freeradius-server-3.2.3-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13386 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z freeradius-server-3.2.3-2.1 on GA media These are all security issues fixed in the freeradius-server-3.2.3-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13386 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13386 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-41859/ SUSE CVE CVE-2022-41859 page https://www.suse.com/security/cve/CVE-2022-41860/ SUSE CVE CVE-2022-41860 page https://www.suse.com/security/cve/CVE-2022-41861/ SUSE CVE CVE-2022-41861 page openSUSE Tumbleweed freeradius-server-3.2.3-2.1 freeradius-server-devel-3.2.3-2.1 freeradius-server-doc-3.2.3-2.1 freeradius-server-krb5-3.2.3-2.1 freeradius-server-ldap-3.2.3-2.1 freeradius-server-ldap-schemas-3.2.3-2.1 freeradius-server-libs-3.2.3-2.1 freeradius-server-mysql-3.2.3-2.1 freeradius-server-perl-3.2.3-2.1 freeradius-server-postgresql-3.2.3-2.1 freeradius-server-python3-3.2.3-2.1 freeradius-server-sqlite-3.2.3-2.1 freeradius-server-utils-3.2.3-2.1 freeradius-server-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-devel-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-doc-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-krb5-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-ldap-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-ldap-schemas-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-libs-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-mysql-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-perl-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-postgresql-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-python3-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-sqlite-3.2.3-2.1 as a component of openSUSE Tumbleweed freeradius-server-utils-3.2.3-2.1 as a component of openSUSE Tumbleweed In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack. CVE-2022-41859 openSUSE Tumbleweed:freeradius-server-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-devel-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-doc-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-krb5-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-ldap-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-libs-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-mysql-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-perl-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-postgresql-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-python3-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-sqlite-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-utils-3.2.3-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41859.html CVE-2022-41859 https://bugzilla.suse.com/1206204 SUSE Bug 1206204 In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash. CVE-2022-41860 openSUSE Tumbleweed:freeradius-server-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-devel-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-doc-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-krb5-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-ldap-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-libs-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-mysql-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-perl-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-postgresql-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-python3-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-sqlite-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-utils-3.2.3-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41860.html CVE-2022-41860 https://bugzilla.suse.com/1206205 SUSE Bug 1206205 A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash. CVE-2022-41861 openSUSE Tumbleweed:freeradius-server-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-devel-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-doc-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-krb5-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-ldap-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-ldap-schemas-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-libs-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-mysql-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-perl-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-postgresql-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-python3-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-sqlite-3.2.3-2.1 openSUSE Tumbleweed:freeradius-server-utils-3.2.3-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41861.html CVE-2022-41861 https://bugzilla.suse.com/1206206 SUSE Bug 1206206