Bug 60587 - net-dialup/freeradius: 1.0.1 fixes DoS vulnerabilities
Summary: net-dialup/freeradius: 1.0.1 fixes DoS vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
Duplicates: 57043 64738
Depends on:
Reported: 2004-08-16 13:38 UTC by Chet McNeill
Modified: 2011-10-30 22:40 UTC

See Also:
Package list:
Runtime testing required: ---

Attachments:
- freeradius 1.0.0 ebuild (freeradius-1.0.0.ebuild, 2.74 KB, text/plain), 2004-08-16 13:39 UTC, Chet McNeill
- Patch to freeradius 1.0.0 (freeradius-1.0.0-exec-args.patch, 1.12 KB, patch), 2004-08-16 13:40 UTC, Chet McNeill
- freeradius-1.0.1.ebuild (freeradius-1.0.1.ebuild, 2.64 KB, text/plain), 2004-09-19 16:17 UTC, Alin Năstac (RETIRED)

Description Chet McNeill 2004-08-16 13:38:32 UTC
This is an update to freeradius 1.0.0. Added a new patch that fixes a problem with the running of external programs with quoted arguments. Removed the old patch.
Comment 1 Chet McNeill 2004-08-16 13:39:04 UTC
Created attachment 37554: freeradius 1.0.0 ebuild
Comment 2 Chet McNeill 2004-08-16 13:40:24 UTC
Created attachment 37555: Patch to freeradius 1.0.0

Fixes a problem with running external commands with quoted arguments.
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2004-09-19 16:17:04 UTC
Created attachment 39967: freeradius-1.0.1.ebuild

This ebuild contains several modifications:
  - correction of use flag frnothred -> frnothread; however, in my opinion it will be best to have just one global "thread" flag. After all, you could set your flags on package level by using /etc/portage/package.use
  - correction for bug #42718
  - --disable-static
  - creation of radiusd user & group
  - safe permissions on various directories
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2004-09-19 16:21:37 UTC
I forgot to mention in comment #3 that I removed the flag frlargefiles. I don't see the point in making support for large files selectable by the user. I took a peek at other ebuilds and saw that everywhere it applies, large file support is enabled.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-20 02:14:25 UTC
Reassigning to security@g.o since freeradius 1.0.1 addresses security issues:

"2004.09.14 v1.0.0 - Multiple external DoS attacks exist in the server. These are related to the attacks below, in 0.9.2, but were not caught then. The vulnerabilities are fixed in 1.0.1, and in all later versions of the server. The vulnerabilities are not exploitable, but can be used to remotely crash the server."

"Multiple unspecified vulnerabilities have been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service).

No more information is currently available.

Update to version 1.0.1 or later."
Comment 6 Alin Năstac (RETIRED) gentoo-dev 2004-09-20 04:00:52 UTC
*** Bug 64738 has been marked as a duplicate of this bug. ***
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-20 04:08:23 UTC
net-dialup, please bump.
Comment 8 Heinrich Wendel (RETIRED) gentoo-dev 2004-09-20 05:12:28 UTC
*** Bug 57043 has been marked as a duplicate of this bug. ***
Comment 9 Heinrich Wendel (RETIRED) gentoo-dev 2004-09-20 05:22:59 UTC
Added and marked stable on x86.
Comment 10 Heinrich Wendel (RETIRED) gentoo-dev 2004-09-20 05:23:39 UTC
BTW: good work, Alin ;)
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-20 06:29:02 UTC
This one is ready for GLSA. Security please draft.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 08:30:48 UTC
Just checked it out; it's not stable on x86.
freeradius-1.0.1.ebuild: KEYWORDS="~x86 ~amd64"

lanius: could you correct it?
Comment 13 Heinrich Wendel (RETIRED) gentoo-dev 2004-09-20 11:01:51 UTC
Sorry, stable on x86 now; amd64 needn't mark it stable since the previous versions weren't.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-22 03:21:19 UTC
GLSA 200409-29