openSUSE Security Update : freeradius-server (openSUSE-2017-972)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for freeradius-server fixes the following issues :

- update to 3.0.15 (bsc#1049086)

- Bind the lifetime of program name and python path to the
module

- CVE-2017-10978: FR-GV-201: Check input / output length
in make_secret() (bsc#1049086)

- CVE-2017-10983: FR-GV-206: Fix read overflow when
decoding DHCP option 63 (bsc#1049086)

- CVE-2017-10984: FR-GV-301: Fix write overflow in
data2vp_wimax() (bsc#1049086)

- CVE-2017-10985: FR-GV-302: Fix infinite loop and memory
exhaustion with 'concat' attributes (bsc#1049086)

- CVE-2017-10986: FR-GV-303: Fix infinite read in
dhcp_attr2vp() (bsc#1049086)

- CVE-2017-10987: FR-GV-304: Fix buffer over-read in
fr_dhcp_decode_suboptions() (bsc#1049086)

- CVE-2017-10988: FR-GV-305: Decode 'signed' attributes
correctly. (bsc#1049086)

- FR-AD-001: use strncmp() instead of memcmp() for bounded
data

- Print messages when we see deprecated configuration
items

- Show reasons why we couldn't parse a certificate expiry
time

- Be more accepting about truncated ASN1 times.

- Fix OpenSSL API issue which could leak small amounts of
memory.

- For Access-Reject, call rad_authlog() after running the
post-auth section, just like for Access-Accept.

- Don't crash when reading corrupted data from session
resumption cache.

- Parse port in dhcpclient.

- Don't leak memory for OpenSSL.

- Portability fixes taken from OpenBSD port collection.

- run rad_authlog after post-auth for Access-Reject.

- Don't process VMPS packets twice.

- Fix attribute truncation in rlm_perl

- Fix bug when processing huntgroups.

- FR-AD-002 - Bind the lifetime of program name and python
path to the module

- FR-AD-003 - Pass correct statement length into
sqlite3_prepare[_v2]

This update was imported from the SUSE:SLE-12-SP3:Update update
project.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1049086

Solution :

Update the affected freeradius-server packages.
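The plugin itself decides "missing update" by comparing the installed package version against the fixed one. The script below is an added example of that check, not Tenable's plugin code or anything from the freeradius-server package: it compares an rpm VERSION-RELEASE string against the first fixed upstream release named in this changelog, 3.0.15. The VERSION-RELEASE format and numeric version components are assumptions; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not Tenable's plugin code: report whether an installed
# freeradius-server package is older than the first fixed upstream release
# named in this advisory (3.0.15). Assumptions: the package version string
# has rpm's VERSION-RELEASE form (e.g. "3.0.14-2.3.1") and version
# components are numeric.

FIXED_VERSION="3.0.15"

# Compare two dotted numeric versions component by component.
# Prints "older", "equal" or "newer" for $1 relative to $2.
version_relation() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}   # drop non-numeric tails like "rc1"
        ah=${ah:-0}; bh=${bh:-0}               # a missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then echo older; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo newer; return 0; fi
    done
    echo equal
}

# Strip rpm's RELEASE suffix and return 0 when the package is below the
# fixed version (the update is still missing), 1 otherwise.
needs_update() {
    pkg_version=${1%%-*}
    [ "$(version_relation "$pkg_version" "$FIXED_VERSION")" = "older" ]
}

# Human-readable verdict for one version string; always returns 0.
report_version() {
    if needs_update "$1"; then
        echo "freeradius-server $1 is below $FIXED_VERSION: update required (openSUSE-2017-972)"
    else
        echo "freeradius-server $1 is at or above $FIXED_VERSION"
    fi
}

# Usage: sh check_freeradius.sh 3.0.14-2.3.1   (classify a constructed sample string)
#        sh check_freeradius.sh                (query rpm on this host, if present)
if [ -n "${1:-}" ]; then
    report_version "$1"
elif command -v rpm >/dev/null 2>&1 && rpm -q freeradius-server >/dev/null 2>&1; then
    report_version "$(rpm -q --qf '%{VERSION}-%{RELEASE}' freeradius-server)"
fi
```

This works here because the update is a straight version bump to 3.0.15; for a distribution package that carries backported fixes under an older upstream version, compare against the distribution's fixed package release from the advisory rather than the upstream number.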

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

Family: SuSE Local Security Checks

Nessus Plugin ID: 102810

CVE ID: CVE-2017-10978
CVE-2017-10983
CVE-2017-10984
CVE-2017-10985
CVE-2017-10986
CVE-2017-10987
CVE-2017-10988
