- ---------------------------------------------------------------------                   Red Hat Security Advisory

Synopsis:          Moderate: freeradius security update
Advisory ID:       RHSA-2005:524-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2005:524.html
Issue date:        2005-06-23
Updated on:        2005-06-23
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-1454 CAN-2005-1455
- ---------------------------------------------------------------------1. Summary:

Updated freeradius packages that fix a buffer overflow and possible SQL
injection attacks in the sql module are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

3. Problem description:

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A buffer overflow bug was found in the way FreeRADIUS escapes data in an
SQL query. An attacker may be able to crash FreeRADIUS if they cause
FreeRADIUS to escape a string containing three or less characters. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-1454 to this issue.

Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is
possible that an authenticated user could execute arbitrary SQL queries by
sending a specially crafted request to FreeRADIUS. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1455 to this issue.

Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

156941 - CAN-2005-1454 Multiple issues in freeradius (CAN-2005-1455)


6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
1fd359fe09899c240dd58c6b1cba38b7  freeradius-1.0.1-1.1.RHEL3.src.rpm

i386:
8fd519d93b3871849933b28f7e1bc2d9  freeradius-1.0.1-1.1.RHEL3.i386.rpm

ia64:
5442a3527c92a8d07d08acd77dace190  freeradius-1.0.1-1.1.RHEL3.ia64.rpm

ppc:
fd51f53af3f1e45fe6c0dad9a68fbad0  freeradius-1.0.1-1.1.RHEL3.ppc.rpm

s390:
536f28bdca07bf52391d5cae2e8f073c  freeradius-1.0.1-1.1.RHEL3.s390.rpm

s390x:
209ec09aa78f6e0e4ab8f26f4b356182  freeradius-1.0.1-1.1.RHEL3.s390x.rpm

x86_64:
4b1d9482db8d45cb79e6c522e72cb25a  freeradius-1.0.1-1.1.RHEL3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
1fd359fe09899c240dd58c6b1cba38b7  freeradius-1.0.1-1.1.RHEL3.src.rpm

i386:
8fd519d93b3871849933b28f7e1bc2d9  freeradius-1.0.1-1.1.RHEL3.i386.rpm

ia64:
5442a3527c92a8d07d08acd77dace190  freeradius-1.0.1-1.1.RHEL3.ia64.rpm

x86_64:
4b1d9482db8d45cb79e6c522e72cb25a  freeradius-1.0.1-1.1.RHEL3.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
454ecaca99cdbbbd70d31b72aae7e682  freeradius-1.0.1-3.RHEL4.src.rpm

i386:
ff75a31027509f376c3706efaeb10305  freeradius-1.0.1-3.RHEL4.i386.rpm
ff28f13e57713e277a74b789969bc583  freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
3dc1a74e7dd8ce755e60887ac4fd73cc  freeradius-postgresql-1.0.1-3.RHEL4.i386.rpm
eab011f77b2bce24d42e5608abcea1ed  freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm

ia64:
0eac053fe887cd2f8c805badd511b91e  freeradius-1.0.1-3.RHEL4.ia64.rpm
de0ccf2e0a508eba3062bfdd5b222835  freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm
0de26700a43c17adeec0498db847a5bc  freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
bcc8c5f0ea86f06cbb8f182e0b2e427f  freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm

ppc:
0bdd63fef27bd242ed17f48598e25194  freeradius-1.0.1-3.RHEL4.ppc.rpm
68eadec552a9d1f1ec5bd15b90f91b3a  freeradius-mysql-1.0.1-3.RHEL4.ppc.rpm
8be58c952be576172e7f5c50908a3fde  freeradius-postgresql-1.0.1-3.RHEL4.ppc.rpm
76013d354aa7ad542685dc72d62edde5  freeradius-unixODBC-1.0.1-3.RHEL4.ppc.rpm

s390:
d42b57021c61dbfea75314cf7a947f8b  freeradius-1.0.1-3.RHEL4.s390.rpm
0a86a8b88be9aff82f04ea734b1e43eb  freeradius-mysql-1.0.1-3.RHEL4.s390.rpm
cdf1a574f93ade40e99e086f28c81b14  freeradius-postgresql-1.0.1-3.RHEL4.s390.rpm
8441481b5543541d5aae8a3d7bd896cc  freeradius-unixODBC-1.0.1-3.RHEL4.s390.rpm

