Date:      Wed, 9 Dec 2009 13:38:15 GMT
From:      "Danilo G. Baio" <dbaio@bs2.com.br>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/141318: FreeRadius < 1.1.8 Remote Packet of Death Exploit (CVE-2009-3111)
Message-ID:  <200912091338.nB9DcFmn089176@www.freebsd.org>
Resent-Message-ID: <200912091340.nB9De0TF012452@freefall.freebsd.org>


>Number:         141318
>Category:       ports
>Synopsis:       FreeRadius < 1.1.8 Remote Packet of Death Exploit (CVE-2009-3111)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 09 13:40:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Danilo G. Baio
>Release:        7.2-8.0
>Organization:
BS2 Internet
>Environment:
>Description:
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="1b3f854b-e4bd-11de-b276-000d8787e1be">
    <topic> freeradius -- A free RADIUS server implementation </topic>
    <affects>
      <package>
        <name>freeradius</name>
        <range><le>1.1.7_4</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>freeRADIUS Vulnerability Notifications reports:</p>
        <blockquote cite="http://freeradius.org/security.html">
          <p>2009.09.09 v1.1.7 - Anyone who can send packets to
            the server can crash it by sending a Tunnel-Password
            attribute in an Access-Request packet. This
            vulnerability is not otherwise exploitable. We have
            released 1.1.8 to correct this vulnerability.

            This issue is similar to the previous Tunnel-Password
            issue noted below. The vulnerable versions are 1.1.3
            through 1.1.7. Version 2.x is not affected.
          </p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-3111</cvename>
      <url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3111</url>
      <url>http://freeradius.org/security.html</url>
      <url>http://www.milw0rm.com/exploits/9642</url>
    </references>
    <dates>
      <discovery>2009-09-09</discovery>
      <entry>2009-12-09</entry>
    </dates>
  </vuln>
</vuxml>
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:


