freeradius-3.0.13-8.el7

エラータID: AXSA:2017-1905:03

Release date: 
Monday, August 28, 2017 - 04:27
Subject: 
freeradius-3.0.13-8.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The FreeRADIUS Server Project is a high performance and highly configurable
GPL'd free RADIUS server. The server is similar in some respects to
Livingston's 2.0 server. While FreeRADIUS started as a variant of the
Cistron RADIUS server, they don't share a lot in common any more. It now has
many more features than Cistron or Livingston, and is much more configurable.

FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
protocol, as defined in RFC 2865 (and others). It allows Network Access
Servers (NAS boxes) to perform authentication for dial-up users. There are
also RADIUS clients available for Web servers, firewalls, Unix logins, and
more. Using RADIUS allows authentication and authorization for a network to
be centralized, and minimizes the amount of re-configuration which has to be
done when adding or deleting new users.

CVE-2017-1097
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-1098
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2017-10978
An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "Read / write overflow in make_secret()" and a denial of service.
CVE-2017-10983
An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "DHCP - Read overflow when decoding option 63" and a denial of service.
CVE-2017-10984
An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code.
CVE-2017-10985
An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows "Infinite loop and memory exhaustion with 'concat' attributes" and a denial of service.
CVE-2017-10986
An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.
CVE-2017-10987
An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Buffer over-read in fr_dhcp_decode_suboptions()" and a denial of service.
Additional Info: 

N/A

Download: 

SRPMS
  1. freeradius-3.0.13-8.el7.src.rpm
    MD5: 5a8530a4c62c00c0f6ae301de46a0215
    SHA-256: 35b5e90795aafe63197f8fa4cb3c0783d30598b378ded09b5e6acf928e631620
    Size: 3.01 MB

Asianux Server 7 for x86_64
  1. freeradius-3.0.13-8.el7.x86_64.rpm
    MD5: 3f46845aa734d23269afe224d08cb59f
    SHA-256: 19a75e1df35a53451c69054cc16687bcf15049786e22cb9ee40356b943a5c716
    Size: 1.06 MB