FreeBSD Information for VU#589523

Multiple implementations of the RADIUS protocol contain a digest calculation buffer overflow



Vendor Statement

FreeBSD versions prior to 4.5-RELEASE (which is shipping today or tomorrow or so) do contain some of the RADIUS packages mentioned below: radiusd-cistron, freeradius, ascend-radius, icradius, and radiusclient.

However, 4.5-RELEASE will not ship with any of these RADIUS packages, except radiusclient. Also, note that the information you [CERT/CC] have forwarded previously indicates that neither Merit RADIUS (radius-basic) nor radiusclient are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Note that RADIUSClient is vulnerable and an update was released to address this vulnerability.
