-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0864
                         freeradius security update
                              12 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           freeradius
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3547

Original Bulletin:
   http://www.debian.org/security/2012/dsa-2546

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running freeradius check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2546-1                   security@debian.org
http://www.debian.org/security/                                Nico Golde
September 11, 2012                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : freeradius
Vulnerability  : stack-based buffer overflows
Problem type   : remote
Debian-specific: no
Debian bug     : 687175
CVE ID         : CVE-2012-3547

Timo Warns discovered that the EAP-TLS handling of freeradius, a
high-performance and highly configurable RADIUS server, is not properly
performing length checks on user-supplied input before copying to a local
stack buffer. As a result, an unauthenticated attacker can exploit this
flaw to crash the daemon or execute arbitrary code via crafted
certificates.

For the stable distribution (squeeze), this problem has been fixed in
version 2.1.10+dfsg-2+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.12+dfsg-1.1.

We recommend that you upgrade your freeradius packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBPhSMACgkQHYflSXNkfP+jkgCguBRC59t3IWGZxUDZaQczo1xs
MHgAoKPB8SwG7vTXcoIAV/fbrfHxLJx5
=Ie9A
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUE/8le4yVqjM2NGpAQLJMQ/8CDX21z4+6Y8PqNZ/k/nrCuaOI29L9Xlm
4i7UYqYH71y/aO0q4tJrEbv12R6bE1+WWXLmnIAlXRl22+RCVm+/NIearsdlFYb6
mFce+V3VIHv/DKKcdVNdNPoUVVd/3ee770Hhq21eu4EZMNcrbJlKxokokED9hI2P
9Au4HXNQvuugGjxKDoR7tV96reVxBE50hszi7hDglsXJWkHd78kh2tMgIq8gQWdI
GZh5tLQtmRv6ogWrVk2MvdRla8LLPrMY6jxZW8p3ZL/T5glyYvxei8s5oWvK8eJE
bBhDY56YOQxE6Hef3lZvjXiuJgjtizs83p65ZvcjwU+U0ayHjDV1//Q+88CZ0x2t
sggFiEBvOnptaNKxhu/KLbWfWLbB+PikzgVXgC8oiVa8Etqg1EE4vceChp6koFXk
hAFIyYQs/bGwGuoTRW9VxvssOSFmZhrd4WYtoFhRc/CjYF0hJI76mcxLH2PAPs4m
SNmorHJ/zqaVVqcQ1zrGXJYX75PnpLwYqHjetn111fnnuLGWgniVCw1aCM5hJrN9
Ic6iltB0MzhLbyYs+Lm4rN1r5KWuJirAukagsowUWsvK8tb5d9N05sZYp1LOG22x
V4Q324SS1e4JiTaOpk0E0zxQ/CW/EYFkxGzoR4oDr1v8KqKhcCdtuw7WKDqbeYSK
OAq3GS+nZT0=
=9vUy
-----END PGP SIGNATURE-----
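The defect class the Debian advisory above describes is a copy of peer-supplied data into a fixed-size local stack buffer without first checking its length. The C below is an added illustration of the check that is missing in that class of bug; it is not freeradius code and does not reproduce the EAP-TLS or X.509 encoding. The one-byte length-prefixed field layout, the FIELD_MAX capacity, and the function names are assumptions constructed for the example. It shows the two bounds a parser must enforce before the memcpy (declared length against the bytes actually received, and declared length against the destination capacity) and rejects both an oversized and a truncated field instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the local stack buffer the field is copied into (constructed value). */
#define FIELD_MAX 64

enum copy_status {
    COPY_OK = 0,          /* field copied and NUL-terminated */
    COPY_TRUNCATED = 1,   /* declared length exceeds the bytes actually received */
    COPY_TOO_LONG = 2     /* declared length does not fit the destination buffer */
};

/*
 * Parse one hypothetical length-prefixed field: [len: 1 byte][len bytes of data].
 * This layout is an illustration only, not the EAP-TLS or certificate encoding.
 * Both checks must pass before memcpy touches the stack buffer:
 *   1. the declared length cannot exceed what the peer actually sent, and
 *   2. the declared length plus a terminating NUL must fit in out_cap.
 * Omitting check 2 is the class of defect the advisory describes.
 */
enum copy_status copy_field_checked(const uint8_t *in, size_t in_len,
                                    char *out, size_t out_cap)
{
    if (in == NULL || out == NULL || out_cap == 0 || in_len < 1)
        return COPY_TRUNCATED;

    size_t declared = in[0];
    if (declared > in_len - 1)        /* check 1: would over-read the input */
        return COPY_TRUNCATED;
    if (declared >= out_cap)          /* check 2: would overflow the stack buffer */
        return COPY_TOO_LONG;

    memcpy(out, in + 1, declared);
    out[declared] = '\0';
    return COPY_OK;
}

/* Constructed input: a field declaring 200 bytes, far more than FIELD_MAX holds. */
enum copy_status demo_oversize(void)
{
    uint8_t msg[1 + 200];
    char buf[FIELD_MAX];
    msg[0] = 200;
    memset(msg + 1, 'A', 200);
    return copy_field_checked(msg, sizeof msg, buf, sizeof buf);
}

/* Constructed input: declares 10 bytes but only 3 follow. */
enum copy_status demo_truncated(void)
{
    const uint8_t msg[] = { 10, 'a', 'b', 'c' };
    char buf[FIELD_MAX];
    return copy_field_checked(msg, sizeof msg, buf, sizeof buf);
}

/* Constructed input: a well-formed 4-byte field; copies "host" into out. */
enum copy_status demo_ok(char *out, size_t out_cap)
{
    const uint8_t msg[] = { 4, 'h', 'o', 's', 't' };
    return copy_field_checked(msg, sizeof msg, out, out_cap);
}

int main(void)
{
    char buf[FIELD_MAX];
    printf("oversize  -> %d (expect %d)\n", demo_oversize(), COPY_TOO_LONG);
    printf("truncated -> %d (expect %d)\n", demo_truncated(), COPY_TRUNCATED);
    enum copy_status st = demo_ok(buf, sizeof buf);
    printf("ok        -> %d, buf=\"%s\"\n", st, buf);
    return 0;
}
```

The order of the two checks matters: the input-length check comes first so that a lying length byte can never cause a read past the received data, and the capacity check is against `out_cap` rather than a hard-coded constant so the function stays correct if the caller's buffer size changes.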