From ${URL} :

A vulnerability in the decryption of very long Tunnel-Passwords was found. The decryption routines could walk off the end of a buffer and write to adjacent addresses. The data being written is not under the control of an attacker. The end result is usually a crash of the server. The packet decoder in FreeRADIUS ensures that the only time this issue is exploitable is when a proxy server receives a long Tunnel-Password attribute in the reply from a home server. The attack cannot be performed by a RADIUS client or an end user. As such, the exploitability of the attack is limited to systems within the trusted RADIUS environment. The vulnerability affects 3.0.x and 3.1.x versions. Versions 2.x don't seem to be exploitable.

External reference: http://freeradius.org/security.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
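For readers who want to see where the length checks belong in a Tunnel-Password decoder, the following is an added example written for this page. It is not FreeRADIUS code and does not reproduce the FreeRADIUS bug; it implements the RFC 2868 section 3.5 Tunnel-Password cipher (MD5 keystream blocks chained on the previous ciphertext block, a one-octet embedded length, zero padding to 16 octets) and refuses to decrypt anything whose lengths do not add up before a single output byte is written. The shared secret, request authenticator, salt and password values are constructed for the demonstration; the 253-octet attribute maximum comes from the RADIUS attribute length field and is the only protocol constant assumed beyond the RFC algorithm.

```python
"""RFC 2868 Tunnel-Password encrypt/decrypt with explicit length checks.

Added illustration, not FreeRADIUS code. All sample values are constructed.
"""
import hashlib

BLOCK = 16                        # MD5 digest size; the password is handled in 16-octet blocks
MAX_ATTR_VALUE = 253              # largest RADIUS attribute value (255 minus Type and Length octets)
MAX_STRING = MAX_ATTR_VALUE - 3   # Tunnel-Password value = Tag(1) + Salt(2) + String, so String <= 250


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    """b_i = MD5(S + prev), where prev is R + A for the first block, else c_{i-1}."""
    return hashlib.md5(secret + prev).digest()


def _check_salt(salt: bytes) -> None:
    # RFC 2868: two octets, high bit of the first octet set.
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")


def tunnel_password_encrypt(password: bytes, secret: bytes,
                            authenticator: bytes, salt: bytes) -> bytes:
    """Return the encrypted String field (Tag and Salt are not included)."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    _check_salt(salt)
    if len(password) > 0xFF:
        raise ValueError("password too long for the one-octet length field")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % BLOCK)          # zero pad to a multiple of 16
    if len(plain) > MAX_STRING:
        raise ValueError("encrypted string would not fit in one attribute")
    out = bytearray()
    prev = authenticator + salt                        # b1 = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        b = _keystream_block(secret, prev)
        c = bytes(x ^ y for x, y in zip(plain[i:i + BLOCK], b))
        out += c
        prev = c                                       # b_i = MD5(S + c_{i-1})
    return bytes(out)


def tunnel_password_decrypt(string: bytes, secret: bytes,
                            authenticator: bytes, salt: bytes) -> bytes:
    """Decrypt the String field, validating every length before writing output.

    The three checks a decoder needs so that an over-long or malformed value
    from a peer is rejected rather than driving writes past the output size:
      1. the ciphertext is a non-zero multiple of the block size,
      2. the ciphertext fits the maximum attribute payload,
      3. the embedded length octet does not claim more than was decrypted.
    """
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    _check_salt(salt)
    n = len(string)
    if n == 0 or n % BLOCK != 0:
        raise ValueError("ciphertext length %d is not a multiple of %d" % (n, BLOCK))
    if n > MAX_STRING:
        raise ValueError("ciphertext length %d exceeds attribute maximum %d" % (n, MAX_STRING))
    out = bytearray(n)                                 # output sized from the already-checked n
    prev = authenticator + salt
    for i in range(0, n, BLOCK):
        b = _keystream_block(secret, prev)
        c = string[i:i + BLOCK]
        out[i:i + BLOCK] = bytes(x ^ y for x, y in zip(c, b))
        prev = c
    declared = out[0]
    if declared > n - 1:
        raise ValueError("embedded length %d exceeds decrypted payload %d" % (declared, n - 1))
    return bytes(out[1:1 + declared])


if __name__ == "__main__":
    # Constructed sample values; a real server takes these from the shared
    # secret configuration and the Access-Request that the reply answers.
    secret = b"testing123"
    authenticator = bytes(range(16))
    salt = b"\x81\x02"
    enc = tunnel_password_encrypt(b"correct horse battery", secret, authenticator, salt)
    print(len(enc), tunnel_password_decrypt(enc, secret, authenticator, salt))
```

The decoder sizes its output from a length it has already bounded and rejects the embedded length octet if it points past what was actually decrypted, which is the property the advisory above says was missing for very long values. Note that both directions of the cipher are needed to exercise the decoder offline, so the encrypt side is included only to produce test input.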
commit 3a7259637a572d5818ad1c363fe4a85282823e12
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Apr 20 10:03:56 2016

    net-dialup/freeradius: Security bump to versions 2.2.9 and 3.0.11

    See security bugs #553308 and #560994.
    Also fixing version bump request #551246, init script bug #551246 and
    missing dependency on sys-libs/talloc (#543302).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

I am not using freeradius myself, but I suggest we start stabilization of =net-dialup/freeradius-2.2.9 in order to get rid of the two known security bugs.
Re-designating the severity level. This is not exploitable outside of the trusted RADIUS environment, but more importantly it is only a potential DoS, which does not rate a 2. Cleanup is already complete.

GLSA Vote: No