oss-sec mailing list archives

Re: CVE Request: freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer

From: Moritz Muehlenhoff <jmm () debian org>
Date: Fri, 8 Jan 2016 17:22:59 +0100

On Tue, Aug 04, 2015 at 10:41:52AM +0530, Huzaifa Sidhpurwala wrote:

On 07/31/2015 12:04 PM, Huzaifa Sidhpurwala wrote:

The FreeRADIUS project has reported a flaw that affects the EAP-PWD
module of the freeradius package versions 3.0 up to 3.0.8. This module
is not enabled by default, so administrators must have manually enabled
it for their servers to be vulnerable.

Reference:
http://freeradius.org/security.html#eap-pwd-2015

Can a CVE id be please assigned to this flaw?

Copying cve-assign this time to see if this gets picked up :)


This seems to have fallen through the cracks?

Cheers,
        Moritz

Current thread:

Re: CVE Request: freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer Moritz Muehlenhoff (Jan 08)
- <Possible follow-ups>
- Re: CVE Request: freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer cve-assign (Jan 08)