freeradius-server-3.0.23-1.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10767 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z freeradius-server-3.0.23-1.5 on GA media These are all security issues fixed in the freeradius-server-3.0.23-1.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10767 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10767 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2008-4474/ SUSE CVE CVE-2008-4474 page https://www.suse.com/security/cve/CVE-2015-4680/ SUSE CVE CVE-2015-4680 page https://www.suse.com/security/cve/CVE-2015-8763/ SUSE CVE CVE-2015-8763 page https://www.suse.com/security/cve/CVE-2017-10978/ SUSE CVE CVE-2017-10978 page https://www.suse.com/security/cve/CVE-2017-10983/ SUSE CVE CVE-2017-10983 page https://www.suse.com/security/cve/CVE-2017-10984/ SUSE CVE CVE-2017-10984 page https://www.suse.com/security/cve/CVE-2017-10985/ SUSE CVE CVE-2017-10985 page https://www.suse.com/security/cve/CVE-2017-10986/ SUSE CVE CVE-2017-10986 page https://www.suse.com/security/cve/CVE-2017-10987/ SUSE CVE CVE-2017-10987 page https://www.suse.com/security/cve/CVE-2017-10988/ SUSE CVE CVE-2017-10988 page https://www.suse.com/security/cve/CVE-2017-9148/ SUSE CVE CVE-2017-9148 page https://www.suse.com/security/cve/CVE-2019-11234/ SUSE CVE CVE-2019-11234 page https://www.suse.com/security/cve/CVE-2019-13456/ SUSE CVE CVE-2019-13456 page https://www.suse.com/security/cve/CVE-2019-17185/ SUSE CVE CVE-2019-17185 page openSUSE Tumbleweed freeradius-server-3.0.23-1.5 freeradius-server-devel-3.0.23-1.5 freeradius-server-doc-3.0.23-1.5 freeradius-server-krb5-3.0.23-1.5 freeradius-server-ldap-3.0.23-1.5 freeradius-server-ldap-schemas-3.0.23-1.5 freeradius-server-libs-3.0.23-1.5 freeradius-server-mysql-3.0.23-1.5 freeradius-server-perl-3.0.23-1.5 freeradius-server-postgresql-3.0.23-1.5 freeradius-server-python3-3.0.23-1.5 freeradius-server-sqlite-3.0.23-1.5 freeradius-server-utils-3.0.23-1.5 freeradius-server-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-devel-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-doc-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-krb5-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-ldap-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-ldap-schemas-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-libs-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-mysql-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-perl-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-postgresql-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-python3-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-sqlite-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-server-utils-3.0.23-1.5 as a component of openSUSE Tumbleweed freeradius-dialupadmin in freeradius 2.0.4 allows local users to overwrite arbitrary files via a symlink attack on temporary files in (1) backup_radacct, (2) clean_radacct, (3) monthly_tot_stats, (4) tot_stats, and (5) truncate_radacct. CVE-2008-4474 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-4474.html CVE-2008-4474 https://bugzilla.suse.com/433762 SUSE Bug 433762 FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check revocation of intermediate CA certificates. CVE-2015-4680 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 4 AV:N/AC:H/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-4680.html CVE-2015-4680 https://bugzilla.suse.com/935573 SUSE Bug 935573 The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified impact via a crafted (1) commit or (2) confirm message, which triggers an out-of-bounds read. CVE-2015-8763 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8763.html CVE-2015-8763 https://bugzilla.suse.com/961479 SUSE Bug 961479 An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "Read / write overflow in make_secret()" and a denial of service. CVE-2017-10978 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10978.html CVE-2017-10978 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "DHCP - Read overflow when decoding option 63" and a denial of service. CVE-2017-10983 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10983.html CVE-2017-10983 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code. CVE-2017-10984 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10984.html CVE-2017-10984 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows "Infinite loop and memory exhaustion with 'concat' attributes" and a denial of service. CVE-2017-10985 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10985.html CVE-2017-10985 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service. CVE-2017-10986 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10986.html CVE-2017-10986 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Buffer over-read in fr_dhcp_decode_suboptions()" and a denial of service. CVE-2017-10987 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10987.html CVE-2017-10987 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2017-10988 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-10988.html CVE-2017-10988 https://bugzilla.suse.com/1049086 SUSE Bug 1049086 The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS. CVE-2017-9148 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-9148.html CVE-2017-9148 https://bugzilla.suse.com/1041445 SUSE Bug 1041445 https://bugzilla.suse.com/1046141 SUSE Bug 1046141 FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497. CVE-2019-11234 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11234.html CVE-2019-11234 https://bugzilla.suse.com/1132664 SUSE Bug 1132664 In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494. CVE-2019-13456 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13456.html CVE-2019-13456 https://bugzilla.suse.com/1144524 SUSE Bug 1144524 https://bugzilla.suse.com/1166858 SUSE Bug 1166858 In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This mean multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack. CVE-2019-17185 openSUSE Tumbleweed:freeradius-server-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-devel-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-doc-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-krb5-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-libs-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-mysql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-perl-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-postgresql-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-python3-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-sqlite-3.0.23-1.5 openSUSE Tumbleweed:freeradius-server-utils-3.0.23-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17185.html CVE-2019-17185 https://bugzilla.suse.com/1166847 SUSE Bug 1166847