Date: Sat, 15 Feb 2014 21:14:39 +0100
From: Florian Weimer <fw@deneb.enyo.de>
To: Alan DeKok <aland@freeradius.org>
Cc: Pierre Carrier <pierre.carrier@airbnb.com>, secalert <secalert@redhat.com>, pkgsrc-security <pkgsrc-security@netbsd.org>, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters <bugbusters@freebsd.org>, product.security@airbnb.com
Subject: Re: freeradius denial of service in authentication flow
Message-ID: <87sirkm8uo.fsf@mid.deneb.enyo.de>
In-Reply-To: <52FC1916.4060501@freeradius.org> (Alan DeKok's message of "Wed, 12 Feb 2014 20:00:06 -0500")
References: <CAM7LUF55w4g7=GqhfFyys0fhJNKQtX-Pp804YWRW57GxbO9WDw@mail.gmail.com> <52FC1916.4060501@freeradius.org>

* Alan DeKok:

> That's an issue, but a rare one IMHO. The user has to exist on the
> system. So this isn't a remote DoS.

Could you elaborate on this assessment? Is this because typical data
sources for SSHA passwords limit the length of the salt and thus the
length of the SSHA hash?

Florian
(Debian security team)