Bugzilla – Bug 1041445
VUL-0: CVE-2017-9148: freeradius-server: TLS resumption authentication bypass
Last modified: 2017-10-26 07:33:13 UTC
Created attachment 726814
upstream patch from git
Description: TLS client certificate expiration not enforced on session resumption
https://nvd.nist.gov/vuln/detail/CVE-2017-9148
ignore last comment
Created attachment 728232
upstream patch from git
This is an autogenerated message for OBS integration:
This bug (1041445) was mentioned in
https://build.opensuse.org/request/show/501884 42.2 / freeradius-server
openSUSE-SU-2017:1609-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1041445
CVE References: CVE-2017-9148
Sources used:
openSUSE Leap 42.2 (src): freeradius-server-3.0.12-2.3.1
Note for QA reproduction: You need to run radiusd in production mode, not in debugging mode "radiusd -X". If you run radiusd in debugging mode, it will crash because of another existing bug bsc#1042145.
SUSE-SU-2017:1705-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1027243,1041445
CVE References: CVE-2017-9148
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): freeradius-server-3.0.3-17.4.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): freeradius-server-3.0.3-17.4.1
SUSE Linux Enterprise Server 12-SP2 (src): freeradius-server-3.0.3-17.4.1
SUSE-SU-2017:1777-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1041445,912873,935573
CVE References: CVE-2015-4680,CVE-2017-9148
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): freeradius-server-2.1.1-7.24.1
SUSE Linux Enterprise Server 11-SP4 (src): freeradius-server-2.1.1-7.24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): freeradius-server-2.1.1-7.24.1
released