[Security Announce] [ MDKSA-2007:085 ] - Updated freeradius packages fix DoS vulnerability
Posted on: 04/17/2007 01:30 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:085
http://www.mandriva.com/security/
_______________________________________________________________________

Package : freeradius
Date : April 16, 2007
Affected: 2007.0, 2007.1, Corporate 4.0
_______________________________________________________________________

Problem Description:

Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to
cause a denial of service (memory consumption) via a large number of
EAP-TTLS tunnel connections using malformed Diameter format attributes,
which causes the authentication request to be rejected but does not
reclaim VALUE_PAIR data structures.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2028
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
485265e479ed47e03c1966f773c43850 2007.0/i586/freeradius-1.1.2-2.1mdv2007.0.i586.rpm
a04d690ae7133426eb697fed54f56199 2007.0/i586/libfreeradius1-1.1.2-2.1mdv2007.0.i586.rpm
5595ff7619d10b67a436712e5a76fc78 2007.0/i586/libfreeradius1-devel-1.1.2-2.1mdv2007.0.i586.rpm
8dd97ce0b5b9ce5a198a1cfe1db0ebb5 2007.0/i586/libfreeradius1-krb5-1.1.2-2.1mdv2007.0.i586.rpm
092420b0c0b79c7d044cb54856f194d4 2007.0/i586/libfreeradius1-ldap-1.1.2-2.1mdv2007.0.i586.rpm
45a1ddd16609babbdda3f39ca9af8c39 2007.0/i586/libfreeradius1-mysql-1.1.2-2.1mdv2007.0.i586.rpm
8eaa8251f9ef2db2163da446759e338e 2007.0/i586/libfreeradius1-postgresql-1.1.2-2.1mdv2007.0.i586.rpm
3241acf858db1afa1250afe6e1f500dc 2007.0/i586/libfreeradius1-unixODBC-1.1.2-2.1mdv2007.0.i586.rpm
c7fc04dcb8df275a27d37541353bc0b8 2007.0/SRPMS/freeradius-1.1.2-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
95758b84f15d847e5df61d9479440700 2007.0/x86_64/freeradius-1.1.2-2.1mdv2007.0.x86_64.rpm
baded8fb60d1c41b02a790afac5c6337 2007.0/x86_64/lib64freeradius1-1.1.2-2.1mdv2007.0.x86_64.rpm
d9c95ac32f15019081f2ef6343aaf095 2007.0/x86_64/lib64freeradius1-devel-1.1.2-2.1mdv2007.0.x86_64.rpm
04d950d8db9cd92053fdf512727297cd 2007.0/x86_64/lib64freeradius1-krb5-1.1.2-2.1mdv2007.0.x86_64.rpm
2ca93232b0934ec6e5ef121e32fc487b 2007.0/x86_64/lib64freeradius1-ldap-1.1.2-2.1mdv2007.0.x86_64.rpm
cb61b2079cacc4b72ab0c7df9a4e463a 2007.0/x86_64/lib64freeradius1-mysql-1.1.2-2.1mdv2007.0.x86_64.rpm
37edc72f39c8b05ce9383e6b5810b288 2007.0/x86_64/lib64freeradius1-postgresql-1.1.2-2.1mdv2007.0.x86_64.rpm
155dbe7aed46442bdcb1a0cab0d61582 2007.0/x86_64/lib64freeradius1-unixODBC-1.1.2-2.1mdv2007.0.x86_64.rpm
c7fc04dcb8df275a27d37541353bc0b8 2007.0/SRPMS/freeradius-1.1.2-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.1:
7f655754289547a87da54e7f9d56d9c1 2007.1/i586/freeradius-1.1.2-5.1mdv2007.1.i586.rpm
0db64e8f6535adb19f23d22cef6dab39 2007.1/i586/libfreeradius1-1.1.2-5.1mdv2007.1.i586.rpm
9a61e66884c6926e22039e4290b75800 2007.1/i586/libfreeradius1-devel-1.1.2-5.1mdv2007.1.i586.rpm
7db0ee6b971766dc724f31ed185c807f 2007.1/i586/libfreeradius1-krb5-1.1.2-5.1mdv2007.1.i586.rpm
1a9e9007f3f28805b6bf4d9486d4a8e7 2007.1/i586/libfreeradius1-ldap-1.1.2-5.1mdv2007.1.i586.rpm
39a710e6ef266fa3d04030e2f02405e7 2007.1/i586/libfreeradius1-mysql-1.1.2-5.1mdv2007.1.i586.rpm
862bde1f3db0207bc133f49b7d7c7907 2007.1/i586/libfreeradius1-postgresql-1.1.2-5.1mdv2007.1.i586.rpm
c1872069cc1ccac4f2468635e575d39e 2007.1/i586/libfreeradius1-unixODBC-1.1.2-5.1mdv2007.1.i586.rpm
9a9a7cf043f8486a1b148f2eb1be1a30 2007.1/SRPMS/freeradius-1.1.2-5.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
5ad448a832f4a4ed1227a33433612df9 2007.1/x86_64/freeradius-1.1.2-5.1mdv2007.1.x86_64.rpm
d675f6d01f97c0a1f603f58026e0dc1f 2007.1/x86_64/lib64freeradius1-1.1.2-5.1mdv2007.1.x86_64.rpm
4c229c337bb4fd50462bae9963911fc6 2007.1/x86_64/lib64freeradius1-devel-1.1.2-5.1mdv2007.1.x86_64.rpm
b6de623842506793d39bb488a5bf062d 2007.1/x86_64/lib64freeradius1-krb5-1.1.2-5.1mdv2007.1.x86_64.rpm
9277ae9c7e972bc3a6a539b8aa787d8e 2007.1/x86_64/lib64freeradius1-ldap-1.1.2-5.1mdv2007.1.x86_64.rpm
2ee400549d37447daa7377e38e6804ef 2007.1/x86_64/lib64freeradius1-mysql-1.1.2-5.1mdv2007.1.x86_64.rpm
19c236506fd00c8939e564625d987617 2007.1/x86_64/lib64freeradius1-postgresql-1.1.2-5.1mdv2007.1.x86_64.rpm
58a862d856c75c61cc28cc914f355f55 2007.1/x86_64/lib64freeradius1-unixODBC-1.1.2-5.1mdv2007.1.x86_64.rpm
9a9a7cf043f8486a1b148f2eb1be1a30 2007.1/SRPMS/freeradius-1.1.2-5.1mdv2007.1.src.rpm

