Bug 852752 (CVE-2012-3547)
| Field | Value |
|---|---|
| Summary | CVE-2012-3547 freeradius: stack-based buffer overflow via long expiration date fields in client X509 certificates |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | anshockm, dpal, jdennis, lnovy, pkis, ppandit, security-response-team |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | freeradius 2.2.0 |
| Doc Type | Bug Fix |
| Last Closed | 2012-10-02 18:07:05 UTC |
| Bug Depends On | 855308, 855315, 855316, 855317, 855909 |
| Bug Blocks | 852759 |
Description
Jan Lieskovsky
2012-08-29 13:43:56 UTC
Preliminary embargo date for this issue has been set to Monday, 10th of September, 2012.

This issue did NOT affect the version of the freeradius package, as shipped with Red Hat Enterprise Linux 5, as it did not yet include the upstream a368a6f4f4aaf commit, which introduced the issue.

This issue affects the version of the freeradius2 package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of the freeradius package, as shipped with Red Hat Enterprise Linux 6.

Created attachment 607916 [details]
Proposed patch to correct this from Alan DeKok from FreeRADIUS upstream

This is now public:
http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt
http://seclists.org/fulldisclosure/2012/Sep/83

Created freeradius tracking bugs for this issue

Affects: fedora-all [bug 855909]

(In reply to comment #5)
> Created attachment 607916 [details]
> Proposed patch to correct this from Alan DeKok from FreeRADIUS upstream

Committed upstream in:
https://github.com/alandekok/freeradius-server/commit/78e5aed56c36a9231bc91ea5f55b3edf88a9d2a4

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:1327 https://rhn.redhat.com/errata/RHSA-2012-1327.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1326 https://rhn.redhat.com/errata/RHSA-2012-1326.html