Disabled session caching in raddb/mods-available/eap in response to CVE-2017-9148.
authorDan Breslau <dbreslau@painless-security.com>
Fri, 2 Jun 2017 15:29:40 +0000 (11:29 -0400)
committerDan Breslau <dbreslau@painless-security.com>
Fri, 2 Jun 2017 15:29:40 +0000 (11:29 -0400)
debian/changelog
raddb/mods-available/eap

index 60f0030..ccb644d 100644 (file)
@@ -1,3 +1,9 @@
+freeradius (3.0.13+moonshot3-6) unstable; urgency=medium
+
+  * Disabled session caching in EAP in response to CVE-2017-9148.
+
+ -- Painless Security <build@painless-security.com>  Fri, 02 Jun 2017 15:29:00 -0400
+
 freeradius (3.0.13+moonshot3-5) unstable; urgency=medium
 
   * Fixed deleted links when upgrading to 3.0.13 on debian/ubuntu
index 427016c..5cc4ac5 100644 (file)
@@ -390,7 +390,7 @@ eap {
                        #  If "enable = no" below, you CANNOT enable resumption for just one
                        #  user by setting the above attribute to "yes".
                        #
-                       enable = yes
+                       enable = no
 
                        #
                        #  Lifetime of the cached entries, in hours. The sessions will be
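Review bot: The changed line `enable = no` leaves no trace in the file of why caching is off, while the surrounding comments still present resumption as a tunable feature, so a later operator reading only this file is likely to flip it back to `yes`; add a comment directly above the new line, e.g. `#  Disabled as a mitigation for CVE-2017-9148 (authentication bypass via TLS session resumption). Re-enable only once this build carries the upstream fix.` Disabling the cache is a mitigation rather than the fix itself, so the changelog entry would also benefit from stating that the permanent remedy is a FreeRADIUS release with the upstream fix. If this file is installed as a dpkg conffile, deployments that have locally edited raddb/mods-available/eap will keep their existing `enable = yes` unless the administrator accepts the change during upgrade; that seems worth mentioning in the changelog or a NEWS entry. The enclosing `eap {` block starts and ends outside the hunk.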