Skip to navigation

Security Advisory freeradius security update

Advisory: RHSA-2006:0271-12
Type: Security Advisory
Severity: Important
Issued on: 2006-04-04
Last updated on: 2006-04-13
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
CVEs (cve.mitre.org): CVE-2005-4744
CVE-2006-1354

Details

Updated freeradius packages that fix an authentication weakness are now
available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2
protocol. It is possible for a remote attacker to authenticate as a victim
by sending a malformed MSCHAP V2 login request to the FreeRADIUS server.
(CVE-2006-1354)

Please note that FreeRADIUS installations not using the MSCHAP V2 protocol
for authentication are not vulnerable to this issue.

A bug was also found in the way FreeRADIUS logs SQL errors from the
sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS
to crash or execute arbitrary code if they are able to manipulate the SQL
database FreeRADIUS is connecting to. (CVE-2005-4744)

Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
freeradius-1.0.1-2.RHEL3.2.src.rpm
File outdated by:  RHSA-2007:0338
    MD5: bfc9e019ba3dd3ee67a4156ff37f467c
 
IA-32:
freeradius-1.0.1-2.RHEL3.2.i386.rpm
File outdated by:  RHSA-2007:0338
    MD5: b4969ec213ec03c6fc693a1d84f2029c
 
IA-64:
freeradius-1.0.1-2.RHEL3.2.ia64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 734b8d8314d7bcd9fa122053bf1d495d
 
PPC:
freeradius-1.0.1-2.RHEL3.2.ppc.rpm
File outdated by:  RHSA-2007:0338
    MD5: 21188abdd2a98f81d806a29a77fea928
 
s390:
freeradius-1.0.1-2.RHEL3.2.s390.rpm
File outdated by:  RHSA-2007:0338
    MD5: 8429b0806d6e2baadca6ac94312dad8b
 
s390x:
freeradius-1.0.1-2.RHEL3.2.s390x.rpm
File outdated by:  RHSA-2007:0338
    MD5: 0ac7a21d7bedba7d6b1cf63861a02e31
 
x86_64:
freeradius-1.0.1-2.RHEL3.2.x86_64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 7eaf8db1f720773cf28479dd6f57fdb0
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
freeradius-1.0.1-3.RHEL4.3.src.rpm
File outdated by:  RHBA-2010:0152
    MD5: c6917a0d98ac04e34db4294217a389fb
 
IA-32:
freeradius-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 1121b8e53033f5580889eaab5fbd822e
freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 6b1ed7b9c10178db478963f9b4b5986a
freeradius-postgresql-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 791f052034f7a13f2b07f384e83795f2
freeradius-unixODBC-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 046fb51db100364dbe3dc856e7dca02c
 
IA-64:
freeradius-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 15db5d25efd4ecf030615ccf2552b04d
freeradius-mysql-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 9fd7df598cffcfdc21012296d3e5eca9
freeradius-postgresql-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 6e813082c69c2c494daa435767e54dbd
freeradius-unixODBC-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 8d1bcdc20817ac37be901cd2c7fe7088
 
PPC:
freeradius-1.0.1-3.RHEL4.3.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: 0a3d9b8f2d09b1b13259ea99acff91b7
freeradius-mysql-1.0.1-3.RHEL4.3.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: e4a7578d745c69f656d8d840307c139f
freeradius-postgresql-1.0.1-3.RHEL4.3.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: e45ba7af692792d8bc52db7e0f6e0deb
freeradius-unixODBC-1.0.1-3.RHEL4.3.ppc.rpm
File outdated by:  RHBA-2010:0152
    MD5: 9d693f9e452fd06d73aed9a1d5740ddf
 
s390:
freeradius-1.0.1-3.RHEL4.3.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: cc607bb4dfb35128ed7bef2a74e40aa8
freeradius-mysql-1.0.1-3.RHEL4.3.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: 42b226f640a1a4224ef0c27bc7bf5527
freeradius-postgresql-1.0.1-3.RHEL4.3.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: ebefbb200863e9bfeb775c7b104934cb
freeradius-unixODBC-1.0.1-3.RHEL4.3.s390.rpm
File outdated by:  RHBA-2010:0152
    MD5: 4b43bb86ba1d6dc6953bb6dc3d67a147
 
s390x:
freeradius-1.0.1-3.RHEL4.3.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: 74d462262538062aad16e9d8cea6eb18
freeradius-mysql-1.0.1-3.RHEL4.3.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: a722d74a53facc3b431ec2ed55481b61
freeradius-postgresql-1.0.1-3.RHEL4.3.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: 53088f0fbfd0e9b9c1ccd7db0bcff0ad
freeradius-unixODBC-1.0.1-3.RHEL4.3.s390x.rpm
File outdated by:  RHBA-2010:0152
    MD5: 8b6856b542505d85320bf176beb623c9
 
x86_64:
freeradius-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: d04afcde9543c934bbb44b3a8cf1ad53
freeradius-mysql-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 9734492926441eddcd2740f1d19b537c
freeradius-postgresql-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: ab8051bbcb05c66af19e5a89a2349deb
freeradius-unixODBC-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 400250cfddddc9e095d581e2ae87b789
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
freeradius-1.0.1-2.RHEL3.2.src.rpm
File outdated by:  RHSA-2007:0338
    MD5: bfc9e019ba3dd3ee67a4156ff37f467c
 
IA-32:
freeradius-1.0.1-2.RHEL3.2.i386.rpm
File outdated by:  RHSA-2007:0338
    MD5: b4969ec213ec03c6fc693a1d84f2029c
 
IA-64:
freeradius-1.0.1-2.RHEL3.2.ia64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 734b8d8314d7bcd9fa122053bf1d495d
 
x86_64:
freeradius-1.0.1-2.RHEL3.2.x86_64.rpm
File outdated by:  RHSA-2007:0338
    MD5: 7eaf8db1f720773cf28479dd6f57fdb0
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
freeradius-1.0.1-3.RHEL4.3.src.rpm
File outdated by:  RHBA-2010:0152
    MD5: c6917a0d98ac04e34db4294217a389fb
 
IA-32:
freeradius-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 1121b8e53033f5580889eaab5fbd822e
freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 6b1ed7b9c10178db478963f9b4b5986a
freeradius-postgresql-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 791f052034f7a13f2b07f384e83795f2
freeradius-unixODBC-1.0.1-3.RHEL4.3.i386.rpm
File outdated by:  RHBA-2010:0152
    MD5: 046fb51db100364dbe3dc856e7dca02c
 
IA-64:
freeradius-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 15db5d25efd4ecf030615ccf2552b04d
freeradius-mysql-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 9fd7df598cffcfdc21012296d3e5eca9
freeradius-postgresql-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 6e813082c69c2c494daa435767e54dbd
freeradius-unixODBC-1.0.1-3.RHEL4.3.ia64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 8d1bcdc20817ac37be901cd2c7fe7088
 
x86_64:
freeradius-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: d04afcde9543c934bbb44b3a8cf1ad53
freeradius-mysql-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 9734492926441eddcd2740f1d19b537c
freeradius-postgresql-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: ab8051bbcb05c66af19e5a89a2349deb
freeradius-unixODBC-1.0.1-3.RHEL4.3.x86_64.rpm
File outdated by:  RHBA-2010:0152
    MD5: 400250cfddddc9e095d581e2ae87b789
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

167676 - CVE-2005-4744 Multiple freeradius security issues
186083 - CVE-2006-1354 FreeRADIUS authentication bypass


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/