Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 386183 (CVE-2011-2701) - <net-dialup/freeradius-2.2.0: authentication bypass (CVE-2011-2701)
Summary: <net-dialup/freeradius-2.2.0: authentication bypass (CVE-2011-2701)
Status: RESOLVED FIXED
Alias: CVE-2011-2701
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B4 [glsa]
Keywords:
Depends on: CVE-2012-3547
Blocks:
  Show dependency tree
 
Reported: 2011-10-08 00:13 UTC by GLSAMaker/CVETool Bot
Modified: 2013-11-13 11:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 00:13:47 UTC
CVE-2011-2701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2701):
  The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is
  enabled, does not properly parse replies from OCSP responders, which allows
  remote attackers to bypass authentication by using the EAP-TLS protocol with
  a revoked X.509 client certificate.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-14 19:05:24 UTC
@net-dialup, mrness, can we proceed with stabilization of net-dialup/freeradius-2.1.12? Thanks.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-04-05 21:42:18 UTC
@net-dialup, mrness, ping? Thanks.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-09-30 20:23:23 UTC
Go for 2.2.0 at this point (see the other open bug).
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-03 11:12:22 UTC
Already on existing GLSA draft.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-11-13 11:58:52 UTC
This issue was resolved and addressed in
 GLSA 201311-09 at http://security.gentoo.org/glsa/glsa-201311-09.xml
by GLSA coordinator Sergey Popov (pinkbyte).