-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: freeradius security and bug fix update Advisory ID: RHSA-2023:2166-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2166 Issue date: 2023-05-09 CVE Names: CVE-2022-41859 CVE-2022-41860 CVE-2022-41861 ==================================================================== 1. Summary: An update for freeradius is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux CRB (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. Security Fix(es): * freeradius: Information leakage in EAP-PWD (CVE-2022-41859) * freeradius: Crash on unknown option in EAP-SIM (CVE-2022-41860) * freeradius: Crash on invalid abinary data (CVE-2022-41861) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2078483 - CVE-2022-41859 freeradius: Information leakage in EAP-PWD 2078485 - CVE-2022-41860 freeradius: Crash on unknown option in EAP-SIM 2078487 - CVE-2022-41861 freeradius: Crash on invalid abinary data 2126380 - Add dropped packages to RHEL9 CRB repository 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: freeradius-3.0.21-37.el9.src.rpm aarch64: freeradius-3.0.21-37.el9.aarch64.rpm freeradius-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-debugsource-3.0.21-37.el9.aarch64.rpm freeradius-devel-3.0.21-37.el9.aarch64.rpm freeradius-doc-3.0.21-37.el9.aarch64.rpm freeradius-krb5-3.0.21-37.el9.aarch64.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-ldap-3.0.21-37.el9.aarch64.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-perl-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-rest-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-utils-3.0.21-37.el9.aarch64.rpm freeradius-utils-debuginfo-3.0.21-37.el9.aarch64.rpm python3-freeradius-3.0.21-37.el9.aarch64.rpm python3-freeradius-debuginfo-3.0.21-37.el9.aarch64.rpm ppc64le: freeradius-3.0.21-37.el9.ppc64le.rpm freeradius-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-debugsource-3.0.21-37.el9.ppc64le.rpm freeradius-devel-3.0.21-37.el9.ppc64le.rpm freeradius-doc-3.0.21-37.el9.ppc64le.rpm freeradius-krb5-3.0.21-37.el9.ppc64le.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-ldap-3.0.21-37.el9.ppc64le.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-perl-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-rest-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-utils-3.0.21-37.el9.ppc64le.rpm freeradius-utils-debuginfo-3.0.21-37.el9.ppc64le.rpm python3-freeradius-3.0.21-37.el9.ppc64le.rpm python3-freeradius-debuginfo-3.0.21-37.el9.ppc64le.rpm s390x: freeradius-3.0.21-37.el9.s390x.rpm freeradius-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-debugsource-3.0.21-37.el9.s390x.rpm freeradius-devel-3.0.21-37.el9.s390x.rpm freeradius-doc-3.0.21-37.el9.s390x.rpm freeradius-krb5-3.0.21-37.el9.s390x.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-ldap-3.0.21-37.el9.s390x.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-perl-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-rest-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-utils-3.0.21-37.el9.s390x.rpm freeradius-utils-debuginfo-3.0.21-37.el9.s390x.rpm python3-freeradius-3.0.21-37.el9.s390x.rpm python3-freeradius-debuginfo-3.0.21-37.el9.s390x.rpm x86_64: freeradius-3.0.21-37.el9.x86_64.rpm freeradius-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-debugsource-3.0.21-37.el9.x86_64.rpm freeradius-devel-3.0.21-37.el9.x86_64.rpm freeradius-doc-3.0.21-37.el9.x86_64.rpm freeradius-krb5-3.0.21-37.el9.x86_64.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-ldap-3.0.21-37.el9.x86_64.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-perl-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-rest-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-utils-3.0.21-37.el9.x86_64.rpm freeradius-utils-debuginfo-3.0.21-37.el9.x86_64.rpm python3-freeradius-3.0.21-37.el9.x86_64.rpm python3-freeradius-debuginfo-3.0.21-37.el9.x86_64.rpm Red Hat Enterprise Linux CRB (v. 9): aarch64: freeradius-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-debugsource-3.0.21-37.el9.aarch64.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-mysql-3.0.21-37.el9.aarch64.