CVE-2017-9148

Priority
Medium
Description
The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before
3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to
reliably prevent resumption of an unauthenticated session, which allows
remote attackers (such as malicious 802.1X supplicants) to bypass
authentication via PEAP or TTLS.
References
Bugs
Notes
 mdeslaur> only affects 2.1.1 to 2.1.7 and 3.0 to 3.0.13
Assigned-to
mdeslaur
Package
Upstream: released (3.0.12+dfsg-5)
Ubuntu 17.10 (Artful Aardvark): not-affected (3.0.12+dfsg-5ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (2.1.12+dfsg-1.2ubuntu8.1)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2.2.8+dfsg-0.1build2)
Ubuntu 16.10 (Yakkety Yak): not-affected (2.2.8+dfsg-0.1build2)
Ubuntu 17.04 (Zesty Zapus): released (3.0.12+dfsg-4ubuntu1.1)
Patches:
Vendor: https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563
More Information

Updated: 2017-06-14 22:14:42 UTC (commit 12736)