LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Red Hat alert RHSA-2004:609-01 (freeradius)



From:
    	      bugzilla@redhat.com


To:
    	      enterprise-watch-list@redhat.com


Subject:
    	      [RHSA-2004:609-01] Updated freeradius packages fix security flaws


Date:
    	      Fri, 12 Nov 2004 12:04 -0500



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated freeradius packages fix security flaws
Advisory ID:       RHSA-2004:609-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-609.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
- ---------------------------------------------------------------------

1. Summary:

Updated freeradius packages that fix a number of denial of service
vulnerabilities as well as minor bugs are now available for Red Hat
Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

3. Problem description:

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A number of flaws were found in FreeRADIUS versions prior to 1.0.1.  An
attacker who is able to send packets to the server could construct
carefully constructed packets in such a way as to cause the server to
consume memory or crash.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, and
CAN-2004-0961 to these issues.

Users of FreeRADIUS should update to these erratum packages that contain
FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects
a number of bugs.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

127168 - rebuilding freeradius picks up system libeap rather than package
libeap
127162 - zlib-devel is missing from BuildRequires in spec file
130606 - Missing buildrequires in freediag
130613 - radiusd.conf specifies other pam-auth than file installed in
/etc/pam.d
135825 - CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960,
CAN-2004-0961)

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/freer...
621656bce9be62e733c090dd0bc81059  freeradius-1.0.1-1.RHEL3.src.rpm

i386:
d455913a52551fff9996afe88d80f938  freeradius-1.0.1-1.RHEL3.i386.rpm

ia64:
f7ee2516c9be633615450308ed855ac3  freeradius-1.0.1-1.RHEL3.ia64.rpm

ppc:
5acba566ecb5a125c39348d7d7055115  freeradius-1.0.1-1.RHEL3.ppc.rpm

s390:
9f5b97aeb4e992d5dcba4af94e2b1cc0  freeradius-1.0.1-1.RHEL3.s390.rpm

s390x:
48c5fded9dee50eba358a0656f424ba4  freeradius-1.0.1-1.RHEL3.s390x.rpm

x86_64:
c21c18f9eb81bf3c875f0f9ee7b11e64  freeradius-1.0.1-1.RHEL3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/freer...
621656bce9be62e733c090dd0bc81059  freeradius-1.0.1-1.RHEL3.src.rpm

i386:
d455913a52551fff9996afe88d80f938  freeradius-1.0.1-1.RHEL3.i386.rpm

ia64:
f7ee2516c9be633615450308ed855ac3  freeradius-1.0.1-1.RHEL3.ia64.rpm

x86_64:
c21c18f9eb81bf3c875f0f9ee7b11e64  freeradius-1.0.1-1.RHEL3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0961

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBlO0LXlSAg2UNWIIRAvWJAJ98QJSH+nBu0iJgrMescjXmsOXkVQCdEHFC
o3z0NqmIzLOmdA3VVULKMdE=
=zp1s
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds