Versions Affected : All versions prior to TrueNAS 12.0-U5

---

Description

The patch for FreeBSD-SA-21:12.libradius modified rad_get_attr(3) to verify that an attribute length smaller than the minimum required for the attribute type and length fields is disallowed.

This check may fail incorrectly for the final attribute in a RADIUS message. The bug may cause request validation to fail when it should succeed. This can result in errors in applications making using of libradius(3).

---

Workaround

No workaround is available. Systems not making use of libradius(3) are unaffected.

---

Mitigation

• Upgrade to TrueNAS 12.0-U5 or later.

---

Commit

• FreeBSD Revision : r369921
• TrueNAS Commit : 6a97246
• TrueNAS Commit : 08f09f7
• JIRA Ticket : NAS-111053

---

Further information

• FreeBSD Errata Notice Entry