Bug Fix Advisory: freeradius bug fix update

Advisory: RHBA-2008:0845-6
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2009-01-20
Last updated on: 2009-01-20
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
OVAL: N/A

Details

Updated freeradius packages that fix various bugs are now available.

FreeRADIUS is a high-performance and highly-configurable free Remote
Authentication Dial In User Service (RADIUS) server, designed to allow
centralized authentication and authorization for a network.

These updated packages fix the following bugs:

* previously, FreeRADIUS sent empty fragments in EAP-TLS transactions.
Although most clients accepted the empty fragments, in certain situations,
Windows Vista® clients did not. This may have caused authentication to
fail. The SSL configuration parameters that FreeRADIUS uses have been
updated to no longer send empty fragments, allowing EAP-TLS with Windows
Vista clients.

* setting the "tls_require_cert" parameter in the radius.conf configuration
file to any valid value resulted in the following error message in the
/var/log/radius/radius.log file: "Error: rlm_ldap: could not set
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow". In these updated packages,
setting the "tls_require_cert" parameter in radius.conf works as expected,
and does not provoke an error, thus resolving this issue.

* the freeradius RPM spec files had "%{dist}" on the "Release" line,
instead of "%{?dist}".

* FreeRADIUS has SNMP functionality that permits RADIUS authentication and
authorization statistics to be queried and set via SNMP; however, on 64-bit
systems, a persistent connection between FreeRADIUS and the SNMP daemon
(snmpd) could not be established, nor could the SNMP variables in the SNMP
MIB be accessed due to coding errors in the FreeRADIUS SNMP support.
Commands such as "snmpwalk" may have caused snmpd to hang. These updated
packages correct these errors, and permit the FreeRADIUS daemon (radiusd)
to establish a connection -- using the SMUX protocol -- with snmpd, and
permit access to the FreeRADIUS MIB variables via tools such as "snmpwalk"
and "snmpget".

Users of freeradius are advised to upgrade to these updated packages, which
resolve these issues.
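
To check whether a host still shows the rlm_ldap problem described above, the log can be searched for the quoted error text. The script below is an added example, not code from Red Hat or the FreeRADIUS project; the function names are hypothetical and the timestamp layout of the sample log lines is constructed, with only the message text and the default log path taken from this advisory.

```sh
#!/bin/sh
# Added example: search a FreeRADIUS log for the rlm_ldap error quoted in
# this advisory and report which tls_require_cert values were rejected.

# Constructed sample log. The timestamp/severity layout is an assumption;
# only the rlm_ldap message text comes from the advisory.
sample_radius_log() {
    cat <<'EOF'
Tue Jan 20 10:15:01 2009 : Info: Ready to process requests.
Tue Jan 20 10:15:02 2009 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Jan 20 10:16:40 2009 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
Tue Jan 20 10:17:05 2009 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
EOF
}

# Prints "<value> <count>" per rejected value, sorted.
# Exit status: 0 = signature found, 1 = log is clean, 2 = log unreadable.
scan_ldap_tls_errors() (
    log="${1:-/var/log/radius/radius.log}"   # default path from the advisory
    [ -r "$log" ] || { echo "cannot read $log" >&2; exit 2; }
    out=$(awk '
        # The last word of the matched message is the value that the
        # module failed to apply.
        match($0, /rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to [^ ]+/) {
            n = split(substr($0, RSTART, RLENGTH), w, " ")
            seen[w[n]]++
        }
        END { for (v in seen) printf "%s %d\n", v, seen[v] }
    ' "$log" | sort)
    [ -n "$out" ] || exit 1
    printf '%s\n' "$out"
)

# Demo on the constructed sample; on a real host call the function with no
# argument to read the default log path.
demo=$(mktemp) && sample_radius_log > "$demo" && scan_ldap_tls_errors "$demo"
rm -f "$demo"
```

A non-empty result means the module reported that it could not apply the configured certificate-check value, so that host has not yet picked up the fix.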


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
freeradius-1.1.3-1.4.el5.src.rpm     3f8a2592df3353ab2e0221d85812aaf6
 
IA-32:
freeradius-1.1.3-1.4.el5.i386.rpm     5559d6a6a9d48bb40b8be434a0933805
freeradius-mysql-1.1.3-1.4.el5.i386.rpm     c03948b013b00b58fbae460c80da01d9
freeradius-postgresql-1.1.3-1.4.el5.i386.rpm     08ae6d0c93ad409384a6f336f378c2db
freeradius-unixODBC-1.1.3-1.4.el5.i386.rpm     be7dc73cea80a40dcc47131e09a5b322
 
x86_64:
freeradius-1.1.3-1.4.el5.x86_64.rpm     58a0127333b104502a56b83cbb76424e
freeradius-mysql-1.1.3-1.4.el5.x86_64.rpm     cf5789170f2d8cb7826f55b1038ae2e5
freeradius-postgresql-1.1.3-1.4.el5.x86_64.rpm     c929fbe3f57e2f9683e2c2182b4b3fe8
freeradius-unixODBC-1.1.3-1.4.el5.x86_64.rpm     bb713a85ee31e449d8b6d7e62c884283
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
freeradius-1.1.3-1.4.el5.src.rpm     3f8a2592df3353ab2e0221d85812aaf6
 
IA-32:
freeradius-1.1.3-1.4.el5.i386.rpm     5559d6a6a9d48bb40b8be434a0933805
freeradius-mysql-1.1.3-1.4.el5.i386.rpm     c03948b013b00b58fbae460c80da01d9
freeradius-postgresql-1.1.3-1.4.el5.i386.rpm     08ae6d0c93ad409384a6f336f378c2db
freeradius-unixODBC-1.1.3-1.4.el5.i386.rpm     be7dc73cea80a40dcc47131e09a5b322
 
IA-64:
freeradius-1.1.3-1.4.el5.ia64.rpm     39d0d88cbc387ae14b377a404366c562
freeradius-mysql-1.1.3-1.4.el5.ia64.rpm     20cca362e4d227bb0f22ac37c160becc
freeradius-postgresql-1.1.3-1.4.el5.ia64.rpm     54fd665ce4afa715e20c8ee028c269d4
freeradius-unixODBC-1.1.3-1.4.el5.ia64.rpm     855ba95a96713df009c1b6f00e8c247b
 
PPC:
freeradius-1.1.3-1.4.el5.ppc.rpm     b7cbfd2e0147a703c391183705079f70
freeradius-mysql-1.1.3-1.4.el5.ppc.rpm     284e3a3b5dcdda67374584bc209bf6a0
freeradius-postgresql-1.1.3-1.4.el5.ppc.rpm     5dd3a4bb84428db09813e8521148eabe
freeradius-unixODBC-1.1.3-1.4.el5.ppc.rpm     ef98d8a2ce3df4c12a0931d42192bb59
 
s390x:
freeradius-1.1.3-1.4.el5.s390x.rpm     b08b9e16e78d83188badb29017bc16c0
freeradius-mysql-1.1.3-1.4.el5.s390x.rpm     2d6cf6a64f40c3acdd71bad79e0cb57c
freeradius-postgresql-1.1.3-1.4.el5.s390x.rpm     5dc22f676e4229053e7705b7f30c0a82
freeradius-unixODBC-1.1.3-1.4.el5.s390x.rpm     ca55dc8c039206f2377ca2c71bcaf410
 
x86_64:
freeradius-1.1.3-1.4.el5.x86_64.rpm     58a0127333b104502a56b83cbb76424e
freeradius-mysql-1.1.3-1.4.el5.x86_64.rpm     cf5789170f2d8cb7826f55b1038ae2e5
freeradius-postgresql-1.1.3-1.4.el5.x86_64.rpm     c929fbe3f57e2f9683e2c2182b4b3fe8
freeradius-unixODBC-1.1.3-1.4.el5.x86_64.rpm     bb713a85ee31e449d8b6d7e62c884283
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

249308 - freeradius (prior to 1.1.4) won't work with vista clients
287381 - rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
440626 - there should be %{?dist} instead of %{dist} in the *.spec on the Release: line



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/