The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by using the EAP-TLS protocol with a revoked X.509 client certificate.
@net-dialup, mrness, can we proceed with stabilization of net-dialup/freeradius-2.1.12? Thanks.
@net-dialup, mrness, ping? Thanks.
Go for 2.2.0 at this point (see the other open bug).
Already on existing GLSA draft.
This issue was resolved and addressed in GLSA 201311-09 at http://security.gentoo.org/glsa/glsa-201311-09.xml by GLSA coordinator Sergey Popov (pinkbyte).