SUSE-SU-2017:2202-1

Описание

This update for freeradius-server fixes the following issues:

• update to 3.0.15 (bsc#1049086)
  • Bind the lifetime of program name and python path to the module
  • CVE-2017-10978: FR-GV-201: Check input / output length in make_secret() (bsc#1049086)
  • CVE-2017-10983: FR-GV-206: Fix read overflow when decoding DHCP option 63 (bsc#1049086)
  • CVE-2017-10984: FR-GV-301: Fix write overflow in data2vp_wimax() (bsc#1049086)
  • CVE-2017-10985: FR-GV-302: Fix infinite loop and memory exhaustion with 'concat' attributes (bsc#1049086)
  • CVE-2017-10986: FR-GV-303: Fix infinite read in dhcp_attr2vp() (bsc#1049086)
  • CVE-2017-10987: FR-GV-304: Fix buffer over-read in fr_dhcp_decode_suboptions() (bsc#1049086)
  • CVE-2017-10988: FR-GV-305: Decode 'signed' attributes correctly. (bsc#1049086)
  • FR-AD-001: use strncmp() instead of memcmp() for bounded data
  • Print messages when we see deprecated configuration items
  • Show reasons why we couldn't parse a certificate expiry time
  • Be more accepting about truncated ASN1 times.
  • Fix OpenSSL API issue which could leak small amounts of memory.
  • For Access-Reject, call rad_authlog() after running the post-auth section, just like for Access-Accept.
  • Don't crash when reading corrupted data from session resumption cache.
  • Parse port in dhcpclient.
  • Don't leak memory for OpenSSL.
  • Portability fixes taken from OpenBSD port collection.
  • run rad_authlog after post-auth for Access-Reject.
  • Don't process VMPS packets twice.
  • Fix attribute truncation in rlm_perl
  • Fix bug when processing huntgroups.
  • FR-AD-002 - Bind the lifetime of program name and python path to the module
  • FR-AD-003 - Pass correct statement length into sqlite3_prepare[_v2]