openEuler Security Advisory openEuler-SA-2022-2165: freeradius security update

Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final, version 1.0
Initial release: 2022-12-30
Current release: 2022-12-30
Generator: openEuler SA Tool V1.0, 2022-12-30

Summary

An update for freeradius is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.

Description

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.

Security Fix(es):

CVE-2022-41860: When an EAP-SIM supplicant sends an unknown SIM option, the server tries to look that option up in its internal dictionaries. The lookup fails, but the SIM code does not check for the failure; it dereferences a NULL pointer and the server crashes.
References: https://freeradius.org/security/
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a

CVE-2022-41861: A malicious RADIUS client or home server can send a malformed abinary attribute that causes the server to crash.
References: https://freeradius.org/security/
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e

Both issues terminate the radiusd process, so each is a remotely triggerable denial of service against authentication for every network access server that depends on the affected RADIUS instance.

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: High
Package: freeradius

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2165
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41860
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41861
https://nvd.nist.gov/vuln/detail/CVE-2022-41860
https://nvd.nist.gov/vuln/detail/CVE-2022-41861

Affected products:
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS

Updated packages

openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3 (both products receive the same freeradius-3.0.15-25.oe1 build)

Source:
freeradius-3.0.15-25.oe1.src.rpm

aarch64:
freeradius-3.0.15-25.oe1.aarch64.rpm
freeradius-debuginfo-3.0.15-25.oe1.aarch64.rpm
freeradius-debugsource-3.0.15-25.oe1.aarch64.rpm
freeradius-devel-3.0.15-25.oe1.aarch64.rpm
freeradius-help-3.0.15-25.oe1.aarch64.rpm
freeradius-krb5-3.0.15-25.oe1.aarch64.rpm
freeradius-ldap-3.0.15-25.oe1.aarch64.rpm
freeradius-mysql-3.0.15-25.oe1.aarch64.rpm
freeradius-perl-3.0.15-25.oe1.aarch64.rpm
freeradius-postgresql-3.0.15-25.oe1.aarch64.rpm
freeradius-sqlite-3.0.15-25.oe1.aarch64.rpm
freeradius-utils-3.0.15-25.oe1.aarch64.rpm
python2-freeradius-3.0.15-25.oe1.aarch64.rpm

x86_64:
freeradius-3.0.15-25.oe1.x86_64.rpm
freeradius-debuginfo-3.0.15-25.oe1.x86_64.rpm
freeradius-debugsource-3.0.15-25.oe1.x86_64.rpm
freeradius-devel-3.0.15-25.oe1.x86_64.rpm
freeradius-help-3.0.15-25.oe1.x86_64.rpm
freeradius-krb5-3.0.15-25.oe1.x86_64.rpm
freeradius-ldap-3.0.15-25.oe1.x86_64.rpm
freeradius-mysql-3.0.15-25.oe1.x86_64.rpm
freeradius-perl-3.0.15-25.oe1.x86_64.rpm
freeradius-postgresql-3.0.15-25.oe1.x86_64.rpm
freeradius-sqlite-3.0.15-25.oe1.x86_64.rpm
freeradius-utils-3.0.15-25.oe1.x86_64.rpm
python2-freeradius-3.0.15-25.oe1.x86_64.rpm

openEuler-22.03-LTS

Source:
freeradius-3.0.25-2.oe2203.src.rpm

aarch64:
freeradius-3.0.25-2.oe2203.aarch64.rpm
freeradius-debuginfo-3.0.25-2.oe2203.aarch64.rpm
freeradius-debugsource-3.0.25-2.oe2203.aarch64.rpm
freeradius-devel-3.0.25-2.oe2203.aarch64.rpm
freeradius-help-3.0.25-2.oe2203.aarch64.rpm
freeradius-krb5-3.0.25-2.oe2203.aarch64.rpm
freeradius-ldap-3.0.25-2.oe2203.aarch64.rpm
freeradius-mysql-3.0.25-2.oe2203.aarch64.rpm
freeradius-perl-3.0.25-2.oe2203.aarch64.rpm
freeradius-postgresql-3.0.25-2.oe2203.aarch64.rpm
freeradius-sqlite-3.0.25-2.oe2203.aarch64.rpm
freeradius-utils-3.0.25-2.oe2203.aarch64.rpm
python3-freeradius-3.0.25-2.oe2203.aarch64.rpm

x86_64:
freeradius-3.0.25-2.oe2203.x86_64.rpm
freeradius-debuginfo-3.0.25-2.oe2203.x86_64.rpm
freeradius-debugsource-3.0.25-2.oe2203.x86_64.rpm
freeradius-devel-3.0.25-2.oe2203.x86_64.rpm
freeradius-help-3.0.25-2.oe2203.x86_64.rpm
freeradius-krb5-3.0.25-2.oe2203.x86_64.rpm
freeradius-ldap-3.0.25-2.oe2203.x86_64.rpm
freeradius-mysql-3.0.25-2.oe2203.x86_64.rpm
freeradius-perl-3.0.25-2.oe2203.x86_64.rpm
freeradius-postgresql-3.0.25-2.oe2203.x86_64.rpm
freeradius-sqlite-3.0.25-2.oe2203.x86_64.rpm
freeradius-utils-3.0.25-2.oe2203.x86_64.rpm
python3-freeradius-3.0.25-2.oe2203.x86_64.rpm

Vulnerability details

CVE-2022-41860
Released: 2022-12-30
Affected: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
Severity: High, CVSS base score 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description: When an EAP-SIM supplicant sends an unknown SIM option, the server tries to look that option up in its internal dictionaries. The lookup fails, but the SIM code does not check for the failure; it dereferences a NULL pointer and the server crashes.
References: https://freeradius.org/security/
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
Advisory: freeradius security update, 2022-12-30, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2165

CVE-2022-41861
Released: 2022-12-30
Affected: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
Severity: High, CVSS base score 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description: A malicious RADIUS client or home server can send a malformed abinary attribute that causes the server to crash.
References: https://freeradius.org/security/
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
Advisory: freeradius security update, 2022-12-30, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2165

Note on the vector strings: as published above, both vectors carry C:N/I:H/A:N, that is, a high integrity impact and no availability impact. That does not match the described effect, which in both cases is a server crash. The 7.5 base score is the same for the availability-only vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, so the score itself is unaffected; consult the NVD entries linked above for the authoritative scoring and treat both CVEs operationally as remote denial of service against the RADIUS server.
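The unchecked-lookup pattern behind CVE-2022-41860, shown as an added example: this is constructed toy C code, not FreeRADIUS's source and not the upstream fix. The dictionary subset, attribute names, error codes and sample payloads are assumptions made for the illustration. Attributes are framed the way EAP-SIM frames them (RFC 4186: a one-byte type, a one-byte length in 4-byte units including the header, then the value), and the decoder that trusts the dictionary lookup result is placed beside one that fails closed when the option is unknown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy code, not FreeRADIUS's source: illustrates a dictionary
 * lookup that returns NULL for an unknown option followed by an unchecked
 * dereference (the bug class in CVE-2022-41860), and the hardened form. */

typedef struct {
    uint8_t     type;
    const char *name;
    size_t      min_len;    /* minimum total attribute length in bytes */
} sim_attr_t;

/* Assumed subset of the EAP-SIM attribute dictionary. */
static const sim_attr_t sim_dict[] = {
    {  1, "AT_RAND",         20 },
    {  7, "AT_NONCE_MT",     20 },
    { 14, "AT_IDENTITY",      4 },
    { 15, "AT_VERSION_LIST",  4 },
};

/* Returns the dictionary entry for a type, or NULL for an unknown option. */
static const sim_attr_t *sim_dict_lookup(uint8_t type)
{
    for (size_t i = 0; i < sizeof sim_dict / sizeof sim_dict[0]; i++)
        if (sim_dict[i].type == type)
            return &sim_dict[i];
    return NULL;
}

/* Vulnerable shape: the lookup result is used without a NULL check. With a
 * type that is not in the dictionary this dereferences NULL and the process
 * dies, which is the crash the advisory describes. */
static int sim_decode_attr_vulnerable(uint8_t type, size_t attr_len)
{
    const sim_attr_t *da = sim_dict_lookup(type);
    if (attr_len < da->min_len)      /* BUG: da may be NULL here */
        return -1;
    return 0;
}

/* Hardened shape: reject an unknown option before anything is dereferenced,
 * so a peer can at most get its own request refused. */
static int sim_decode_attr_fixed(uint8_t type, size_t attr_len)
{
    const sim_attr_t *da = sim_dict_lookup(type);
    if (da == NULL)
        return -2;                   /* unknown option: fail closed */
    if (attr_len < da->min_len)
        return -1;                   /* too short for this attribute */
    return 0;
}

/* Walk the attribute TLVs of an EAP-SIM payload with the hardened decoder.
 * Returns the number of attributes accepted, or the first error:
 * -1 undersized attribute, -2 unknown option, -3 broken framing. */
int sim_walk_attrs(const uint8_t *p, size_t len)
{
    int accepted = 0;
    while (len > 0) {
        if (len < 2)
            return -3;               /* truncated header */
        uint8_t type = p[0];
        size_t  alen = (size_t)p[1] * 4;   /* length field is in 4-byte units */
        if (alen == 0 || alen > len)
            return -3;               /* zero or overlong length field */
        int rc = sim_decode_attr_fixed(type, alen);
        if (rc != 0)
            return rc;
        accepted++;
        p   += alen;
        len -= alen;
    }
    return accepted;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t sample_ok[] = {
    15, 1, 0x00, 0x01,                                       /* AT_VERSION_LIST, 4 bytes */
     7, 5, 0x00, 0x00,                                       /* AT_NONCE_MT, 20 bytes:   */
     1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16   /* reserved + 16-byte nonce */
};
static const uint8_t sample_unknown[] = {
    15, 1, 0x00, 0x01,                                       /* AT_VERSION_LIST          */
    0xFE, 1, 0x00, 0x00                                      /* 0xFE: not in dictionary  */
};

int main(void)
{
    printf("valid payload            -> %d\n", sim_walk_attrs(sample_ok, sizeof sample_ok));
    printf("unknown option (fixed)   -> %d\n", sim_walk_attrs(sample_unknown, sizeof sample_unknown));
    printf("known type, unchecked    -> %d\n", sim_decode_attr_vulnerable(15, 4));
    /* sim_decode_attr_vulnerable(0xFE, 4) would fault on the NULL dereference. */
    return 0;
}
```

Compiled with `cc -Wall` and run, the walk over the payload carrying type 0xFE returns -2 instead of taking the process down, while calling sim_decode_attr_vulnerable with that type segfaults. The check to look for when reviewing any protocol decoder is the same: every dictionary or table lookup that can fail must have its failure return handled before the result is used, and the handling should refuse the request rather than guess.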