Security Advisory Low: freeradius2 security and bug fix update

Advisory: RHSA-2013:0134-1
Type: Security Advisory
Severity: Low
Issued on: 2013-01-08
Last updated on: 2013-01-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
CVEs (cve.mitre.org): CVE-2011-4966

Details

Updated freeradius2 packages that fix one security issue and multiple bugs
are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

FreeRADIUS is an open-source Remote Authentication Dial-In User Service
(RADIUS) server which allows RADIUS clients to perform authentication
against the RADIUS server. The RADIUS server may optionally perform
accounting of its operations using the RADIUS protocol.

It was found that the "unix" module ignored the password expiration
setting in "/etc/shadow". If FreeRADIUS was configured to use this module
for user authentication, this flaw could allow users with an expired
password to successfully authenticate, even though their access should have
been denied. (CVE-2011-4966)
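As an added example (not code from FreeRADIUS or from this advisory), the following Python audit applies the shadow(5) ageing rules that the "unix" module ignored, so an operator can list the accounts a pre-fix server would have wrongly accepted. The sample entries, their placeholder hashes and the day count used for "today" are constructed.

```python
"""Shadow(5) ageing audit modelling the check the fixed "unix" module must make.
Added example, not FreeRADIUS code; entries and hashes below are constructed."""
import time

DAY = 86400
FAKE = "$6$constructed$notarealhash"          # constructed placeholder hash

def _days(field):
    """Empty shadow fields mean 'unset'; otherwise they are day counts."""
    return int(field) if field.strip() else None

def parse_shadow_line(line):
    """Return (name, hash, lastchg, max, inactive, expire) from one shadow line."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow entry: %r" % line)
    return f[0], f[1], _days(f[2]), _days(f[4]), _days(f[6]), _days(f[7])

def account_status(line, today=None):
    """Classify an entry: ok, locked, account-expired, password-expired, must-change."""
    _name, pw_hash, lastchg, max_days, _inactive, expire = parse_shadow_line(line)
    if today is None:
        today = int(time.time() // DAY)      # days since the epoch, as in shadow(5)
    if pw_hash.startswith(("!", "*")):       # locked, or no password set
        return "locked"
    if expire is not None and expire > 0 and today >= expire:
        return "account-expired"             # absolute account expiry date passed
    if lastchg == 0:
        return "must-change"                 # admin forced a change at next login
    if lastchg and max_days is not None and max_days >= 0 and today > lastchg + max_days:
        # RADIUS cannot prompt for a new password, so no inactive grace: reject past max age
        return "password-expired"
    return "ok"

def audit(lines, today=None):
    """Map user name -> status for every non-empty line of a shadow file."""
    return {l.split(":", 1)[0]: account_status(l, today) for l in lines if l.strip()}

def wrongly_accepted(lines, today=None):
    """Users the pre-fix module would accept although their password or account expired."""
    return sorted(u for u, s in audit(lines, today).items()
                  if s in ("password-expired", "account-expired"))

# Constructed sample; today = 15713 is 2013-01-08 counted in days since the epoch.
SAMPLE_SHADOW = [
    "alice:%s:15600:0:99999:7:::" % FAKE,       # healthy, max age far away
    "bob:%s:15500:0:90:7:::" % FAKE,            # 15500 + 90 < 15713: password expired
    "carol:%s:15600:0:99999:7::15700:" % FAKE,  # account expiry day 15700 has passed
    "dave:!!:15600:0:99999:7:::",               # locked account
    "erin:%s:0:0:99999:7:::" % FAKE,            # lastchg 0: must change password
]
```

Running `audit(SAMPLE_SHADOW, today=15713)` on a real copy of /etc/shadow (root-readable only) gives the same classification for every account, and `wrongly_accepted` isolates the ones the advisory is about.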

This update also fixes the following bugs:

* After log rotation, the freeradius logrotate script failed to reload the
radiusd daemon and log messages were lost. This update has added a command
to the freeradius logrotate script to reload the radiusd daemon and the
radiusd daemon re-initializes and reopens its log files after log rotation
as expected. (BZ#787111)

* The radtest script failed with the "eap-md5" option because it passed an
IP family argument to the radeapclient utility it invokes, and radeapclient
did not recognize that argument. The radeapclient utility now accepts the IP
family argument and radtest works with eap-md5 as expected. (BZ#846476)

* Previously, freeradius was compiled without the "--with-udpfromto"
option. Consequently, on a multihomed server with the IP address explicitly
specified, freeradius sent its reply from the wrong source IP address.
With this update, freeradius has been built with the "--with-udpfromto"
configuration option and the RADIUS reply is always sourced from the IP
address to which the request was sent. (BZ#846471)

* Due to invalid syntax in the PostgreSQL admin schema file, the FreeRADIUS
PostgreSQL tables failed to be created. With this update, the syntax has
been adjusted and the tables are created as expected. (BZ#818885)

* FreeRADIUS has a thread pool that dynamically grows based on load. If
multiple threads using the "rlm_perl()" function are spawned in quick
succession, the FreeRADIUS server sometimes terminated unexpectedly with a
segmentation fault due to parallel calls to the "rlm_perl_clone()"
function. With this update, a mutex for the threads has been added and the
problem no longer occurs. (BZ#846475)

* The man page for "rlm_dbm_parser" was incorrectly installed as
"rlm_dbm_parse", omitting the trailing "r". The man page now correctly
appears as rlm_dbm_parser. (BZ#781877)

All users of freeradius2 are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. They are also
advised to check for RPM backup files ending in ".rpmnew" or ".rpmsave"
under the /etc/raddb/ directory after the update because the FreeRADIUS
server will attempt to load every file it finds in its configuration
directory. The extra files will often cause the wrong configuration values
to be applied resulting in either unpredictable behavior or the failure of
the server to initialize and run.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Users are also advised to check for RPM backup files ending in ".rpmnew" or
".rpmsave" under the /etc/raddb/ directory after the update because the
FreeRADIUS server will attempt to load every file it finds in its
configuration directory. The extra files will often cause the wrong
configuration values to be applied resulting in either unpredictable
behavior or the failure of the server to initialize and run.

Updated packages


Bugs fixed (see bugzilla for more information)

781877 - rlm_dbm_parser has man pages in rlm_dbm_parse.8.gz
787111 - freeradius logrotate script does not reload running daemon, causing log files not written after logrotate
818885 - possible errors in /etc/raddb/sql/postgresql/admin.sql template
846471 - freeradius not compiled with --with-udpfromto
846474 - shadow password expiration does not work in freeradius 2.1.10
846475 - Segfault with freeradius-perl threading
846476 - radtest script is not working with eap-md5 option
879045 - CVE-2011-4966 freeradius: does not respect expired passwords when using the unix module


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/