| Summary: | <net-dialup/freeradius-3.0.20: multiple vulnerabilities (CVE-2019-{11234,11235}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | dan, geaaru, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/gentoo/gentoo/pull/15369, https://bugs.gentoo.org/show_bug.cgi?id=701822 | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 709804 | | |
| Bug Blocks: | | | |
Description
GLSAMaker/CVETool Bot
A new vulnerability has been reported.

3) CVE-2019-20510
Description: "rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd implementation in FreeRADIUS before 3.0.20 allows remote attackers to discover passwords because there is a side-channel information leak associated with the Hunting and Pecking abort for excessive iterations."
Patch: https://github.com/janetuk/freeradius/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa

A new vulnerability has been reported.

4) CVE-2019-17185
Description: "In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This means multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack."

Fix is in 3.0.20: https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20

@maintainer(s), please cleanup <3.0.20.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8475a815d7bb356fa09d69b130833ae08f63873c

commit 8475a815d7bb356fa09d69b130833ae08f63873c
Author: Daniele Rondina <geaaru@gmail.com>
AuthorDate: 2020-04-16 16:44:49 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-04-17 07:35:56 +0000

    net-dialup/freeradius: Drop old

    Package-Manager: Portage-2.3.69, Repoman-2.3.14
    Bug: https://bugs.gentoo.org/685840
    Signed-off-by: Daniele Rondina <geaaru@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/15369
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-dialup/freeradius/Manifest                        |   4 -
 .../files/freeradius-3.0.18-systemd-service.patch    |  34 ---
 .../files/freeradius-3.0.19-systemd-service.patch    |  53 -----
 net-dialup/freeradius/files/freeradius.service       |  15 --
 net-dialup/freeradius/freeradius-3.0.15.ebuild       | 227 -------------------
 net-dialup/freeradius/freeradius-3.0.17.ebuild       | 240 --------------------
 net-dialup/freeradius/freeradius-3.0.18-r1.ebuild    | 244 ---------------------
 net-dialup/freeradius/freeradius-3.0.19.ebuild       | 242 --------------------
 8 files changed, 1059 deletions(-)

Thanks for quick cleanup.

GLSA Vote: No

Thank you all for your work. Closing as [noglsa].
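The "Hunting and Pecking" side channel behind CVE-2019-20510 (comment 3 above), modelled as an added example. This is not FreeRADIUS code and not the janetuk patch: the toy curve over GF(1009), the SHA-256 candidate derivation, the 40-iteration bound and every function name here are assumptions made for illustration. Python integers and hashlib are not constant-time, so the script demonstrates the loop structure that leaks (exit on first hit, abort after too many tries) beside the structure that does not (fixed iteration count, no abort, arithmetic select), rather than measurable timing.

```python
"""Toy model of the EAP-pwd / SAE 'hunting and pecking' password element
derivation, showing why an early exit or an abort on 'excessive iterations'
leaks the password through timing.

Added example, not FreeRADIUS code. The curve, the candidate derivation
and the loop bound are constructed for illustration only.
"""
import hashlib

# Toy curve y^2 = x^3 + A*x + B over GF(P). P is a small prime so the
# script runs instantly; as on a real curve, roughly half of all x values
# yield a valid point.
P, A, B = 1009, 3, 7
MAX_ITER = 40  # assumed loop bound; all 40 tries failing is ~2^-40 likely


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion: True if v is a square modulo the odd prime P."""
    v %= P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


def candidate_x(password: bytes, counter: int) -> int:
    """Derive the counter-th candidate x coordinate from the password."""
    seed = hashlib.sha256(password + counter.to_bytes(1, "big")).digest()
    return int.from_bytes(seed, "big") % P


def on_curve(x: int) -> bool:
    """True if some y exists with y^2 = x^3 + A*x + B mod P."""
    return is_quadratic_residue((x ** 3 + A * x + B) % P)


def hunt_and_peck_vulnerable(password: bytes) -> tuple:
    """Return (x, iterations_used).

    Stops at the first valid x and raises on excessive iterations. Both the
    time taken and the abort are observable from the network and depend only
    on the password, so an attacker timing handshakes can rank a dictionary
    by which candidate passwords reproduce the observed iteration count.
    """
    for counter in range(1, MAX_ITER + 1):
        x = candidate_x(password, counter)
        if on_curve(x):
            return x, counter
    raise ValueError("aborting: excessive iterations")


def hunt_and_peck_fixed(password: bytes) -> tuple:
    """Return (x, iterations_used), and iterations_used is always MAX_ITER.

    Every iteration runs whether or not a point was already found, there is
    no abort, and the first valid x is kept with an arithmetic select instead
    of a data-dependent branch. (Python is not constant-time; this is the
    structure a C implementation needs, not a constant-time implementation.)
    """
    found = 0
    x_sel = 0
    for counter in range(1, MAX_ITER + 1):
        x = candidate_x(password, counter)
        ok = int(on_curve(x))
        take = ok & (1 - found)          # 1 only on the first success
        x_sel = x_sel * (1 - take) + x * take
        found |= ok
    return x_sel, MAX_ITER


def iteration_profile(passwords: list) -> dict:
    """Iterations the vulnerable loop spends per password: the leak itself."""
    return {pw: hunt_and_peck_vulnerable(pw)[1] for pw in passwords}


if __name__ == "__main__":
    # Constructed sample dictionary, not real credentials.
    dictionary = [b"hunter2", b"correct horse", b"password1", b"letmein"]
    print("vulnerable loop, iterations per password:",
          iteration_profile(dictionary))
    print("fixed loop, iterations per password:",
          {pw: hunt_and_peck_fixed(pw)[1] for pw in dictionary})
```

Both loops select the same x for a given password, so the fix changes no protocol output; it only removes the password-dependent amount of work and the password-dependent abort. In a real server the candidate derivation is a KDF over the password, peer identities and a counter, and the curve is a standard prime curve, but the leak and its remedy have the same shape.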