---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated freeradius packages fix security flaws
Advisory ID:       RHSA-2004:609-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2004:609.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
---------------------------------------------------------------------

1. Summary:

Updated freeradius packages that fix a number of denial of service
vulnerabilities as well as minor bugs are now available for Red Hat
Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

3. Problem description:

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A number of flaws were found in FreeRADIUS versions prior to 1.0.1.  An
attacker who is able to send packets to the server could construct
carefully constructed packets in such a way as to cause the server to
consume memory or crash.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, and
CAN-2004-0961 to these issues.

Users of FreeRADIUS should update to these erratum packages that contain
FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects
a number of bugs.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

     http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed  (http://bugzilla.redhat.com/ for more info):

127168 - rebuilding freeradius picks up system libeap rather than package libeap
127162 - zlib-devel is missing from BuildRequires in spec file
130606 - Missing buildrequires in freediag
130613 - radiusd.conf specifies other pam-auth than file installed in /etc/pam.d
135825 - CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961)

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS: 

621656bce9be62e733c090dd0bc81059  freeradius-1.0.1-1.RHEL3.src.rpm

i386:
d455913a52551fff9996afe88d80f938  freeradius-1.0.1-1.RHEL3.i386.rpm

ia64:
f7ee2516c9be633615450308ed855ac3  freeradius-1.0.1-1.RHEL3.ia64.rpm

ppc:
5acba566ecb5a125c39348d7d7055115  freeradius-1.0.1-1.RHEL3.ppc.rpm

s390:
9f5b97aeb4e992d5dcba4af94e2b1cc0  freeradius-1.0.1-1.RHEL3.s390.rpm

s390x:
48c5fded9dee50eba358a0656f424ba4  freeradius-1.0.1-1.RHEL3.s390x.rpm

x86_64:
c21c18f9eb81bf3c875f0f9ee7b11e64  freeradius-1.0.1-1.RHEL3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: 

621656bce9be62e733c090dd0bc81059  freeradius-1.0.1-1.RHEL3.src.rpm

i386:
d455913a52551fff9996afe88d80f938  freeradius-1.0.1-1.RHEL3.i386.rpm

ia64:
f7ee2516c9be633615450308ed855ac3  freeradius-1.0.1-1.RHEL3.ia64.rpm

x86_64:
c21c18f9eb81bf3c875f0f9ee7b11e64  freeradius-1.0.1-1.RHEL3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
 

7. References:
 
CVE -CVE-2004-0938 
CVE -CVE-2004-0960 
CVE -CVE-2004-0961

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at  

Copyright 2004 Red Hat, Inc.

Red Hat: freeradius security flaws fix

Updated freeradius packages that fix a number of denial of service vulnerabilities as well as minor bugs are now available for Red Hat Enterprise Linux 3.

Summary



Summary

FreeRADIUS is a high-performance and highly configurable free RADIUS serverdesigned to allow centralized authentication and authorization for a network.A number of flaws were found in FreeRADIUS versions prior to 1.0.1. Anattacker who is able to send packets to the server could constructcarefully constructed packets in such a way as to cause the server toconsume memory or crash. The Common Vulnerabilities and Exposures project(cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, andCAN-2004-0961 to these issues.Users of FreeRADIUS should update to these erratum packages that containFreeRADIUS 1.0.1, which is not vulnerable to these issues and also correctsa number of bugs.


Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):
127168 - rebuilding freeradius picks up system libeap rather than package libeap 127162 - zlib-devel is missing from BuildRequires in spec file 130606 - Missing buildrequires in freediag 130613 - radiusd.conf specifies other pam-auth than file installed in /etc/pam.d 135825 - CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961)
6. RPMs required:
Red Hat Enterprise Linux AS version 3:
SRPMS:
621656bce9be62e733c090dd0bc81059 freeradius-1.0.1-1.RHEL3.src.rpm
i386: d455913a52551fff9996afe88d80f938 freeradius-1.0.1-1.RHEL3.i386.rpm
ia64: f7ee2516c9be633615450308ed855ac3 freeradius-1.0.1-1.RHEL3.ia64.rpm
ppc: 5acba566ecb5a125c39348d7d7055115 freeradius-1.0.1-1.RHEL3.ppc.rpm
s390: 9f5b97aeb4e992d5dcba4af94e2b1cc0 freeradius-1.0.1-1.RHEL3.s390.rpm
s390x: 48c5fded9dee50eba358a0656f424ba4 freeradius-1.0.1-1.RHEL3.s390x.rpm
x86_64: c21c18f9eb81bf3c875f0f9ee7b11e64 freeradius-1.0.1-1.RHEL3.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
621656bce9be62e733c090dd0bc81059 freeradius-1.0.1-1.RHEL3.src.rpm
i386: d455913a52551fff9996afe88d80f938 freeradius-1.0.1-1.RHEL3.i386.rpm
ia64: f7ee2516c9be633615450308ed855ac3 freeradius-1.0.1-1.RHEL3.ia64.rpm
x86_64: c21c18f9eb81bf3c875f0f9ee7b11e64 freeradius-1.0.1-1.RHEL3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from

References

CVE -CVE-2004-0938 CVE -CVE-2004-0960 CVE -CVE-2004-0961

Package List


Severity
Advisory ID: RHSA-2004:609-01
Advisory URL: https://access.redhat.com/errata/RHSA-2004:609.html
Issued Date: : 2004-11-12
Updated on: 2004-11-12
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0938 CAN-2004-0960 CAN-2004-0961

Topic

Updated freeradius packages that fix a number of denial of servicevulnerabilities as well as minor bugs are now available for Red HatEnterprise Linux 3.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64


Bugs Fixed


Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved