Red Hat Product Errata RHSA-2004:609 - Security Advisory
Issued:
2004-11-12
Updated:
2004-11-12

RHSA-2004:609 - Security Advisory

Synopsis

freeradius security update

Type/Severity

Security Advisory: Moderate

Topic

Updated freeradius packages that fix a number of denial of service
vulnerabilities as well as minor bugs are now available for Red Hat
Enterprise Linux 3.

Description

FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.

A number of flaws were found in FreeRADIUS versions prior to 1.0.1. An
attacker who is able to send packets to the server could construct
carefully constructed packets in such a way as to cause the server to
consume memory or crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0938, CAN-2004-0960, and
CAN-2004-0961 to these issues.

Users of FreeRADIUS should update to these erratum packages that contain
FreeRADIUS 1.0.1, which is not vulnerable to these issues and also corrects
a number of bugs.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

  • BZ - 127162 - zlib-devel is missing from BuildRequires in spec file
  • BZ - 127168 - rebuilding freeradius picks up system libeap rather than package libeap
  • BZ - 130606 - Missing buildrequires in freediag
  • BZ - 130613 - radiusd.conf specifies other pam-auth than file installed in /etc/pam.d
  • BZ - 135825 - CAN-2004-0938 Freeradius < 1.0.1 DoS and remote crash (CAN-2004-0960, CAN-2004-0961)

References

(none)

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.