Description
Security update for freeradius-server
This update for freeradius-server fixes the following issues:
Security issue fixed:
- CVE-2017-9148: Disable OpenSSL's internal session cache to mitigate authentication bypass. (bsc#1041445)
Non-security issue fixed:
- Fix case-insensitive matching in compiled regular expressions (bsc#1027243)
Package list
SUSE Linux Enterprise Server 12 SP2
freeradius-server-3.0.3-17.4.1
freeradius-server-doc-3.0.3-17.4.1
freeradius-server-krb5-3.0.3-17.4.1
freeradius-server-ldap-3.0.3-17.4.1
freeradius-server-libs-3.0.3-17.4.1
freeradius-server-mysql-3.0.3-17.4.1
freeradius-server-perl-3.0.3-17.4.1
freeradius-server-postgresql-3.0.3-17.4.1
freeradius-server-python-3.0.3-17.4.1
freeradius-server-sqlite-3.0.3-17.4.1
freeradius-server-utils-3.0.3-17.4.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
freeradius-server-3.0.3-17.4.1
freeradius-server-doc-3.0.3-17.4.1
freeradius-server-krb5-3.0.3-17.4.1
freeradius-server-ldap-3.0.3-17.4.1
freeradius-server-libs-3.0.3-17.4.1
freeradius-server-mysql-3.0.3-17.4.1
freeradius-server-perl-3.0.3-17.4.1
freeradius-server-postgresql-3.0.3-17.4.1
freeradius-server-python-3.0.3-17.4.1
freeradius-server-sqlite-3.0.3-17.4.1
freeradius-server-utils-3.0.3-17.4.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
freeradius-server-3.0.3-17.4.1
freeradius-server-doc-3.0.3-17.4.1
freeradius-server-krb5-3.0.3-17.4.1
freeradius-server-ldap-3.0.3-17.4.1
freeradius-server-libs-3.0.3-17.4.1
freeradius-server-mysql-3.0.3-17.4.1
freeradius-server-perl-3.0.3-17.4.1
freeradius-server-postgresql-3.0.3-17.4.1
freeradius-server-python-3.0.3-17.4.1
freeradius-server-sqlite-3.0.3-17.4.1
freeradius-server-utils-3.0.3-17.4.1
SUSE Linux Enterprise Software Development Kit 12 SP2
freeradius-server-devel-3.0.3-17.4.1
References
- Link for SUSE-SU-2017:1705-1
- E-Mail link for SUSE-SU-2017:1705-1
- SUSE Security Ratings
- SUSE Bug 1027243
- SUSE Bug 1041445
- SUSE CVE CVE-2017-9148 page
Description
The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
Affected products
SUSE Linux Enterprise Server 12 SP2:freeradius-server-3.0.3-17.4.1
SUSE Linux Enterprise Server 12 SP2:freeradius-server-doc-3.0.3-17.4.1
SUSE Linux Enterprise Server 12 SP2:freeradius-server-krb5-3.0.3-17.4.1
SUSE Linux Enterprise Server 12 SP2:freeradius-server-ldap-3.0.3-17.4.1
References
- CVE-2017-9148
- SUSE Bug 1041445
- SUSE Bug 1046141