(RHSA-2005:524) freeradius security update

2005-06-2300:00:00

access.redhat.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.5%

JSON

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A buffer overflow bug was found in the way FreeRADIUS escapes data in an
SQL query. An attacker may be able to crash FreeRADIUS if they cause
FreeRADIUS to escape a string containing three or less characters. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-1454 to this issue.

Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is
possible that an authenticated user could execute arbitrary SQL queries by
sending a specially crafted request to FreeRADIUS. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1455 to this issue.

Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

OSVersionArchitecturePackageVersionFilename
RedHatanyi386freeradius-unixodbc< 1.0.1-3.RHEL4freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm
RedHatanys390freeradius-postgresql< 1.0.1-3.RHEL4freeradius-postgresql-1.0.1-3.RHEL4.s390.rpm
RedHatanyppcfreeradius-postgresql< 1.0.1-3.RHEL4freeradius-postgresql-1.0.1-3.RHEL4.ppc.rpm
RedHatanyx86_64freeradius-postgresql< 1.0.1-3.RHEL4freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm
RedHatanyi386freeradius-mysql< 1.0.1-3.RHEL4freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
RedHatanyppcfreeradius< 1.0.1-3.RHEL4freeradius-1.0.1-3.RHEL4.ppc.rpm
RedHatanys390freeradius< 1.0.1-3.RHEL4freeradius-1.0.1-3.RHEL4.s390.rpm
RedHatanyia64freeradius-postgresql< 1.0.1-3.RHEL4freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
RedHatanys390xfreeradius-postgresql< 1.0.1-3.RHEL4freeradius-postgresql-1.0.1-3.RHEL4.s390x.rpm
RedHatanyx86_64freeradius-unixodbc< 1.0.1-3.RHEL4freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	any	i386	freeradius-unixodbc	< 1.0.1-3.RHEL4	freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm
RedHat	any	s390	freeradius-postgresql	< 1.0.1-3.RHEL4	freeradius-postgresql-1.0.1-3.RHEL4.s390.rpm
RedHat	any	ppc	freeradius-postgresql	< 1.0.1-3.RHEL4	freeradius-postgresql-1.0.1-3.RHEL4.ppc.rpm
RedHat	any	x86_64	freeradius-postgresql	< 1.0.1-3.RHEL4	freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm
RedHat	any	i386	freeradius-mysql	< 1.0.1-3.RHEL4	freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
RedHat	any	ppc	freeradius	< 1.0.1-3.RHEL4	freeradius-1.0.1-3.RHEL4.ppc.rpm
RedHat	any	s390	freeradius	< 1.0.1-3.RHEL4	freeradius-1.0.1-3.RHEL4.s390.rpm
RedHat	any	ia64	freeradius-postgresql	< 1.0.1-3.RHEL4	freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
RedHat	any	s390x	freeradius-postgresql	< 1.0.1-3.RHEL4	freeradius-postgresql-1.0.1-3.RHEL4.s390x.rpm
RedHat	any	x86_64	freeradius-unixodbc	< 1.0.1-3.RHEL4	freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm