UbuntuUpdates.org

Package "freeradius"

Name: freeradius

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • iODBC module for FreeRADIUS server
  • kerberos module for FreeRADIUS server
  • LDAP module for FreeRADIUS server
  • Memcached module for FreeRADIUS server

Latest version: 3.0.16+dfsg-1ubuntu3.2
Release: bionic (18.04)
Level: updates
Repository: universe

Links



Other versions of "freeradius" in Bionic

Repository Area Version
base main 3.0.16+dfsg-1ubuntu3
base universe 3.0.16+dfsg-1ubuntu3
security main 3.0.16+dfsg-1ubuntu3.2
security universe 3.0.16+dfsg-1ubuntu3.2
updates main 3.0.16+dfsg-1ubuntu3.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.0.16+dfsg-1ubuntu3.2 2023-01-04 14:07:25 UTC

  freeradius (3.0.16+dfsg-1ubuntu3.2) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS when using concurrent EAP-pwd handshakes
    - debian/patches/CVE-2019-17185.patch: fix DoS due to multithreaded
      BN_CTX access
    - CVE-2019-17185
  * SECURITY UPDATE: null pointer dereference in eap-sim module
    - debian/patches/CVE-2022-41860.patch: add sanity checks in
      eapsimlib.c
    - CVE-2022-41860
  * SECURITY UDPATE: DoS using abinary attribute
    - debian/patches/CVE-2022-41861.patch: fix abinary attribute checks
    - CVE-2022-41861

 -- Nishit Majithia <email address hidden> Wed, 04 Jan 2023 08:48:42 +0530

Source diff to previous version
CVE-2019-17185 In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use
CVE-2022-41860 RESERVED
CVE-2022-41861 RESERVED

Version: 3.0.16+dfsg-1ubuntu3.1 2019-04-24 14:07:13 UTC

  freeradius (3.0.16+dfsg-1ubuntu3.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Bypass authentication
    - debian/patches/CVE-2019-11234-and-2019-11235-*.patch: fix
      by assuring the received scalar lies within the valid
      range, and by checking that the received element is not the
      point at infinity and lies on the elliptic curve being used
      in src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c.
    - CVE-2019-11234
    - CVE-2019-11235

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 17 Apr 2019 09:59:55 -0300

CVE-2019-11234 FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
CVE-2019-11235 FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is



About   -   Send Feedback to @ubuntu_updates