LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: September 15th, 2014
Linux Security Week: September 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
RedHat: Important: freeradius security update Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
RedHat Linux Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: freeradius security update
Advisory ID:       RHSA-2006:0271-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2006-0271.html
Issue date:        2006-04-04
Updated on:        2006-04-04
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-1354 CVE-2005-4744 
- ---------------------------------------------------------------------

1. Summary:

Updated freeradius packages that fix an authentication weakness are now
available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

3. Problem description:

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network. 

A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2
protocol. It is possible for a remote attacker to authenticate as a victim
by sending a malformed MSCHAP V2 login request to the FreeRADIUS server.
(CVE-2006-1354)

Please note that FreeRADIUS installations not using the MSCHAP V2 protocol
for authentication are not vulnerable to this issue.

A bug was also found in the way FreeRADIUS logs SQL errors from the
sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS
to crash or execute arbitrary code if they are able to manipulate the SQL
database FreeRADIUS is connecting to. (CVE-2006-4744)

Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

167676 - CVE-2005-4744 Multiple freeradius security issues
186083 - CVE-2006-1354 FreeRADIUS authentication bypass

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/freeradius-1.0.1-2.RHEL3.2.src.rpm
bfc9e019ba3dd3ee67a4156ff37f467c  freeradius-1.0.1-2.RHEL3.2.src.rpm

i386:
b4969ec213ec03c6fc693a1d84f2029c  freeradius-1.0.1-2.RHEL3.2.i386.rpm
a3b76846db699edcd0a00ce5723e3bfd  freeradius-debuginfo-1.0.1-2.RHEL3.2.i386.rpm

ia64:
734b8d8314d7bcd9fa122053bf1d495d  freeradius-1.0.1-2.RHEL3.2.ia64.rpm
072278ec4c02c3994d318f24908d5694  freeradius-debuginfo-1.0.1-2.RHEL3.2.ia64.rpm

ppc:
21188abdd2a98f81d806a29a77fea928  freeradius-1.0.1-2.RHEL3.2.ppc.rpm
ca378b1cacd1fb47ceaff217a3625dad  freeradius-debuginfo-1.0.1-2.RHEL3.2.ppc.rpm

s390:
8429b0806d6e2baadca6ac94312dad8b  freeradius-1.0.1-2.RHEL3.2.s390.rpm
fed9502492f13e76f59d6c14d53fa315  freeradius-debuginfo-1.0.1-2.RHEL3.2.s390.rpm

s390x:
0ac7a21d7bedba7d6b1cf63861a02e31  freeradius-1.0.1-2.RHEL3.2.s390x.rpm
28565d24dd125bc6accd5be4e3f37085  freeradius-debuginfo-1.0.1-2.RHEL3.2.s390x.rpm

x86_64:
7eaf8db1f720773cf28479dd6f57fdb0  freeradius-1.0.1-2.RHEL3.2.x86_64.rpm
c5159f20497806db6ec077c101487991  freeradius-debuginfo-1.0.1-2.RHEL3.2.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/freeradius-1.0.1-2.RHEL3.2.src.rpm
bfc9e019ba3dd3ee67a4156ff37f467c  freeradius-1.0.1-2.RHEL3.2.src.rpm

i386:
b4969ec213ec03c6fc693a1d84f2029c  freeradius-1.0.1-2.RHEL3.2.i386.rpm
a3b76846db699edcd0a00ce5723e3bfd  freeradius-debuginfo-1.0.1-2.RHEL3.2.i386.rpm

ia64:
734b8d8314d7bcd9fa122053bf1d495d  freeradius-1.0.1-2.RHEL3.2.ia64.rpm
072278ec4c02c3994d318f24908d5694  freeradius-debuginfo-1.0.1-2.RHEL3.2.ia64.rpm

x86_64:
7eaf8db1f720773cf28479dd6f57fdb0  freeradius-1.0.1-2.RHEL3.2.x86_64.rpm
c5159f20497806db6ec077c101487991  freeradius-debuginfo-1.0.1-2.RHEL3.2.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/freeradius-1.0.1-3.RHEL4.3.src.rpm
c6917a0d98ac04e34db4294217a389fb  freeradius-1.0.1-3.RHEL4.3.src.rpm

i386:
1121b8e53033f5580889eaab5fbd822e  freeradius-1.0.1-3.RHEL4.3.i386.rpm
f81fc257899d8ed95396af67215ffbe3  freeradius-debuginfo-1.0.1-3.RHEL4.3.i386.rpm
6b1ed7b9c10178db478963f9b4b5986a  freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm
791f052034f7a13f2b07f384e83795f2  freeradius-postgresql-1.0.1-3.RHEL4.3.i386.rpm
046fb51db100364dbe3dc856e7dca02c  freeradius-unixODBC-1.0.1-3.RHEL4.3.i386.rpm

ia64:
15db5d25efd4ecf030615ccf2552b04d  freeradius-1.0.1-3.RHEL4.3.ia64.rpm
b207735018793465ac84da5f47129835  freeradius-debuginfo-1.0.1-3.RHEL4.3.ia64.rpm
9fd7df598cffcfdc21012296d3e5eca9  freeradius-mysql-1.0.1-3.RHEL4.3.ia64.rpm
6e813082c69c2c494daa435767e54dbd  freeradius-postgresql-1.0.1-3.RHEL4.3.ia64.rpm
8d1bcdc20817ac37be901cd2c7fe7088  freeradius-unixODBC-1.0.1-3.RHEL4.3.ia64.rpm

ppc:
0a3d9b8f2d09b1b13259ea99acff91b7  freeradius-1.0.1-3.RHEL4.3.ppc.rpm
bd962301995130ca480ce2a237704d47  freeradius-debuginfo-1.0.1-3.RHEL4.3.ppc.rpm
e4a7578d745c69f656d8d840307c139f  freeradius-mysql-1.0.1-3.RHEL4.3.ppc.rpm
e45ba7af692792d8bc52db7e0f6e0deb  freeradius-postgresql-1.0.1-3.RHEL4.3.ppc.rpm
9d693f9e452fd06d73aed9a1d5740ddf  freeradius-unixODBC-1.0.1-3.RHEL4.3.ppc.rpm

s390:
cc607bb4dfb35128ed7bef2a74e40aa8  freeradius-1.0.1-3.RHEL4.3.s390.rpm
da8f3b3085092c5b33a392247274b44f  freeradius-debuginfo-1.0.1-3.RHEL4.3.s390.rpm
42b226f640a1a4224ef0c27bc7bf5527  freeradius-mysql-1.0.1-3.RHEL4.3.s390.rpm
ebefbb200863e9bfeb775c7b104934cb  freeradius-postgresql-1.0.1-3.RHEL4.3.s390.rpm
4b43bb86ba1d6dc6953bb6dc3d67a147  freeradius-unixODBC-1.0.1-3.RHEL4.3.s390.rpm

s390x:
74d462262538062aad16e9d8cea6eb18  freeradius-1.0.1-3.RHEL4.3.s390x.rpm
6e8cba4d1d60d307987b742bc1cb194a  freeradius-debuginfo-1.0.1-3.RHEL4.3.s390x.rpm
a722d74a53facc3b431ec2ed55481b61  freeradius-mysql-1.0.1-3.RHEL4.3.s390x.rpm
53088f0fbfd0e9b9c1ccd7db0bcff0ad  freeradius-postgresql-1.0.1-3.RHEL4.3.s390x.rpm
8b6856b542505d85320bf176beb623c9  freeradius-unixODBC-1.0.1-3.RHEL4.3.s390x.rpm

x86_64:
d04afcde9543c934bbb44b3a8cf1ad53  freeradius-1.0.1-3.RHEL4.3.x86_64.rpm
c7013e94ad0e12263c8d7d97d0441fa6  freeradius-debuginfo-1.0.1-3.RHEL4.3.x86_64.rpm
9734492926441eddcd2740f1d19b537c  freeradius-mysql-1.0.1-3.RHEL4.3.x86_64.rpm
ab8051bbcb05c66af19e5a89a2349deb  freeradius-postgresql-1.0.1-3.RHEL4.3.x86_64.rpm
400250cfddddc9e095d581e2ae87b789  freeradius-unixODBC-1.0.1-3.RHEL4.3.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/freeradius-1.0.1-3.RHEL4.3.src.rpm
c6917a0d98ac04e34db4294217a389fb  freeradius-1.0.1-3.RHEL4.3.src.rpm

i386:
1121b8e53033f5580889eaab5fbd822e  freeradius-1.0.1-3.RHEL4.3.i386.rpm
f81fc257899d8ed95396af67215ffbe3  freeradius-debuginfo-1.0.1-3.RHEL4.3.i386.rpm
6b1ed7b9c10178db478963f9b4b5986a  freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm
791f052034f7a13f2b07f384e83795f2  freeradius-postgresql-1.0.1-3.RHEL4.3.i386.rpm
046fb51db100364dbe3dc856e7dca02c  freeradius-unixODBC-1.0.1-3.RHEL4.3.i386.rpm

ia64:
15db5d25efd4ecf030615ccf2552b04d  freeradius-1.0.1-3.RHEL4.3.ia64.rpm
b207735018793465ac84da5f47129835  freeradius-debuginfo-1.0.1-3.RHEL4.3.ia64.rpm
9fd7df598cffcfdc21012296d3e5eca9  freeradius-mysql-1.0.1-3.RHEL4.3.ia64.rpm
6e813082c69c2c494daa435767e54dbd  freeradius-postgresql-1.0.1-3.RHEL4.3.ia64.rpm
8d1bcdc20817ac37be901cd2c7fe7088  freeradius-unixODBC-1.0.1-3.RHEL4.3.ia64.rpm

x86_64:
d04afcde9543c934bbb44b3a8cf1ad53  freeradius-1.0.1-3.RHEL4.3.x86_64.rpm
c7013e94ad0e12263c8d7d97d0441fa6  freeradius-debuginfo-1.0.1-3.RHEL4.3.x86_64.rpm
9734492926441eddcd2740f1d19b537c  freeradius-mysql-1.0.1-3.RHEL4.3.x86_64.rpm
ab8051bbcb05c66af19e5a89a2349deb  freeradius-postgresql-1.0.1-3.RHEL4.3.x86_64.rpm
400250cfddddc9e095d581e2ae87b789  freeradius-unixODBC-1.0.1-3.RHEL4.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4744
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying
FreeBSD Patches DoS Vulnerability
Rogue cell towers discovered in Washington, D.C.
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.