Date:      Sun, 16 Feb 2014 10:39:27 +0100
From:      Florian Weimer <fw@deneb.enyo.de>
To:        Alan DeKok <aland@freeradius.org>
Cc:        Pierre Carrier <pierre.carrier@airbnb.com>, secalert <secalert@redhat.com>, pkgsrc-security <pkgsrc-security@netbsd.org>, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters <bugbusters@freebsd.org>
Subject:   Re: freeradius denial of service in authentication flow
Message-ID:  <87y51bwg4w.fsf@mid.deneb.enyo.de>
In-Reply-To: <52FFD55C.5030408@freeradius.org> (Alan DeKok's message of "Sat,  15 Feb 2014 16:00:12 -0500")
References:  <CAM7LUF55w4g7=GqhfFyys0fhJNKQtX-Pp804YWRW57GxbO9WDw@mail.gmail.com> <52FC1916.4060501@freeradius.org> <87sirkm8uo.fsf@mid.deneb.enyo.de> <52FFD55C.5030408@freeradius.org>

* Alan DeKok:

> Florian Weimer wrote:
>> * Alan DeKok:
>> 
>>>   That's an issue, but a rare one IMHO.  The user has to exist on the
>>> system.  So this isn't a remote DoS.
>> 
>> Could you elaborate on this assessment?  Is this because typical data
>> sources for SSHA passwords limit the length of the salt and thus the
>> length of the SSHA hash?
>
>   Partly.  The typical use-case for a remote DoS is for an
> unauthenticated user to take down the system.  Here, the user has to be
> known, *and* be able to create a long SSHA password.
>
>   To me, this puts the issue into the category of "known users can do
> bad things", which is very different from "unknown users can do bad things".

Okay, fair enough.

As this is already public via

<http://lists.freebsd.org/pipermail/freebsd-bugbusters/2014-February/000610.html>

, I will request a CVE on oss-security.