s390x:
67feac31092680e592c0c0ed7e31ee0c  freeradius-1.0.1-3.RHEL4.s390x.rpm
a369980828701e0694200269c6fd8777  freeradius-mysql-1.0.1-3.RHEL4.s390x.rpm
5d43a5e4ea7b32c74c9b5488172781f7  freeradius-postgresql-1.0.1-3.RHEL4.s390x.rpm
19d3425135a11bfe28fcf09438d298f6  freeradius-unixODBC-1.0.1-3.RHEL4.s390x.rpm

x86_64:
216dcc841b3ef864f866d0536d2e4769  freeradius-1.0.1-3.RHEL4.x86_64.rpm
3a709b00d74cd9e89f1bf1d82f0874a4  freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm
a41378ac35d1b3ab52b9f0217812aef2  freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm
422c04328234167649bb811f882cb774  freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
454ecaca99cdbbbd70d31b72aae7e682  freeradius-1.0.1-3.RHEL4.src.rpm

i386:
ff75a31027509f376c3706efaeb10305  freeradius-1.0.1-3.RHEL4.i386.rpm
ff28f13e57713e277a74b789969bc583  freeradius-mysql-1.0.1-3.RHEL4.i386.rpm
3dc1a74e7dd8ce755e60887ac4fd73cc  freeradius-postgresql-1.0.1-3.RHEL4.i386.rpm
eab011f77b2bce24d42e5608abcea1ed  freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm

ia64:
0eac053fe887cd2f8c805badd511b91e  freeradius-1.0.1-3.RHEL4.ia64.rpm
de0ccf2e0a508eba3062bfdd5b222835  freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm
0de26700a43c17adeec0498db847a5bc  freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm
bcc8c5f0ea86f06cbb8f182e0b2e427f  freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm

x86_64:
216dcc841b3ef864f866d0536d2e4769  freeradius-1.0.1-3.RHEL4.x86_64.rpm
3a709b00d74cd9e89f1bf1d82f0874a4  freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm
a41378ac35d1b3ab52b9f0217812aef2  freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm
422c04328234167649bb811f882cb774  freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1455

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

RedHat: Moderate: freeradius security update RHSA-2005:524-01

Updated freeradius packages that fix a buffer overflow and possible SQL injection attacks in the sql module are now available. This update has been rated as having moderate secur...

Summary



Summary

FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A buffer overflow bug was found in the way FreeRADIUS escapes data in an SQL query. An attacker may be able to crash FreeRADIUS if they cause FreeRADIUS to escape a string containing three or less characters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1454 to this issue. Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is possible that an authenticated user could execute arbitrary SQL queries by sending a specially crafted request to FreeRADIUS. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1455 to this issue. Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/):
156941 - CAN-2005-1454 Multiple issues in freeradius (CAN-2005-1455)

