PublicDateAtUSN: 2009-09-09
Candidate: CVE-2009-3111
PublicDate: 2009-09-09 18:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3111
 https://ubuntu.com/security/notices/USN-832-1
Description:
 The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers
 to cause a denial of service (radiusd crash) via zero-length
 Tunnel-Password attributes, as demonstrated by a certain module in
 VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression
 error related to CVE-2003-0967.
Ubuntu-Description:
Notes:
 kees> oss-security: "Version 2.X is not affected by this issue."
 mdeslaur> PoC for CVE-2003-0967: http://marc.info/?l=bugtraq&m=106944220426970
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_freeradius:
 upstream: http://github.com/alandekok/freeradius-server/commit/860cad9e02ba344edb0038419e415fe05a9a01f4
upstream_freeradius: released (1.1.8)
dapper_freeradius: ignored (reached end-of-life)
hardy_freeradius: released (1.1.7-1ubuntu0.2)
intrepid_freeradius: not-affected
jaunty_freeradius: not-affected
karmic_freeradius: not-affected
devel_freeradius: not-affected