Corporate 4.0:
c4ceeeacc64b27a3810d7b9e391052c0 corporate/4.0/i586/freeradius-1.0.4-2.3.20060mlcs4.i586.rpm
63232cd692916c816c814f39de733d75 corporate/4.0/i586/libfreeradius1-1.0.4-2.3.20060mlcs4.i586.rpm
aab0141fdb684b856871faa3a281e8b1 corporate/4.0/i586/libfreeradius1-devel-1.0.4-2.3.20060mlcs4.i586.rpm
db28ccacac6df2430c159b372356cc8d corporate/4.0/i586/libfreeradius1-krb5-1.0.4-2.3.20060mlcs4.i586.rpm
778bdbd5643f737652d697d2b81b185e corporate/4.0/i586/libfreeradius1-ldap-1.0.4-2.3.20060mlcs4.i586.rpm
cc3d3c9e06f9484108440498560e22d3 corporate/4.0/i586/libfreeradius1-mysql-1.0.4-2.3.20060mlcs4.i586.rpm
ec2d5a756c26a683b06b84d3f91cd573 corporate/4.0/i586/libfreeradius1-postgresql-1.0.4-2.3.20060mlcs4.i586.rpm
9564641192642abf3690e374e262ef09 corporate/4.0/i586/libfreeradius1-unixODBC-1.0.4-2.3.20060mlcs4.i586.rpm
b473a94d7dff1a06e2db7cc3da187aa5 corporate/4.0/SRPMS/freeradius-1.0.4-2.3.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
c1600875ddab2ce7d31d84060668e5b8 corporate/4.0/x86_64/freeradius-1.0.4-2.3.20060mlcs4.x86_64.rpm
69a84b748264aad6555d0d3d92789f32 corporate/4.0/x86_64/lib64freeradius1-1.0.4-2.3.20060mlcs4.x86_64.rpm
7b6dc0a1121b2f1d84d57e38c577c2e8 corporate/4.0/x86_64/lib64freeradius1-devel-1.0.4-2.3.20060mlcs4.x86_64.rpm
b3a479b99a541cca01a920fb35872b33 corporate/4.0/x86_64/lib64freeradius1-krb5-1.0.4-2.3.20060mlcs4.x86_64.rpm
b66b96b5897b2fee700cf5a848bb8d92 corporate/4.0/x86_64/lib64freeradius1-ldap-1.0.4-2.3.20060mlcs4.x86_64.rpm
b2585acc4c9bfabd832bce4f300b877d corporate/4.0/x86_64/lib64freeradius1-mysql-1.0.4-2.3.20060mlcs4.x86_64.rpm
d1f8a534fb8da7f37817fd575ed680d3 corporate/4.0/x86_64/lib64freeradius1-postgresql-1.0.4-2.3.20060mlcs4.x86_64.rpm
4ad7d3c251d17fedf7479edcd818f103 corporate/4.0/x86_64/lib64freeradius1-unixODBC-1.0.4-2.3.20060mlcs4.x86_64.rpm
b473a94d7dff1a06e2db7cc3da187aa5 corporate/4.0/SRPMS/freeradius-1.0.4-2.3.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGI8qUmqjQ0CJFipgRAvv9AKDk8ohKdmfc9DibRIWXqx4qbFcWtwCg498c
tfsPJ2gb6QZPAJRgcLfunZ4=
=czGA
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007085__updated_freeradius_packages_fix_dos_vulnerability.html)