CVE-2012-3547

Publication date 18 September 2012

Last updated 24 July 2024


Ubuntu priority

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long "not after" timestamp in a client certificate.
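The description says only that a long "not after" value overflows a fixed-size stack buffer in cbtls_verify. The following C program is an added illustration, not FreeRADIUS's code: it models one plausible shape of such a defect (a length guard that compares against a limit larger than the destination buffer) next to a bounded, format-checked replacement. The buffer size TIME_BUF_LEN, the MAX_STRING_LEN value and the fake_asn1_time struct are assumptions made for the demonstration so it runs without OpenSSL; real code would receive an ASN1_TIME from X509_get_notAfter().

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration: the stack buffer that receives the
 * timestamp, and a larger, unrelated limit used by the broken guard. */
#define TIME_BUF_LEN   64
#define MAX_STRING_LEN 254

/* Stand-in for OpenSSL's ASN1_TIME (length + raw bytes), constructed for
 * this demonstration so it runs without linking OpenSSL. */
typedef struct {
    int length;
    const unsigned char *data;
} fake_asn1_time;

/*
 * Vulnerable pattern (assumed shape of the bug).  The guard checks the
 * "not after" length against MAX_STRING_LEN, but the destination is only
 * TIME_BUF_LEN bytes, so a timestamp of 64..253 bytes passes and the copy
 * (left commented out so this demo cannot corrupt its own stack) writes
 * past the buffer.  Returns 1 if the copy would be attempted, 0 if not.
 */
int vulnerable_accepts(const fake_asn1_time *t)
{
    char buf[TIME_BUF_LEN];
    buf[0] = '\0';
    (void)buf;
    if (t && t->length < MAX_STRING_LEN) {
        /* memcpy(buf, t->data, t->length); buf[t->length] = '\0'; */
        return 1;
    }
    return 0;
}

/*
 * Hardened version: bound the copy by the destination size (leaving room
 * for the NUL), and accept only the two encodings RFC 5280 permits for
 * certificate validity times: UTCTime "YYMMDDHHMMSSZ" (13 bytes) and
 * GeneralizedTime "YYYYMMDDHHMMSSZ" (15 bytes).  Returns the number of
 * bytes copied, or -1 if the value was rejected (out is left empty).
 */
int safe_copy_not_after(const fake_asn1_time *t, char *out, size_t out_len)
{
    int i;
    if (out_len == 0) return -1;
    out[0] = '\0';
    if (!t || !t->data || t->length < 0) return -1;
    if ((size_t)t->length >= out_len) return -1;        /* no room for NUL */
    if (t->length != 13 && t->length != 15) return -1;  /* not a DER time */
    for (i = 0; i < t->length; i++) {
        unsigned char c = t->data[i];
        if (i == t->length - 1) {
            if (c != 'Z') return -1;
        } else if (c < '0' || c > '9') {
            return -1;
        }
    }
    memcpy(out, t->data, (size_t)t->length);
    out[t->length] = '\0';
    return t->length;
}

/* Convenience wrappers taking a C string as the raw timestamp bytes. */
int vulnerable_accepts_str(const char *s)
{
    fake_asn1_time t = { (int)strlen(s), (const unsigned char *)s };
    return vulnerable_accepts(&t);
}

int safe_copy_str(const char *s)
{
    char out[TIME_BUF_LEN];
    fake_asn1_time t = { (int)strlen(s), (const unsigned char *)s };
    return safe_copy_not_after(&t, out, sizeof(out));
}

int main(void)
{
    /* Constructed inputs: a normal UTCTime, and a 120-byte "timestamp" of
     * the kind an attacker-controlled client certificate could carry. */
    const char *normal = "250101000000Z";
    char evil[121];
    memset(evil, '9', sizeof(evil) - 1);
    evil[sizeof(evil) - 1] = '\0';

    printf("normal : vulnerable guard=%d  hardened=%d\n",
           vulnerable_accepts_str(normal), safe_copy_str(normal));
    printf("120 B  : vulnerable guard=%d  hardened=%d\n",
           vulnerable_accepts_str(evil), safe_copy_str(evil));
    return 0;
}
```

The point of the hardened variant is that the bound comes from the destination (sizeof(out)), never from an unrelated constant, and that a value which cannot be a valid certificate time is rejected before any copy; a stack protector may turn the overflow into a clean abort, but it does not remove the denial of service.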


Status

Package      Ubuntu Release       Status
freeradius   12.04 LTS precise    Fixed   2.1.10+dfsg-3ubuntu0.12.04.1
             11.10 oneiric        Fixed   2.1.10+dfsg-3ubuntu0.11.10.1
             11.04 natty          Fixed   2.1.10+dfsg-2ubuntu2.1
             10.04 LTS lucid      Not affected
             8.04 LTS hardy       Ignored (end of life)

Notes


sbeattie

possibly mitigated by -fstack-protector

upstream report claims 2.1.10-2.1.12 are only affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
freeradius

References

Related Ubuntu Security Notices (USN)

    • USN-1585-1: FreeRADIUS vulnerability (26 September 2012)

Other references