The FreeRADIUS development team reports:
Multiple issues exist with version 1.0.4, and all prior versions of the server. Externally exploitable vulnerabilities exist only for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to SQL injection attacks, similar to the issues noted below. All sites that have not deployed the rlm_sqlcounter module are not vulnerable to external exploits.

The issues are:

- SQL Injection attack in the rlm_sqlcounter module.
- Buffer overflow in the rlm_sqlcounter module, that may cause a server crash.
- Buffer overflow while expanding %t, that may cause a server crash.