CVE-2017-9148

NameCVE-2017-9148
DescriptionThe TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-977-1
NVD severityhigh
Debian Bugs863673

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
freeradius (PTS)stretch (security), stretch3.0.12+dfsg-5+deb9u1fixed
buster3.0.17+dfsg-1.1fixed
bullseye3.0.21+dfsg-2.2fixed
bookworm, sid3.0.21+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
freeradiussourcewheezy2.1.12+dfsg-1.2+deb7u1DLA-977-1
freeradiussourcejessie(not affected)
freeradiussource(unstable)3.0.12+dfsg-5863673

Notes

[jessie] - freeradius <not-affected> (Only affects 2.1.1 to 2.1.7 and 3.0 to 3.0.13)
https://www.openwall.com/lists/oss-security/2017/05/29/1
http://freeradius.org/security.html#session-resumption-2017
https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563

Search for package or bug name: Reporting problems