DFN-CERT reported a vulnerability in the OCSP feature in FreeRADIUS 2.1.11 where it does not verify the status of a certificate (e.g. if the certificate was revoked).
No further details, or a patch, were provided. According to the changelog on the FreeRADIUS site, OCSP support was added in version 2.1.11:
* OCSP support from Alex Bergmann. See raddb/eap.conf, "ocsp" section.
Therefore earlier versions of FreeRADIUS are not affected by this flaw.
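For reference, this is the shape of the "ocsp" subsection inside the eap { tls { ... } } block of raddb/eap.conf that the changelog entry above refers to, with OCSP switched on. This is an added illustration, not text from the bug report or from the FreeRADIUS distribution; the responder URL is a placeholder (assumption), and the keys shown are the ones the 2.1.11 example eap.conf documents.

```conf
# raddb/eap.conf  ->  eap { tls { ... } }
# Added example (not from the bug report). URL below is a placeholder.
tls {
    # ... private_key_file, certificate_file, CA_file etc. as before ...

    # Certificates can be checked against an OCSP responder instead of
    # (or in addition to) distributing CRLs.
    ocsp {
        # Default is "no". Deleting the whole "ocsp" subsection also
        # disables OCSP checking.
        enable = yes

        # "no": take the responder URL from the client certificate's
        #       Authority Information Access extension.
        # "yes": ignore the certificate and always use "url" below.
        override_cert_url = no

        # Responder used when override_cert_url = yes. Placeholder value.
        url = "http://ocsp.example.com/"
    }
}
```

The point of the report above is that, on an unpatched 2.1.11, turning this subsection on does not give you the protection the setting implies: the server does not verify the revocation status returned for the certificate, so a revoked client certificate is still accepted. Treat `enable = yes` as effective only once the upstream fix is applied, and confirm with a client certificate your CA has actually revoked that EAP-TLS authentication is rejected.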
Not vulnerable. This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Created freeradius tracking bugs for this issue
Affects: fedora-all [bug 724816]
Created attachment 514686
proposed patch from upstream
The DFN-CERT advisory is now available: https://www.dfn-cert.de/informationen/Sicherheitsbulletins/dsb-2011-01.html