Bug 201059 - net/freeradius3: [security] FreeRADIUS insufficent CRL application (CVE-2015-4680)
Summary: net/freeradius3: [security] FreeRADIUS insufficent CRL application (CVE-2015-...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Ryan Steinmetz
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-22 22:06 UTC by Jason Unovitch
Modified: 2015-07-13 10:07 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (zi)

Attachments
security/vuxml for freeradius CVE-2015-4680 (2.08 KB, patch)
2015-07-13 02:03 UTC, Jason Unovitch 		junovitch: maintainer-approval? (ports-secteam)
 Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 22:06:07 UTC 
Seen today on oss-security mailing list:
http://www.ocert.org/advisories/ocert-2015-008.html
Comment 1 Ryan Steinmetz freebsd_committer freebsd_triage 2015-06-23 05:56:16 UTC 
I will update the ports once the fixed versions have been released.  As of minutes ago, they are not yet out.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-07-13 02:03:30 UTC 
Created attachment 158676 [details]
security/vuxml for freeradius CVE-2015-4680

Follow up with a VuXML entry.  This covers this PR and bug 201058.  

Ryan it looks like the updated release came out just before the weekend.  See http://freeradius.org/press/index.html#3.0.9


== VUXML VALIDATION == 
% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius3-3.0.8
freeradius3-3.0.8 is vulnerable:
freeradius -- insufficent CRL application vulnerability
CVE: CVE-2015-4680
WWW: https://vuxml.FreeBSD.org/freebsd/379788f3-2900-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius3-3.0.9
0 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius2-2.2.7
freeradius2-2.2.7 is vulnerable:
freeradius -- insufficent CRL application vulnerability
CVE: CVE-2015-4680
WWW: https://vuxml.FreeBSD.org/freebsd/379788f3-2900-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit freeradius2-2.2.8
0 problem(s) in the installed packages found.
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-07-13 04:21:35 UTC 
A commit references this bug:

Author: feld
Date: Mon Jul 13 04:21:16 UTC 2015
New revision: 391877
URL: https://svnweb.freebsd.org/changeset/ports/391877

Log:
  Document freeradius vulnerability

  PR:		201059
  Security:	CVE-2015-4680

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Ryan Steinmetz freebsd_committer freebsd_triage 2015-07-13 05:32:26 UTC 
net/freeradius3 updated to 3.0.9
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-07-13 10:07:28 UTC 
Thanks.  We should just need an MFH to 2015Q3 of the 3.0.8 -> 3.0.9 update then PR is ready for close.