DFN-CERT reported [1] a vulnerability in the OCSP feature in FreeRADIUS 2.1.11 where it does not verify the status of a certificate (e.g. if the certificate was revoked). No further details, or a patch, were provided.

According to the changelog on the FreeRADIUS site [2], OCSP support was added in version 2.1.11:

* OCSP support from Alex Bergmann. See raddb/eap.conf, "ocsp" section.

Therefore earlier versions of FreeRADIUS are not affected by this flaw.

[1] http://seclists.org/oss-sec/2011/q3/105
[2] http://freeradius.org/

Statement:

Not vulnerable. This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 4, 5, or 6.
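The flaw above is that a revoked client certificate is accepted because the OCSP result is never acted on. The script below is an added example (not from the bug report, DFN-CERT, or the FreeRADIUS project) showing what a relying party is supposed to do with an OCSP response: build a throwaway CA, issue two client certificates, revoke one of them in an "openssl ca" style index file, answer an OCSP request offline with the CA as responder, and then verify the response and read the per-certificate status with the openssl command-line tool standing in for FreeRADIUS. The CA name, the client1/client2 certificates, serials 1 and 2, and the dates in index.txt are all constructed for the demo; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeRADIUS: a full
# offline OCSP round trip with the openssl CLI. It demonstrates the two
# things a verifier must do: check the response signature chains to the
# CA, and honour the per-certificate status ("revoked" vs "good").
# Test CA, client1/client2, serials 1 and 2 and all dates are made up here.
set -eu

ocsp_revocation_demo() (
    work=$(mktemp -d)
    cd "$work"

    # 1. Throwaway CA. The CA itself also signs the OCSP responses below.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout ca.key -out ca.pem -subj "/CN=Test CA" >/dev/null 2>&1

    # 2. Two client (EAP-TLS supplicant style) certificates with known
    #    serial numbers: 1 -> client1.pem, 2 -> client2.pem.
    for n in 1 2; do
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "client$n.key" -out "client$n.csr" \
            -subj "/CN=client$n" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "client$n.csr" \
            -CA ca.pem -CAkey ca.key -set_serial "$n" \
            -out "client$n.pem" >/dev/null 2>&1
    done

    # 3. CA database in "openssl ca" index.txt format. Serial 01 is revoked
    #    (status R, with a revocation time); serial 02 is still valid (V).
    #    Fields: status, expiry, revocation time, serial, file name, subject.
    printf 'R\t260101000000Z\t230101000000Z\t01\tunknown\t/CN=client1\n' >  index.txt
    printf 'V\t260101000000Z\t\t02\tunknown\t/CN=client2\n'              >> index.txt
    echo 'unique_subject = yes' > index.txt.attr

    # 4. One OCSP request covering both certificates. The nonce is omitted
    #    so the offline request and the verification request in step 6 match.
    openssl ocsp -issuer ca.pem -cert client1.pem -cert client2.pem \
        -no_nonce -reqout req.der >/dev/null 2>&1

    # 5. Answer the request as the responder, signing with the CA key.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1

    # 6. Verify as a relying party would. "openssl ocsp" reports whether the
    #    response signature verified on stderr and the status per certificate
    #    on stdout; both must be checked, which is exactly what the
    #    FreeRADIUS 2.1.11 code failed to do for the status part.
    openssl ocsp -issuer ca.pem -cert client1.pem -cert client2.pem \
        -CAfile ca.pem -no_nonce -respin resp.der \
        > summary.txt 2> verify.txt
    grep -q 'Response verify OK' verify.txt

    s1=$(sed -n 's/^client1\.pem: //p' summary.txt)
    s2=$(sed -n 's/^client2\.pem: //p' summary.txt)

    cd /
    rm -rf "$work"
    printf '%s %s\n' "$s1" "$s2"    # prints: revoked good
)

ocsp_revocation_demo
```

A verifier that only checks the signature and the thisUpdate/nextUpdate window, but never looks at the status field, would treat client1 exactly like client2; the "revoked" word in the output is the information that has to turn into an authentication failure.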
Created freeradius tracking bugs for this issue

Affects: fedora-all [bug 724816]
Created attachment 514686: proposed patch from upstream
The DFN-CERT advisory is now available: https://www.dfn-cert.de/informationen/Sicherheitsbulletins/dsb-2011-01.html