Linus Nordberg

**Name of the Vulnerable Software and Affected Versions** radsecproxy versions prior to 1.6.1 **Description** The issue concerns multiple vulnerabilities in the radsecproxy package of the Debian GNU/Linux operating system. These vulnerabilities can be exploited remotely, potentially leading to breaches of confidentiality and integrity of protected information. Specifically, radsecproxy before version 1.6.1 does not properly verify certificates when there are configuration blocks with CA settings unrelated to the block being used for verifying the certificate chain. This might allow remote attackers to bypass intended access restrictions and spoof clients. **Recommendations** For versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider reviewing and adjusting the configuration blocks with CA settings to ensure they are properly related to the block being used for verifying the certificate chain, thereby minimizing the risk of exploitation.