Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553308 (CVE-2015-4680) - <net-dialup/freeradius-2.2.9: insufficient CRL application (CVE-2015-4680)
Summary: <net-dialup/freeradius-2.2.9: insufficient CRL application (CVE-2015-4680)
Status: RESOLVED FIXED
Alias: CVE-2015-4680
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-26 09:38 UTC by Agostino Sarubbo
Modified: 2016-06-30 10:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-06-26 09:38:00 UTC
From ${URL} :

#2015-008 FreeRADIUS insufficent CRL application

Description:

The FreeRADIUS server is an open source project that provides a RADIUS
implementation.

The FreeRADIUS server relies on OpenSSL to perform certificate validation,
including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of
OpenSSL, in CRL application, limits the checks to leaf certificates,
therefore not detecting revocation of intermediate CA certificates.

An unexpired client certificate, issued by an intermediate CA with a revoked
certificate, is therefore accepted by FreeRADIUS.

Specifically sets the X509_V_FLAG_CRL_CHECK flag for leaf certificate CRL
checks, but does not use X509_V_FLAG_CRL_CHECK_ALL for CRL checks on the
complete trust chain.

The FreeRADIUS project advises that the recommended configuration is to use
self-signed CAs for all EAP-TLS methods.

Affected version:

   FreeRADIUS <= 2.2.7, <= 3.0.8

Fixed version:

   FreeRADIUS >= 2.2.8, >= 3.0.9

Credit: vulnerability anonymously reported.

CVE: CVE-2015-4680

Timeline:

2015-06-17: vulnerability report received
2015-06-18: contacted FreeRADIUS security maintainer
2015-06-18: patch provided by maintainer
2015-06-19: assigned CVE
2015-06-22: advisory release

References:
https://github.com/FreeRADIUS/freeradius-server/blob/b28326004379260ca2fe7b8884f813d90a741197/src/main/tls.c#L2111
https://github.com/FreeRADIUS/freeradius-server/blob/b28326004379260ca2fe7b8884f813d90a741197/src/main/tls.c#L2595
http://freeradius.org/security.html

Permalink:
http://www.ocert.org/advisories/ocert-2015-008.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-11-22 14:17:20 UTC
It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten.

Any updates?
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-04-20 08:08:53 UTC
commit 3a7259637a572d5818ad1c363fe4a85282823e12
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Apr 20 10:03:56 2016

    net-dialup/freeradius: Security bump to versions 2.2.9 and 3.0.11
    
    See security bugs #553308 and #560994.
    Also fixing version bump request #551246, init script bug #551246 and
    missing dependency on sys-libs/talloc (#543302).
    
    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


I am not using freeradius myself but I suggest we start stabilization of =net-dialup/freeradius-2.2.9 in order to get rid of the two known security bugs.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2016-04-23 04:55:19 UTC
Arches, please test and mark stable:

=net-dialup/freeradius-2.2.9

Target Keywords : "amd64 x86"

Thank you!
Comment 4 Agostino Sarubbo gentoo-dev 2016-04-26 11:20:10 UTC
amd64 stable
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 21:20:37 UTC
Ping a reminder for x86 stabilization
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-27 08:48:45 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 10:06:59 UTC
Devaway...

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e0574b15e5d814f53f7abd2c11c1297b7973283

GLSA Vote: No