freeradius-3.0.21-37.el9

エラータID: AXSA:2023-5499:02

Release date: 
Wednesday, May 24, 2023 - 03:00
Subject: 
freeradius-3.0.21-37.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.

Security Fix(es):

* freeradius: Information leakage in EAP-PWD (CVE-2022-41859)
* freeradius: Crash on unknown option in EAP-SIM (CVE-2022-41860)
* freeradius: Crash on invalid abinary data (CVE-2022-41861)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.2 Release Notes linked from the References section.

CVE-2022-41859
In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
CVE-2022-41860
In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
CVE-2022-41861
A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.

Solution: 

Update packages.

CVEs: 
CVE-2022-41859
In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
CVE-2022-41860
In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
CVE-2022-41861
A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.
Additional Info: 

N/A

Download: 

SRPMS
  1. freeradius-3.0.21-37.el9.src.rpm
    MD5: 0cfe345be0f57c2716d97d05780ecc8a
    SHA-256: 08367fce9e26e32ddfdb060f871ba5a2bf4c97668518d5ddfa11dd13eb2afa47
    Size: 3.18 MB

Asianux Server 9 for x86_64
  1. freeradius-3.0.21-37.el9.x86_64.rpm
    MD5: 8e9bd9c26f3a224c6395c6fa455ba994
    SHA-256: 6abd18aa17b07f8716c09adf06ea42e3ae21c0d41888695742b53c797f274c87
    Size: 1.05 MB
  2. freeradius-devel-3.0.21-37.el9.x86_64.rpm
    MD5: 307a298893ba96224fc408bc021952a8
    SHA-256: 389e535b65d25186878919b64df35427a89eaecb4f4f7edc708613d7919f3a08
    Size: 69.44 kB
  3. freeradius-doc-3.0.21-37.el9.x86_64.rpm
    MD5: 1399883a01b7c41652becd89eff88983
    SHA-256: eb3fb9f1c6aeed0da4680c017f4b7460d3e992c50a59f216eba9020639a67490
    Size: 781.36 kB
  4. freeradius-krb5-3.0.21-37.el9.x86_64.rpm
    MD5: c8701fc4d5a013349939cba451cc3964
    SHA-256: ac8c137aace0a7db5f906765f4f70903848aba3593617e73ddab05a0aeea1fcd
    Size: 19.36 kB
  5. freeradius-ldap-3.0.21-37.el9.x86_64.rpm
    MD5: 0aff5ab42578df52ef97d150d72b0745
    SHA-256: 0ab5af3272aa35122c588a322a1a29aab067db22746a21a96121eaef84e97ba0
    Size: 51.47 kB
  6. freeradius-mysql-3.0.21-37.el9.x86_64.rpm
    MD5: 3ca15e4d7e085cd66a7f54709461a4ee
    SHA-256: f0941b4abeecd0c5c719cd997b7d8124ce8278642345f44397d8c04a78d5b790
    Size: 34.48 kB
  7. freeradius-perl-3.0.21-37.el9.x86_64.rpm
    MD5: 2ca6ba804e006108f2d93473ec104c73
    SHA-256: c7257c016da2176348eb92f65608dbb955cbb45428245d2bfab79b90e2081934
    Size: 28.76 kB
  8. freeradius-postgresql-3.0.21-37.el9.x86_64.rpm
    MD5: 2ad5e8cae4d89af380d2dbb77c2038d5
    SHA-256: 36f4ad8c55250dfadc27151c7684037aa735590275ef6999ff08949e9621ad23
    Size: 41.46 kB
  9. freeradius-rest-3.0.21-37.el9.x86_64.rpm
    MD5: 912e5a9ab085ec704abeab137c94d51a
    SHA-256: 0e5d6c4b5419d4ee5cfa41431d876e2e74d3ba70387341962e282f896bed4e56
    Size: 35.15 kB
  10. freeradius-sqlite-3.0.21-37.el9.x86_64.rpm
    MD5: 88e093d7f2efa0a50a12b49b931f87cf
    SHA-256: 71d2fd9c3ea732991cbb566cec7cc76905e15a6dd2e9e4ab40946bae69765be1
    Size: 31.90 kB
  11. freeradius-unixODBC-3.0.21-37.el9.x86_64.rpm
    MD5: 1ab630b76d29dcda8f9317ef807b221f
    SHA-256: bf9a6aa258c752bbb7f112ae4a6f6cd5eceae0b31e7683a22e0fb95f8ed3f9ce
    Size: 17.21 kB
  12. freeradius-utils-3.0.21-37.el9.x86_64.rpm
    MD5: f3cc77d4a9cab4c1d058dfe204e50533
    SHA-256: 984d6aa656705afb40bcb422c06b013c4a35bb7eed721c1ca5a3b2ecc1ee761b
    Size: 181.46 kB
  13. python3-freeradius-3.0.21-37.el9.x86_64.rpm
    MD5: 71e177166598276e45e2814aea00387a
    SHA-256: 2384160b46075b03241bf10c4e32d6e3770e82ee9dba5c908ed5f77075eae3d7
    Size: 26.45 kB