openSUSE Security Update : freeradius-server (openSUSE-2017-972)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for freeradius-server fixes the following issues :

- update to 3.0.15 (bsc#1049086)

- Bind the lifetime of program name and python path to the

- CVE-2017-10978: FR-GV-201: Check input / output length
in make_secret() (bsc#1049086)

- CVE-2017-10983: FR-GV-206: Fix read overflow when
decoding DHCP option 63 (bsc#1049086)

- CVE-2017-10984: FR-GV-301: Fix write overflow in
data2vp_wimax() (bsc#1049086)

- CVE-2017-10985: FR-GV-302: Fix infinite loop and memory
exhaustion with 'concat' attributes (bsc#1049086)

- CVE-2017-10986: FR-GV-303: Fix infinite read in
dhcp_attr2vp() (bsc#1049086)

- CVE-2017-10987: FR-GV-304: Fix buffer over-read in
fr_dhcp_decode_suboptions() (bsc#1049086)

- CVE-2017-10988: FR-GV-305: Decode 'signed' attributes
correctly. (bsc#1049086)

- FR-AD-001: use strncmp() instead of memcmp() for bounded

- Print messages when we see deprecated configuration

- Show reasons why we couldn't parse a certificate expiry

- Be more accepting about truncated ASN1 times.

- Fix OpenSSL API issue which could leak small amounts of

- For Access-Reject, call rad_authlog() after running the
post-auth section, just like for Access-Accept.

- Don't crash when reading corrupted data from session
resumption cache.

- Parse port in dhcpclient.

- Don't leak memory for OpenSSL.

- Portability fixes taken from OpenBSD port collection.

- run rad_authlog after post-auth for Access-Reject.

- Don't process VMPS packets twice.

- Fix attribute truncation in rlm_perl

- Fix bug when processing huntgroups.

- FR-AD-002 - Bind the lifetime of program name and python
path to the module

- FR-AD-003 - Pass correct statement length into

This update was imported from the SUSE:SLE-12-SP3:Update update

Solution :

Update the affected freeradius-server packages.

Risk factor :

High / CVSS Base Score : 7.8

Family: SuSE Local Security Checks

Nessus Plugin ID: 102810

CVE ID: CVE-2017-10978