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-perl-3.0.21-37.el9.aarch64.rpm freeradius-perl-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-postgresql-3.0.21-37.el9.aarch64.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-rest-3.0.21-37.el9.aarch64.rpm freeradius-rest-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-sqlite-3.0.21-37.el9.aarch64.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-unixODBC-3.0.21-37.el9.aarch64.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.aarch64.rpm freeradius-utils-debuginfo-3.0.21-37.el9.aarch64.rpm python3-freeradius-debuginfo-3.0.21-37.el9.aarch64.rpm ppc64le: freeradius-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-debugsource-3.0.21-37.el9.ppc64le.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-mysql-3.0.21-37.el9.ppc64le.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-perl-3.0.21-37.el9.ppc64le.rpm freeradius-perl-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-postgresql-3.0.21-37.el9.ppc64le.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-rest-3.0.21-37.el9.ppc64le.rpm freeradius-rest-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-sqlite-3.0.21-37.el9.ppc64le.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-unixODBC-3.0.21-37.el9.ppc64le.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.ppc64le.rpm freeradius-utils-debuginfo-3.0.21-37.el9.ppc64le.rpm python3-freeradius-debuginfo-3.0.21-37.el9.ppc64le.rpm s390x: freeradius-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-debugsource-3.0.21-37.el9.s390x.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-mysql-3.0.21-37.el9.s390x.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-perl-3.0.21-37.el9.s390x.rpm freeradius-perl-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-postgresql-3.0.21-37.el9.s390x.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-rest-3.0.21-37.el9.s390x.rpm freeradius-rest-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-sqlite-3.0.21-37.el9.s390x.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-unixODBC-3.0.21-37.el9.s390x.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.s390x.rpm freeradius-utils-debuginfo-3.0.21-37.el9.s390x.rpm python3-freeradius-debuginfo-3.0.21-37.el9.s390x.rpm x86_64: freeradius-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-debugsource-3.0.21-37.el9.x86_64.rpm freeradius-krb5-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-ldap-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-mysql-3.0.21-37.el9.x86_64.rpm freeradius-mysql-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-perl-3.0.21-37.el9.x86_64.rpm freeradius-perl-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-postgresql-3.0.21-37.el9.x86_64.rpm freeradius-postgresql-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-rest-3.0.21-37.el9.x86_64.rpm freeradius-rest-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-sqlite-3.0.21-37.el9.x86_64.rpm freeradius-sqlite-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-unixODBC-3.0.21-37.el9.x86_64.rpm freeradius-unixODBC-debuginfo-3.0.21-37.el9.x86_64.rpm freeradius-utils-debuginfo-3.0.21-37.el9.x86_64.rpm python3-freeradius-debuginfo-3.0.21-37.el9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-41859 https://access.redhat.com/security/cve/CVE-2022-41860 https://access.redhat.com/security/cve/CVE-2022-41861 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFo0UdzjgjWX9erEAQgCTQ/9Fx6u8ucdikG/OBzo0lZKC6umHSzLpnUA hdZ71rL75QjduDnESNLgshxoBiyruH6LXRnVm2dSxDxVKHYDAwvnGjA08wHdJ7cA /P3hiEWA1Y8tmal5G0MOQttSnhSQUyivwBpi47SIodMOZ8p0KXYij7hc0secf4MU sOWw78LzLFX+kS/u23Ez8A/lrNwQnmSXaNw2V/5EowbYeY1WY1TePdY10G7GRnuE rM/1fpHIs5Zq9kcxCGHnBbYFwvmXeNERFBfRS+Qet/E/Tv9s5qlLhrJhl9zUd755 gW+MdXw3bztdOhJCx7CeQLzZK1Zabff6H3neOVMsE1O9A976spJStGUpLRd5y0eD g5dcqlG2jHujtm2yaG+0qYtX74pslWjHTUX2JFmSbwe8pvS6KxV7rk78rBMKVswi FNK3CVOQ3YUo3fdxANQmp2eeDQ797hafeSh3FcVURvEx4UMiLGhK+0pjsJFR9Cz2 CsJzTMkxqPaBqtKNIvWK2I1Cp46Oq7K7glZudWB8g4zL86aELzsjwzl2ngo0zdne /a6Cf+2ArNCLIy3elPxRoRy3rWXKNK+UvExiCAgDUFKkz8O5zO7ayo4l8lS+pc/c 9Nm16E6ga95ks6n8yecoN3iN86dgLmj99H9AE9zIhvrQI+3oTAFcKkpBj3q/EYRo rqMx7VlTaVE=SjbO -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce