diff --git a/net/freeradius2/Makefile b/net/freeradius2/Makefile
index f1ac40d60d..89619cc837 100644
--- a/net/freeradius2/Makefile
+++ b/net/freeradius2/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2008-2014 OpenWrt.org
+# Copyright (C) 2008-2015 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=freeradius2
 PKG_VERSION:=2.2.5
-PKG_RELEASE:=2
+PKG_RELEASE:=2.1
 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=\
diff --git a/net/freeradius2/patches/012-CVE-2015-4680.patch b/net/freeradius2/patches/012-CVE-2015-4680.patch
new file mode 100644
index 0000000000..19e92fc2da
--- /dev/null
+++ b/net/freeradius2/patches/012-CVE-2015-4680.patch
@@ -0,0 +1,71 @@
+From 5e698b407dcac2bc45cf03484bac4398109d25c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Mon, 22 Jun 2015 15:27:32 -0400
+Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
+---
+ raddb/eap.conf | 6 +++++-
+ src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 10 ++++++++++
+ src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h | 1 +
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/raddb/eap.conf
++++ b/raddb/eap.conf
+@@ -232,9 +232,13 @@
+ # 1) Copy CA certificates and CRLs to same directory.
+ # 2) Execute 'c_rehash '.
+ # 'c_rehash' is OpenSSL's command.
+- # 3) uncomment the line below.
++ # 3) uncomment the lines below.
+ # 5) Restart radiusd
+ # check_crl = yes
++
++ # Check if intermediate CAs have been revoked.
++ # check_all_crl = yes
++
+ CA_path = ${cadir}
+
+ #
+--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
++++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+@@ -120,6 +120,8 @@ static CONF_PARSER module_config[] = {
+ offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
+ { "check_crl", PW_TYPE_BOOLEAN,
+ offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
++ { "check_all_crl", PW_TYPE_BOOLEAN,
++ offsetof(EAP_TLS_CONF, check_all_crl), NULL, "no"},
+ { "allow_expired_crl", PW_TYPE_BOOLEAN,
+ offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
+ { "check_cert_cn", PW_TYPE_STRING_PTR,
+@@ -947,6 +949,10 @@ static X509_STORE *init_revocation_store
+ if (conf->check_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+ #endif
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ if (conf->check_all_crl)
++ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
++#endif
+ return store;
+ }
+ #endif /* HAVE_OPENSSL_OCSP_H */
+@@ -1203,6 +1209,10 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CON
+ return NULL;
+ }
+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
++
++ if (conf->check_all_crl) {
++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
++ }
+ }
+ #endif
+
+--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
++++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
+@@ -57,6 +57,7 @@ typedef struct eap_tls_conf {
+ */
+ int fragment_size;
+ int check_crl;
++ int check_all_crl;
+ int allow_expired_crl;
+ char *check_cert_cn;
+ char *cipher_list;
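Review bot: The `check_all_crl` block added in `init_tls_ctx` (the `@@ -1203` hunk) is not wrapped in `#ifdef X509_V_FLAG_CRL_CHECK_ALL`, while the identical addition in `init_revocation_store` is; either both sites need the guard or neither does, and keeping it at both (`#ifdef X509_V_FLAG_CRL_CHECK_ALL` … `#endif` around the new `if`) avoids a build break on an OpenSSL that lacks the macro. Separately, the new flag is a no-op unless CRL checking is already on — in OpenSSL `X509_V_FLAG_CRL_CHECK_ALL` only widens an existing `X509_V_FLAG_CRL_CHECK` to the whole chain, and in the `init_tls_ctx` hunk the new lines sit inside a block whose opening `if` is outside the hunk and which appears to be the `check_crl` branch — so `check_all_crl = yes` without `check_crl = yes` silently checks nothing. I would say so next to the new eap.conf option: `#  Only has an effect together with check_crl = yes.` Note also that both options default to `"no"` in `module_config`, so this package update alone does not close CVE-2015-4680 for a deployment; revocation checking of intermediate CAs stays opt-in in eap.conf. Both `init_revocation_store` and `init_tls_ctx` begin and end outside their hunks.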