Описание
Security update for freeradius-server
This update for freeradius-server fixes the following issues:
Security issues fixed:
- CVE-2019-11235: Fixed an authentication bypass related to the EAP-PWD Commit frame and insufficent validation of elliptic curve points (bsc#1132549).
- CVE-2019-11234: Fixed an authentication bypass caused by reflecting privous values back to the server (bsc#1132664).
This update was imported from the SUSE:SLE-12-SP3:Update update project.
Список пакетов
openSUSE Leap 42.3
freeradius-server-3.0.15-9.1
freeradius-server-devel-3.0.15-9.1
freeradius-server-doc-3.0.15-9.1
freeradius-server-krb5-3.0.15-9.1
freeradius-server-ldap-3.0.15-9.1
freeradius-server-libs-3.0.15-9.1
freeradius-server-mysql-3.0.15-9.1
freeradius-server-perl-3.0.15-9.1
freeradius-server-postgresql-3.0.15-9.1
freeradius-server-python-3.0.15-9.1
freeradius-server-sqlite-3.0.15-9.1
freeradius-server-utils-3.0.15-9.1
Ссылки
- E-Mail link for openSUSE-SU-2019:1394-1
- SUSE Security Ratings
Описание
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
Затронутые продукты
openSUSE Leap 42.3:freeradius-server-3.0.15-9.1
openSUSE Leap 42.3:freeradius-server-devel-3.0.15-9.1
openSUSE Leap 42.3:freeradius-server-doc-3.0.15-9.1
openSUSE Leap 42.3:freeradius-server-krb5-3.0.15-9.1
Ссылки
- CVE-2019-11234
- SUSE Bug 1132664
Описание
FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
Затронутые продукты
openSUSE Leap 42.3:freeradius-server-3.0.15-9.1
openSUSE Leap 42.3:freeradius-server-devel-3.0.15-9.1
openSUSE Leap 42.3:freeradius-server-doc-3.0.15-9.1
openSUSE Leap 42.3:freeradius-server-krb5-3.0.15-9.1
Ссылки
- CVE-2019-11235
- SUSE Bug 1132549
- SUSE Bug 1132664
- SUSE Bug 1144524