Hi Jeremy

I'm sorry there was some confusion regarding #700669 related CVEs. The original advisory contained two vulnerabilities, where the second CVE was afterwards rejected. According to [1] now, the second "CreateID() creates serialized packet IDs for RADIUS" is still open, thus creating this bug report. See also Red Hat Bugreport [2], see specifically Comment 5 [3].

[1]: http://marc.info/?l=oss-security&m=136151128112754&w=2
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=911685
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=911685#c5

Regards,
Salvatore
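To make the point of the reopened report concrete, here is an added illustration (not code from pyrad or from this bug thread): a hypothetical stand-in for a "serialized" CreateID() that hands out consecutive one-octet RADIUS identifiers, next to a mitigated generator that draws identifiers from a CSPRNG while tracking the ones still outstanding, plus a small audit helper that flags a captured sequence of identifiers as sequential. The class and function names, the run-length threshold and the sample inputs are all constructed for this example.

```python
import secrets
from typing import Sequence

# RADIUS packet identifiers are a single octet, so only 256 values exist.
RADIUS_ID_SPACE = 256


class SerialIDGenerator:
    """Hypothetical stand-in for a 'serialized' CreateID(): every call
    returns the previous identifier plus one, wrapping at 256. This is
    the weak behaviour the report describes, constructed here for
    illustration; it is not pyrad's code."""

    def __init__(self, start: int = 0) -> None:
        self._next = start % RADIUS_ID_SPACE

    def create_id(self) -> int:
        value = self._next
        self._next = (self._next + 1) % RADIUS_ID_SPACE
        return value


class RandomIDGenerator:
    """Mitigated form (hypothetical): pick the identifier with a CSPRNG and
    skip values still in use by outstanding requests on this socket, so a
    reply cannot be matched to the wrong request."""

    def __init__(self) -> None:
        self._in_use: set[int] = set()

    def create_id(self) -> int:
        if len(self._in_use) >= RADIUS_ID_SPACE:
            raise RuntimeError("all 256 RADIUS identifiers are outstanding")
        while True:
            candidate = secrets.randbelow(RADIUS_ID_SPACE)
            if candidate not in self._in_use:
                self._in_use.add(candidate)
                return candidate

    def release(self, packet_id: int) -> None:
        # Call once the matching reply arrived or the request timed out.
        self._in_use.discard(packet_id)


def looks_serialized(ids: Sequence[int], min_run: int = 8) -> bool:
    """Audit helper: True if the observed identifiers contain a run of at
    least `min_run` values where each equals the previous one plus one
    (mod 256). A random generator essentially never produces such a run."""
    run = 1
    for prev, cur in zip(ids, ids[1:]):
        if cur == (prev + 1) % RADIUS_ID_SPACE:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def sample_ids(generator, count: int) -> list[int]:
    """Collect `count` identifiers from a generator for auditing."""
    return [generator.create_id() for _ in range(count)]


if __name__ == "__main__":
    # Constructed comparison of the two generators.
    print("serial  :", looks_serialized(sample_ids(SerialIDGenerator(250), 16)))
    print("random  :", looks_serialized(sample_ids(RandomIDGenerator(), 16)))
```

The audit helper is the part a packager or operator can reuse: capture the identifiers a client actually emits (from a packet trace or a test harness) and feed them to `looks_serialized` to check which behaviour a given pyrad version exhibits, rather than reasoning from the changelog alone.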
We believe that the bug you reported is fixed in the latest version of pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 701151@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Detiste <tchet@debian.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 31 Jul 2024 00:37:55 +0200
Source: pyrad
Architecture: source
Version: 2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Alexandre Detiste <tchet@debian.org>
Closes: 701151
Changes:
 pyrad (2.4-1) unstable; urgency=medium
 .
   * Team Upload
   * New upstream version 2.4
   * Fix CVE-2013-0342 (Closes: #701151)
   * Set DPT as Maintainer by Team Policy
   * Use new dh-sequence-python3
   * Set Rules-Requires-Root: no
Checksums-Sha1:
 1ec2ea35818c91213ff6d90b55329b347d6722f5 2002 pyrad_2.4-1.dsc
 5cb05fe2240d3cdcd2785307978cc8c5e49cb8ff 26580 pyrad_2.4.orig.tar.gz
 30d91446ac1e0d652669072f9133c134e271d371 3456 pyrad_2.4-1.debian.tar.xz
 7b5abde833db3ae761537d8ef1381802fb952ddc 6726 pyrad_2.4-1_source.buildinfo
Checksums-Sha256:
 e64aa5c6a34b068016e630a91697d4e4146b29a29d30f10cb9f9c5f62b169935 2002 pyrad_2.4-1.dsc
 8b3fef90f33e8eba4028cfee38ef59a1ec01a5a1a44a7d1b93cfd575228aeee5 26580 pyrad_2.4.orig.tar.gz
 b69d67d4997bddd0a6d8db229cbc0226d1e3fd501d95857c1ba492b8c29bf4d9 3456 pyrad_2.4-1.debian.tar.xz
 bb394267604f04813d696c8d1acf9ba89f1b10b33dd8e78271c6cf8ed13754aa 6726 pyrad_2.4-1_source.buildinfo
Files:
 48728b0e979d86b49048248d64cdfabf 2002 python optional pyrad_2.4-1.dsc
 0478f9b265d23dcb7091c10f4eaf76ec 26580 python optional pyrad_2.4.orig.tar.gz
 1e310060768e36622173720f763b3f24 3456 python optional pyrad_2.4-1.debian.tar.xz
 c8cd8002b6b51ccc4fc7ec14193d753c 6726 python optional pyrad_2.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEj23hBDd/OxHnQXSHMfMURUShdBoFAmapbO4RHHRjaGV0QGRl
Ymlhbi5vcmcACgkQMfMURUShdBqbyw/6Au4RNntRJaWBvOrepS/fmneRnkfqqItB
RVMCSpQFePdpDWTRXtBIQgAm6ssTSvOFYzgxMkG7ERbBNPI53eOw3V0LKJMf4TIQ
W0Ddyl3aPle3DTwZb4U6KMfY5d6IPeIBH4skMVfRC5T+NfZxepLYxzvVRetXi8zu
sWuS5wEuBSeqd/9ZGy3ilYACsSccmHVJ/J4vz1YnBytQDqAmqVJvRrsfkp66Gs+u
Rv0jtYT5HwiMwDOxcoO3D6BAQoQCL6dusL8Vu1o4d0OcqNOFCA6TvlT5wxoIx3xN
f71f/Nhfou7pGzdwbpvUfTnUW9cg83by162UDBqm5Vw5nqAhKsXtd3vQ9tBHwSNf
TSClVjLaIVRh87IN/ZxK9MM38MiWgAyXwCqQb9hFVNkAy+/cPxaNMeYGT50Ti0Mg
vcBbx44ecB0l7pPzf4g86K+CIw31k6XuEX4x60IA46gjenez4d/3nnZMY9AcgqRQ
ZRt0CYvRNrUh3QO3IzFMORVDljaWrAHskOEpRy7NZ69p3oGimV+AtO+NEqz1uWaW
Gp5s7S+0+iJDQJm8L81oUM9vxw8NpluD2eKsgSjMljFC0uZUObvkJ0lSPwoArLA3
bO4NQ3QXuhnY42nLv7AKjD8gvqKjtJGXSDVkEnPw2VbzzifSpJbss1ncRn0SVAkR
5HUjbzNTPBs=
=RAww
-----END PGP SIGNATURE-----
Hi,

This is afaics still not fixed in 2.4-1. See the different scope of CVE-2013-0342. The most detailed explanation is found in the Red Hat bugzilla. I have for now reopened it, but will re-check if I have a misunderstanding from back then.

Regards,
Salvatore
Thank you.

On Wed, 31 Jul 2024 at 07:41, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi Alexandre,

Looking at the code I think the issue is basically still there for the part of CVE-2013-0342, but it's likely that it won't get fixed further given the first issue already fixed in 2.0-2. This was then the reason we have made this <ignored> for any security supported suites back to stretch already. Maybe it is worth asking upstream if they plan to handle it as well still, but from Debian perspective I guess we can continue to keep it tracking as unfixed, but "ignore" it in older releases for the time being. It might be as well an option to mark it unimportant as "negligible security impact" in the security-tracker.

Again, I might be wrong, sometimes it is hard to get again into an unfixed issue after a few years ;-) (here almost 11 years later? :))

Let me know what you think about it.

Regards,
Salvatore