Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685840 (CVE-2019-11234, CVE-2019-11235) - <net-dialup/freeradius-3.0.20: multiple vulnerabilities (CVE-2019-{11234,11235})
Summary: <net-dialup/freeradius-3.0.20: multiple vulnerabilities (CVE-2019-{11234,11235})
Alias: CVE-2019-11234, CVE-2019-11235
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on: 709804
  Show dependency tree
Reported: 2019-05-13 14:46 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-26 03:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 14:46:53 UTC
CVE-2019-11234 (
  FreeRADIUS before 3.0.19 does not prevent use of reflection for
  authentication spoofing, aka a "Dragonblood" issue, a similar issue to

CVE-2019-11235 (
  FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the
  received scalar is within a range, and that the received group element is a
  valid point on the curve being used" protection mechanism, aka a
  "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 02:00:34 UTC
A new vulnerability has been reported.

3) CVE-2019-20510
"rlm_eap/types/rlm_eap_pwd/eap_pwd.c in the EAP-pwd implementation in FreeRADIUS before 3.0.20 allows remote attackers to discover passwords because there is a side-channel information leak associated with the Hunting and Pecking abort for excessive iterations."

Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-22 17:14:41 UTC
A new vulnerability has been reported.

4) CVE-2019-17185 
"In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack."

Fix is in 3.0.20:
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 00:47:14 UTC
@maintainer(s), please cleanup <3.0.20.
Comment 4 Larry the Git Cow gentoo-dev 2020-04-17 07:36:19 UTC
The bug has been referenced in the following commit(s):

commit 8475a815d7bb356fa09d69b130833ae08f63873c
Author:     Daniele Rondina <>
AuthorDate: 2020-04-16 16:44:49 +0000
Commit:     Joonas Niilola <>
CommitDate: 2020-04-17 07:35:56 +0000

    net-dialup/freeradius: Drop old
    Package-Manager: Portage-2.3.69, Repoman-2.3.14
    Signed-off-by: Daniele Rondina <>
    Signed-off-by: Joonas Niilola <>

 net-dialup/freeradius/Manifest                     |   4 -
 .../files/freeradius-3.0.18-systemd-service.patch  |  34 ---
 .../files/freeradius-3.0.19-systemd-service.patch  |  53 -----
 net-dialup/freeradius/files/freeradius.service     |  15 --
 net-dialup/freeradius/freeradius-3.0.15.ebuild     | 227 -------------------
 net-dialup/freeradius/freeradius-3.0.17.ebuild     | 240 --------------------
 net-dialup/freeradius/freeradius-3.0.18-r1.ebuild  | 244 ---------------------
 net-dialup/freeradius/freeradius-3.0.19.ebuild     | 242 --------------------
 8 files changed, 1059 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 16:02:59 UTC
Thanks for quick cleanup.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:26:16 UTC
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].