------------------------------------------------------------------------------

Package           : net-dialup/freeradius
Summary           : FreeRADIUS heap exploit and NULL pointer dereference exploits
Date              : 2003-11-23
Exploit           : remote
Versions Affected : <= 0.9.2
Fixed Version     : >= 0.9.3
Gentoo Bug ID     : #33989
CVE               : - None -
Priority          : Normal

-------------------------------------------------------------------------------

SUMMARY:
========

FreeRADIUS versions below 0.9.3 are vulnerable to a heap exploit; however, the
attack code must be in the form of a valid RADIUS packet, which limits the
possible exploits.

Also corrected in the 0.9.3 release is another vulnerability which causes the
RADIUS server to de-reference a NULL pointer and crash when an Access-Request
packet with a Tunnel-Password is received.

Please see the announcement at:
http://www.securitytracker.com/alerts/2003/Nov/1008263.html
for more details regarding the issue.

SOLUTION:
=========

Users are encouraged to perform an 'emerge --sync' and upgrade the package to
the latest available version - 0.9.3 is available in portage and is marked as
stable.