Bug 219662 - net/freeradius{2,3}: Update to 3.0.14 (CVE-2017-9148 FreeRADIUS TLS resumption authentication bypass)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Ryan Steinmetz
URL: http://seclists.org/oss-sec/2017/q2/342
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2017-05-30 17:54 UTC by O. Hartmann
Modified: 2017-06-01 14:04 UTC

See Also:
koobs: maintainer-feedback? (zi)
koobs: merge-quarterly?

Description O. Hartmann 2017-05-30 17:54:07 UTC
FreeRadius < 3.0.14 suffers from a bug in the caching mechanism, as reported in
"CVE-2017-9148 FreeRADIUS TLS resumption authentication bypass", as you can read here:

http://seclists.org/oss-sec/2017/q2/342

There is a version 3.0.14 out, which fixes the bug.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-05-31 06:00:51 UTC
net/freeradius has been deleted, assuming this is for net/freeradius3. Assign to maintainer accordingly.

It appears net/freeradius2 (EoL) is also affected, the port for which has not been deprecated/deleted. It does not appear a patch for 2.2.9 has been created (I could not identify one on initial view).

Both ports have the same maintainer.
Comment 2 O. Hartmann 2017-05-31 06:50:44 UTC
Of course, I meant net/freeradius3.
Comment 3 Ryan Steinmetz freebsd_committer freebsd_triage 2017-06-01 14:02:29 UTC
Update to 3.0.14 committed.
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-06-01 14:03:24 UTC
A commit references this bug:

Author: zi
Date: Thu Jun  1 14:02:31 UTC 2017
New revision: 442287
URL: https://svnweb.freebsd.org/changeset/ports/442287

Log:
  - Update to 3.0.14

  PR:		219662
  Requested by:	ohartmann@walstatt.org
  Security:	673dce46-46d0-11e7-a539-0050569f7e80

Changes:
  head/net/freeradius3/Makefile
  head/net/freeradius3/distinfo
  head/net/freeradius3/pkg-plist
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-06-01 14:04:27 UTC
A commit references this bug:

Author: zi
Date: Thu Jun  1 14:03:40 UTC 2017
New revision: 442288
URL: https://svnweb.freebsd.org/changeset/ports/442288

Log:
  MFH: r442287

  - Update to 3.0.14

  PR:		219662
  Requested by:	ohartmann@walstatt.org
  Security:	673dce46-46d0-11e7-a539-0050569f7e80

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q2/
  branches/2017Q2/net/freeradius3/Makefile
  branches/2017Q2/net/freeradius3/distinfo
  branches/2017Q2/net/freeradius3/pkg-plist