On Sat, 21 Feb 1998, Phillip R. Jaenke wrote:

> So far, tested servers are:
> Livingston 1.16 to 2.01
> RadiusNT v2.x
> Merit
>
> So far, the only one NOT vulnerable is Merit. Cistron is untested, so I've
> got no idea whether or not it is. Best way to test is to telnet to a
> terminal server, and login with a valid username, with 40 or more spaces
> after it.

This problem should be non-fatal as long as you are NOT using the "-s" option. The process that was forked off to handle the offending name will die, causing that one login attempt to fail, but radiusd should continue to run. At least, that's what happens with ESVAnet radiusd.

Note: When tested with the Livingston Portmaster 2, you cannot simply telnet to the NAS to test this. It is necessary to dial in.

I'll take a look at the code Monday morning, but this doesn't look to me like anything to worry about. At least, not as long as you don't use single-threaded mode.
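The two points in the reply above, as an added example that is not code from this thread or from any of the RADIUS servers it names: a bounds-checked copy of the RADIUS User-Name attribute (RFC 2865 encodes it as type 1, a one-byte length, then the value), and a fork-per-request handler in which a child that rejects or dies on a bad name costs only that one login attempt while the parent keeps serving. The `USERNAME_MAX` limit, the helper names and the sample inputs are assumptions constructed for the example; the thread itself does not say why the long name crashes the child.

```c
/* Added example: bounds-checked User-Name parsing plus fork-isolated request
 * handling. Not the code of Livingston, RadiusNT, Merit, Cistron or ESVAnet
 * radiusd; USERNAME_MAX and the helper names are assumptions for the example. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define ATTR_USER_NAME 1
#define USERNAME_MAX   32   /* assumed server-side limit; not stated in the thread */

/* Copy the User-Name value into out[] with bounds checking.
 * Returns 0 on success, -1 for a malformed attribute or a name that does not
 * fit; an over-long name is rejected rather than silently truncated. */
int parse_user_name(const unsigned char *attr, size_t avail, char *out, size_t outlen)
{
    if (avail < 2) return -1;                    /* need type and length bytes */
    unsigned type = attr[0], len = attr[1];
    if (type != ATTR_USER_NAME || len < 3 || len > avail) return -1;
    size_t vlen = len - 2;                       /* value length */
    if (vlen >= outlen) return -1;               /* would not fit with the NUL */
    memcpy(out, attr + 2, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Build a User-Name attribute from a name plus `pad` trailing spaces
 * (constructed test input). Returns the attribute length, or 0 if the
 * attribute cannot be encoded in a one-byte length field or the buffer. */
size_t build_user_name(const char *name, size_t pad, unsigned char *buf, size_t buflen)
{
    size_t nlen = strlen(name);
    size_t total = nlen + pad + 2;
    if (total > 255 || total > buflen) return 0;
    buf[0] = ATTR_USER_NAME;
    buf[1] = (unsigned char)total;
    memcpy(buf + 2, name, nlen);
    memset(buf + 2 + nlen, ' ', pad);
    return total;
}

/* Handle one request in a forked child. Returns 1 when the child accepted the
 * name, 0 when it rejected it or died; in either failure case the parent,
 * i.e. the daemon, survives and goes on to the next request. */
int handle_in_child(const unsigned char *attr, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        char name[USERNAME_MAX];
        _exit(parse_user_name(attr, len, name, sizeof name) == 0 ? 0 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return 0;
    if (WIFSIGNALED(status)) return 0;           /* child crashed: one failed login, not a dead daemon */
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Constructed input: a plain valid name. */
int demo_plain_name(void)
{
    unsigned char buf[256];
    size_t n = build_user_name("alice", 0, buf, sizeof buf);
    return n ? handle_in_child(buf, n) : -1;
}

/* Constructed input: the same name followed by 40 spaces, as in the thread. */
int demo_padded_name(void)
{
    unsigned char buf[256];
    size_t n = build_user_name("alice", 40, buf, sizeof buf);
    return n ? handle_in_child(buf, n) : -1;
}

/* A length byte claiming more bytes than the packet carries is rejected. */
int demo_truncated_attr(void)
{
    unsigned char attr[] = { ATTR_USER_NAME, 12, 'a', 'l' };
    char name[USERNAME_MAX];
    return parse_user_name(attr, sizeof attr, name, sizeof name);
}

int main(void)
{
    printf("plain name accepted:   %d\n", demo_plain_name());
    printf("padded name accepted:  %d\n", demo_padded_name());
    printf("truncated attr result: %d\n", demo_truncated_attr());
    return 0;
}
```

Rejecting rather than trimming the padded name is the conservative choice: trimming would make "alice" and "alice" plus spaces authenticate as the same account, which the thread gives no reason to want. The child's exit status, or the signal that killed it, is what the parent logs; a run of signalled children on User-Name requests is the detection signal for the behaviour the thread describes.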
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:09 PDT