Re: CVE request: vulnerability in FreeRADIUS (OCSP)

[Tim Zingelman <tez () netbsd org>]

On Mon, Jul 18, 2011 at 5:37 PM, Solar Designer <solar () openwall com> wrote:
> dfncert () dfn-cert de wrote:
> > > We would be willing to provide the patch to all Linux distributors
> > > but we do not want to release the patch publicly and wait for the
> > > official patch by the packet maintainer of FreeRADIUS.
>
> For FreeRADIUS specifically, it sounds like non-Linux vendors could be
> interested as well.  DFN-CERT did mention Linux distros specifically in
> the quote above, so the suggestion to use the list was appropriate, but
> perhaps requests from other distros shipping FreeRADIUS should be
> accommodated as well.  If something like this arrived to the Linux
> distros list without prior discussion on oss-security, I would bring
> this up and suggest that we contact *BSD's at least.  Since this is
> already on oss-security, I assume that interested *BSD's and others may
> ask DFN-CERT themselves. ;-)

NetBSD pkgsrc security team would be interested in the patch, as
FreeRADIUS is included in pkgsrc.
You could send to me, or to pkgsrc-security () netbsd org in either case
the message could be encrypted using
this key  http://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security () NetBSD org asc

Thanks,

- Tim