
Security Advisory freeradius security update

Advisory: RHSA-2005:524-05
Type: Security Advisory
Severity: Moderate
Issued on: 2005-06-23
Last updated on: 2005-06-23
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
CVEs (cve.mitre.org): CVE-2005-1454
CVE-2005-1455

Details

Updated freeradius packages that fix a buffer overflow and possible SQL
injection attacks in the sql module are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A buffer overflow bug was found in the way FreeRADIUS escapes data in an
SQL query. An attacker may be able to crash FreeRADIUS if they cause
FreeRADIUS to escape a string containing three or fewer characters. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-1454 to this issue.

Additionally, a bug was found in the way FreeRADIUS escapes SQL data. It is
possible that an authenticated user could execute arbitrary SQL queries by
sending a specially crafted request to FreeRADIUS. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1455 to this issue.
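
A bounded escaping routine of the kind both issues above concern, as an added example that is not FreeRADIUS code or the patch shipped in these packages: the `=XX` encoding, the allow-list and the name `sql_escape_bounded` are assumptions made for illustration. It checks that the whole expansion plus the terminator fits before writing anything, and it encodes every byte outside the allow-list, the escape character included.

```c
#include <stdio.h>
#include <string.h>

/* Bytes copied through unchanged; every other byte (quotes, '=', control
 * characters, ...) becomes "=XX". The allow-list is an assumption. */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._-";

/* Escape `in` into `out`, whose capacity is `outlen` bytes including the NUL.
 * Returns the escaped length, or (size_t)-1 if it does not fit. It fails
 * closed because a silently truncated value would still reach the query. */
size_t sql_escape_bounded(char *out, size_t outlen, const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = 0;

    if (out == NULL || in == NULL || outlen == 0)
        return (size_t)-1;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(SAFE_CHARS, c) != NULL ? 1 : 3;

        /* Reserve the full expansion plus the terminator up front;
         * checking for one free byte is not enough for a 3-byte write. */
        if (need + 1 > outlen - len) {
            out[0] = '\0';
            return (size_t)-1;
        }
        if (need == 1) {
            out[len++] = (char)c;
        } else {
            out[len++] = '=';
            out[len++] = hex[c >> 4];
            out[len++] = hex[c & 0x0F];
        }
    }
    out[len] = '\0';
    return len;
}

int main(void)
{
    char buf[16];                       /* constructed sample input below */
    if (sql_escape_bounded(buf, sizeof buf, "a'b=") != (size_t)-1)
        printf("%s\n", buf);
    return 0;
}
```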

Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
freeradius-1.0.1-1.1.RHEL3.src.rpm
File outdated by:  RHSA-2007:0338
    MD5: 1fd359fe09899c240dd58c6b1cba38b7
 
IA-32:
freeradius-1.0.1-1.1.RHEL3.i386.rpm
File outdated by:  RHSA-2007:0338
    MD5: 8fd519d93b3871849933b28f7e1bc2d9
 
IA-64:
freeradius-1.0.1-1.1.RHEL3.ia64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 5442a3527c92a8d07d08acd77dace190
 
PPC:
freeradius-1.0.1-1.1.RHEL3.ppc.rpm
File outdated by:  RHSA-2007:0338
    MD5: fd51f53af3f1e45fe6c0dad9a68fbad0
 
s390:
freeradius-1.0.1-1.1.RHEL3.s390.rpm
File outdated by:  RHSA-2007:0338
    MD5: 536f28bdca07bf52391d5cae2e8f073c
 
s390x:
freeradius-1.0.1-1.1.RHEL3.s390x.rpm
File outdated by:  RHSA-2007:0338
    MD5: 209ec09aa78f6e0e4ab8f26f4b356182
 
x86_64:
freeradius-1.0.1-1.1.RHEL3.x86_64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 4b1d9482db8d45cb79e6c522e72cb25a
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
freeradius-1.0.1-3.RHEL4.src.rpm
File outdated by:  RHBA-2010:0152
    MD5: 454ecaca99cdbbbd70d31b72aae7e682
 
IA-32:
freeradius-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: ff75a31027509f376c3706efaeb10305
freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: ff28f13e57713e277a74b789969bc583
freeradius-postgresql-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 3dc1a74e7dd8ce755e60887ac4fd73cc
freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: eab011f77b2bce24d42e5608abcea1ed
 
IA-64:
freeradius-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0eac053fe887cd2f8c805badd511b91e
freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: de0ccf2e0a508eba3062bfdd5b222835
freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0de26700a43c17adeec0498db847a5bc
freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: bcc8c5f0ea86f06cbb8f182e0b2e427f
 
PPC:
freeradius-1.0.1-3.RHEL4.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0bdd63fef27bd242ed17f48598e25194
freeradius-mysql-1.0.1-3.RHEL4.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: 68eadec552a9d1f1ec5bd15b90f91b3a
freeradius-postgresql-1.0.1-3.RHEL4.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: 8be58c952be576172e7f5c50908a3fde
freeradius-unixODBC-1.0.1-3.RHEL4.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: 76013d354aa7ad542685dc72d62edde5
 
s390:
freeradius-1.0.1-3.RHEL4.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: d42b57021c61dbfea75314cf7a947f8b
freeradius-mysql-1.0.1-3.RHEL4.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0a86a8b88be9aff82f04ea734b1e43eb
freeradius-postgresql-1.0.1-3.RHEL4.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: cdf1a574f93ade40e99e086f28c81b14
freeradius-unixODBC-1.0.1-3.RHEL4.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: 8441481b5543541d5aae8a3d7bd896cc
 
s390x:
freeradius-1.0.1-3.RHEL4.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: 67feac31092680e592c0c0ed7e31ee0c
freeradius-mysql-1.0.1-3.RHEL4.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: a369980828701e0694200269c6fd8777
freeradius-postgresql-1.0.1-3.RHEL4.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: 5d43a5e4ea7b32c74c9b5488172781f7
freeradius-unixODBC-1.0.1-3.RHEL4.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: 19d3425135a11bfe28fcf09438d298f6
 
x86_64:
freeradius-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 216dcc841b3ef864f866d0536d2e4769
freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 3a709b00d74cd9e89f1bf1d82f0874a4
freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: a41378ac35d1b3ab52b9f0217812aef2
freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 422c04328234167649bb811f882cb774
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
freeradius-1.0.1-1.1.RHEL3.src.rpm
File outdated by:  RHSA-2007:0338
    MD5: 1fd359fe09899c240dd58c6b1cba38b7
 
IA-32:
freeradius-1.0.1-1.1.RHEL3.i386.rpm
File outdated by:  RHSA-2007:0338
    MD5: 8fd519d93b3871849933b28f7e1bc2d9
 
IA-64:
freeradius-1.0.1-1.1.RHEL3.ia64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 5442a3527c92a8d07d08acd77dace190
 
x86_64:
freeradius-1.0.1-1.1.RHEL3.x86_64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 4b1d9482db8d45cb79e6c522e72cb25a
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
freeradius-1.0.1-3.RHEL4.src.rpm
File outdated by:  RHBA-2010:0152
    MD5: 454ecaca99cdbbbd70d31b72aae7e682
 
IA-32:
freeradius-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: ff75a31027509f376c3706efaeb10305
freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: ff28f13e57713e277a74b789969bc583
freeradius-postgresql-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 3dc1a74e7dd8ce755e60887ac4fd73cc
freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: eab011f77b2bce24d42e5608abcea1ed
 
IA-64:
freeradius-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0eac053fe887cd2f8c805badd511b91e
freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: de0ccf2e0a508eba3062bfdd5b222835
freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0de26700a43c17adeec0498db847a5bc
freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: bcc8c5f0ea86f06cbb8f182e0b2e427f
 
x86_64:
freeradius-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 216dcc841b3ef864f866d0536d2e4769
freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 3a709b00d74cd9e89f1bf1d82f0874a4
freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: a41378ac35d1b3ab52b9f0217812aef2
freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 422c04328234167649bb811f882cb774
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see Bugzilla for more information)

156941 - CAN-2005-1454 Multiple issues in freeradius (CAN-2005-1455)


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/