6. RPMs required:
Red Hat Enterprise Linux AS version 3:
SRPMS: 1fd359fe09899c240dd58c6b1cba38b7 freeradius-1.0.1-1.1.RHEL3.src.rpm
i386: 8fd519d93b3871849933b28f7e1bc2d9 freeradius-1.0.1-1.1.RHEL3.i386.rpm
ia64: 5442a3527c92a8d07d08acd77dace190 freeradius-1.0.1-1.1.RHEL3.ia64.rpm
ppc: fd51f53af3f1e45fe6c0dad9a68fbad0 freeradius-1.0.1-1.1.RHEL3.ppc.rpm
s390: 536f28bdca07bf52391d5cae2e8f073c freeradius-1.0.1-1.1.RHEL3.s390.rpm
s390x: 209ec09aa78f6e0e4ab8f26f4b356182 freeradius-1.0.1-1.1.RHEL3.s390x.rpm
x86_64: 4b1d9482db8d45cb79e6c522e72cb25a freeradius-1.0.1-1.1.RHEL3.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS: 1fd359fe09899c240dd58c6b1cba38b7 freeradius-1.0.1-1.1.RHEL3.src.rpm
i386: 8fd519d93b3871849933b28f7e1bc2d9 freeradius-1.0.1-1.1.RHEL3.i386.rpm
ia64: 5442a3527c92a8d07d08acd77dace190 freeradius-1.0.1-1.1.RHEL3.ia64.rpm
x86_64: 4b1d9482db8d45cb79e6c522e72cb25a freeradius-1.0.1-1.1.RHEL3.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS: 454ecaca99cdbbbd70d31b72aae7e682 freeradius-1.0.1-3.RHEL4.src.rpm
i386: ff75a31027509f376c3706efaeb10305 freeradius-1.0.1-3.RHEL4.i386.rpm ff28f13e57713e277a74b789969bc583 freeradius-mysql-1.0.1-3.RHEL4.i386.rpm 3dc1a74e7dd8ce755e60887ac4fd73cc freeradius-postgresql-1.0.1-3.RHEL4.i386.rpm eab011f77b2bce24d42e5608abcea1ed freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm
ia64: 0eac053fe887cd2f8c805badd511b91e freeradius-1.0.1-3.RHEL4.ia64.rpm de0ccf2e0a508eba3062bfdd5b222835 freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm 0de26700a43c17adeec0498db847a5bc freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm bcc8c5f0ea86f06cbb8f182e0b2e427f freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm
ppc: 0bdd63fef27bd242ed17f48598e25194 freeradius-1.0.1-3.RHEL4.ppc.rpm 68eadec552a9d1f1ec5bd15b90f91b3a freeradius-mysql-1.0.1-3.RHEL4.ppc.rpm 8be58c952be576172e7f5c50908a3fde freeradius-postgresql-1.0.1-3.RHEL4.ppc.rpm 76013d354aa7ad542685dc72d62edde5 freeradius-unixODBC-1.0.1-3.RHEL4.ppc.rpm
s390: d42b57021c61dbfea75314cf7a947f8b freeradius-1.0.1-3.RHEL4.s390.rpm 0a86a8b88be9aff82f04ea734b1e43eb freeradius-mysql-1.0.1-3.RHEL4.s390.rpm cdf1a574f93ade40e99e086f28c81b14 freeradius-postgresql-1.0.1-3.RHEL4.s390.rpm 8441481b5543541d5aae8a3d7bd896cc freeradius-unixODBC-1.0.1-3.RHEL4.s390.rpm
s390x: 67feac31092680e592c0c0ed7e31ee0c freeradius-1.0.1-3.RHEL4.s390x.rpm a369980828701e0694200269c6fd8777 freeradius-mysql-1.0.1-3.RHEL4.s390x.rpm 5d43a5e4ea7b32c74c9b5488172781f7 freeradius-postgresql-1.0.1-3.RHEL4.s390x.rpm 19d3425135a11bfe28fcf09438d298f6 freeradius-unixODBC-1.0.1-3.RHEL4.s390x.rpm
x86_64: 216dcc841b3ef864f866d0536d2e4769 freeradius-1.0.1-3.RHEL4.x86_64.rpm 3a709b00d74cd9e89f1bf1d82f0874a4 freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm a41378ac35d1b3ab52b9f0217812aef2 freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm 422c04328234167649bb811f882cb774 freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS: 454ecaca99cdbbbd70d31b72aae7e682 freeradius-1.0.1-3.RHEL4.src.rpm
i386: ff75a31027509f376c3706efaeb10305 freeradius-1.0.1-3.RHEL4.i386.rpm ff28f13e57713e277a74b789969bc583 freeradius-mysql-1.0.1-3.RHEL4.i386.rpm 3dc1a74e7dd8ce755e60887ac4fd73cc freeradius-postgresql-1.0.1-3.RHEL4.i386.rpm eab011f77b2bce24d42e5608abcea1ed freeradius-unixODBC-1.0.1-3.RHEL4.i386.rpm
ia64: 0eac053fe887cd2f8c805badd511b91e freeradius-1.0.1-3.RHEL4.ia64.rpm de0ccf2e0a508eba3062bfdd5b222835 freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm 0de26700a43c17adeec0498db847a5bc freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm bcc8c5f0ea86f06cbb8f182e0b2e427f freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm
x86_64: 216dcc841b3ef864f866d0536d2e4769 freeradius-1.0.1-3.RHEL4.x86_64.rpm 3a709b00d74cd9e89f1bf1d82f0874a4 freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm a41378ac35d1b3ab52b9f0217812aef2 freeradius-postgresql-1.0.1-3.RHEL4.x86_64.rpm 422c04328234167649bb811f882cb774 freeradius-unixODBC-1.0.1-3.RHEL4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1454 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1455

Package List


Severity
Advisory ID: RHSA-2005:524-01
Advisory URL: https://access.redhat.com/errata/RHSA-2005:524.html
Issued Date: : 2005-06-23
Updated on: 2005-06-23
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-1454 CAN-2005-1455 Updated freeradius packages that fix a buffer overflow and possible SQL injection attacks in the sql module are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Topic


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64


Bugs Fixed


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved