1
PublicDateAtUSN: 2012-09-18
2
Candidate: CVE-2012-3547
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
6
http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt
7
http://seclists.org/fulldisclosure/2012/Sep/83
8
https://usn.ubuntu.com/usn/usn-1585-1
10
Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS
11
2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote
12
attackers to cause a denial of service (server crash) and possibly execute
13
arbitrary code via a long "not after" timestamp in a client certificate.
16
sbeattie> possibly mitigated by -fstack-protector
17
sbeattie> upstream report claims 2.1.10-2.1.12 are only affected
19
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687175
20
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3547
22
Discovered-by: Timo Warns
26
upstream: https://github.com/alandekok/freeradius-server/commit/78e5aed56c36a9231bc91ea5f55b3edf88a9d2a4
27
Tags_freeradius: stack-protector
28
upstream_freeradius: released (2.2.0)
29
hardy_freeradius: ignored (reached end-of-life)
30
lucid_freeradius: not-affected (code not present)
31
natty_freeradius: released (2.1.10+dfsg-2ubuntu2.1)
32
oneiric_freeradius: released (2.1.10+dfsg-3ubuntu0.11.10.1)
33
precise_freeradius: released (2.1.10+dfsg-3ubuntu0.12.04.1)
34
devel_freeradius: not-affected (2.1.12+dfsg-1.1)