CVE-2022-41859 (https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f): In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.

CVE-2022-41860 (https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a): In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.

CVE-2022-41861 (https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e): A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.

All have referenced patches, but don't seem to be in any release.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3ba1ccdbb78b40fc07e108cd7a30f92bbc59d9f

commit b3ba1ccdbb78b40fc07e108cd7a30f92bbc59d9f
Author:     Alarig Le Lay <alarig@swordarmor.fr>
AuthorDate: 2023-02-27 08:28:14 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-27 08:30:58 +0000

    net-dialup/freeradius: add 3.2.1

    Bug: https://bugs.gentoo.org/891265
    Closes: https://bugs.gentoo.org/897082
    Signed-off-by: Alarig Le Lay <alarig@swordarmor.fr>
    Closes: https://github.com/gentoo/gentoo/pull/29342
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-dialup/freeradius/Manifest                |   1 +
 net-dialup/freeradius/freeradius-3.2.1.ebuild | 311 ++++++++++++++++++++++++++
 2 files changed, 312 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88befb5372fc96f806de06bef0caca0bf4488b6e

commit 88befb5372fc96f806de06bef0caca0bf4488b6e
Author:     Alarig Le Lay <alarig@swordarmor.fr>
AuthorDate: 2023-02-27 08:27:26 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-27 08:30:58 +0000

    net-dialup/freeradius: add 3.0.26

    Bug: https://bugs.gentoo.org/891265
    Signed-off-by: Alarig Le Lay <alarig@swordarmor.fr>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-dialup/freeradius/Manifest                 |   1 +
 net-dialup/freeradius/freeradius-3.0.26.ebuild | 267 +++++++++++++++++++++++++
 2 files changed, 268 insertions(+)
Well, as I was thinking, maybe just bump to 3.2.2, stabilize that and drop all the older versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a624ea84bec7bafb42e92db83f493ddf96c35324

commit a624ea84bec7bafb42e92db83f493ddf96c35324
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-02-27 09:03:34 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-27 09:03:51 +0000

    net-dialup/freeradius: add 3.2.2

    Bug: https://bugs.gentoo.org/891265
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-dialup/freeradius/Manifest                |   1 +
 net-dialup/freeradius/freeradius-3.2.2.ebuild | 309 ++++++++++++++++++++++++++
 2 files changed, 310 insertions(+)
Manually checking the source code, the linked commits are present in the 3.2.2 release.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b022e526a4edf6aa28f76069f42c7195c21e1e27

commit b022e526a4edf6aa28f76069f42c7195c21e1e27
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-20 03:58:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-20 03:58:53 +0000

    net-dialup/freeradius: drop 3.0.25-r2, 3.0.26, 3.2.0, 3.2.1

    Bug: https://bugs.gentoo.org/891265
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-dialup/freeradius/Manifest                    |   4 -
 net-dialup/freeradius/freeradius-3.0.25-r2.ebuild | 267 -------------------
 net-dialup/freeradius/freeradius-3.0.26.ebuild    | 267 -------------------
 net-dialup/freeradius/freeradius-3.2.0.ebuild     | 309 ---------------------
 net-dialup/freeradius/freeradius-3.2.1.ebuild     | 311 ----------------------
 5 files changed, 1158 deletions(-)