From ${URL} : PHP PECL upstream has released 1.2.7 version of the Radius client library, correcting one security flaw (from [1]): "- Fix a security issue in radius_get_vendor_attr() by enforcing checks of the VSA length field against the buffer size. (Adam)" References: [1] http://pecl.php.net/package-changelog.php?package=radius [2] http://pecl.php.net/news/ Relevant upstream patch: [3] https://github.com/LawnGnome/php-radius/commit/13c149b051f82b709e8d7cc32111e84b49d57234 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-2220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2220): Buffer overflow in the radius_get_vendor_attr function in the Radius extension before 1.2.7 for PHP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large Vendor Specific Attributes (VSA) length value.
The ebuild exists in the tree and old versions are removed. Security team can continue from here.
Security: this is ready for your attention.
No glsa for testing branch
