Описание
Security update for freeradius-server
This update for freeradius-server fixes the following issues:
Security issues fixed:
- CVE-2019-11235: Fixed an authentication bypass related to the EAP-PWD Commit frame and insufficent validation of elliptic curve points (bsc#1132549).
- CVE-2019-11234: Fixed an authentication bypass caused by reflecting privous values back to the server (bsc#1132664).
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.0
freeradius-server-3.0.16-lp150.2.3.1
freeradius-server-devel-3.0.16-lp150.2.3.1
freeradius-server-doc-3.0.16-lp150.2.3.1
freeradius-server-krb5-3.0.16-lp150.2.3.1
freeradius-server-ldap-3.0.16-lp150.2.3.1
freeradius-server-libs-3.0.16-lp150.2.3.1
freeradius-server-mysql-3.0.16-lp150.2.3.1
freeradius-server-perl-3.0.16-lp150.2.3.1
freeradius-server-postgresql-3.0.16-lp150.2.3.1
freeradius-server-python-3.0.16-lp150.2.3.1
freeradius-server-sqlite-3.0.16-lp150.2.3.1
freeradius-server-utils-3.0.16-lp150.2.3.1
Ссылки
- E-Mail link for openSUSE-SU-2019:1346-1
- SUSE Security Ratings
- SUSE Bug 1132549
- SUSE Bug 1132664
- SUSE CVE CVE-2019-11234 page
- SUSE CVE CVE-2019-11235 page
Описание
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
Затронутые продукты
openSUSE Leap 15.0:freeradius-server-3.0.16-lp150.2.3.1
openSUSE Leap 15.0:freeradius-server-devel-3.0.16-lp150.2.3.1
openSUSE Leap 15.0:freeradius-server-doc-3.0.16-lp150.2.3.1
openSUSE Leap 15.0:freeradius-server-krb5-3.0.16-lp150.2.3.1
Ссылки
- CVE-2019-11234
- SUSE Bug 1132664
Описание
FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
Затронутые продукты
openSUSE Leap 15.0:freeradius-server-3.0.16-lp150.2.3.1
openSUSE Leap 15.0:freeradius-server-devel-3.0.16-lp150.2.3.1
openSUSE Leap 15.0:freeradius-server-doc-3.0.16-lp150.2.3.1
openSUSE Leap 15.0:freeradius-server-krb5-3.0.16-lp150.2.3.1
Ссылки
- CVE-2019-11235
- SUSE Bug 1132549
- SUSE Bug 1132664
- SUSE Bug 1144524