oss-sec mailing list archives

Re: CVE request: vulnerability in FreeRADIUS (OCSP)


From: Solar Designer <solar () openwall com>
Date: Tue, 19 Jul 2011 02:37:46 +0400

Hi,

We have almost 800 subscribers on oss-security, but DFN-CERT doesn't
appear to be subscribed - so I've re-added the CC on this reply, and
I'll over-quote a little.

dfncert () dfn-cert de wrote:
> We would be willing to provide the patch to all Linux distributors
> but we do not want to release the patch publicly and wait for the
> official patch by the packet maintainer of FreeRADIUS.

On Tue, Jul 19, 2011 at 12:06:15AM +0200, Stefan Behte wrote:
> Then posting it to the new vendor-sec (linux-distros () vs openwall org)
> sounds like the right thing to do.

This is not exactly the new vendor-sec.  As the name suggests, it is a
Linux distros only list.  Also, please note that the maximum acceptable
embargo period on this list is 14 days.  We need to communicate this
detail to whoever we're asking to disclose anything to the list, before
they disclose.  When posting to the list, you may encrypt messages to
the attached key.

For FreeRADIUS specifically, it sounds like non-Linux vendors could be
interested as well.  DFN-CERT did mention Linux distros specifically in
the quote above, so the suggestion to use the list was appropriate, but
perhaps requests from other distros shipping FreeRADIUS should be
accommodated as well.  If something like this arrived at the Linux
distros list without prior discussion on oss-security, I would bring
this up and suggest that we contact *BSD's at least.  Since this is
already on oss-security, I assume that interested *BSD's and others may
ask DFN-CERT themselves. ;-)

> Gentoo complies with your requirements
> and would like to get the patch directly, if you do not plan to send it
> there.

Alexander

Attachment: linux-distros.asc