openEuler Security Advisory: An update for freeradius is now available for openEuler-22.03-LTS-SP1

Advisory ID: openEuler-SA-2023-1022
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Revision: 1.0 (Initial), 2023-01-06
Initial release date: 2023-01-06
Current release date: 2023-01-06
Generator: openEuler SA Tool V1.0, 2023-01-06
Title: freeradius security update
Severity: High
Affected product: openEuler-22.03-LTS-SP1
Affected package: freeradius

Summary

An update for freeradius is now available for openEuler-22.03-LTS-SP1. openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA, or "Triple A") management for users who connect to and use a network service.

Security Fix(es)

CVE-2022-41860
When an EAP-SIM supplicant sends an unknown SIM option, the server tries to look that option up in its internal dictionaries. The lookup fails, but the SIM code does not check for that failure; instead it dereferences a NULL pointer and the server crashes. This code path is only reachable on servers that enable the EAP-SIM method.
References: https://freeradius.org/security/
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a

CVE-2022-41861
A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash. The packet has to come from a peer the server already treats as a client or home server, so exposure depends on which peers are configured and on how much of that peer population you trust.
References: https://freeradius.org/security/
Upstream fix: https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e

Both issues are remotely triggered crashes of the RADIUS daemon, i.e. a denial of service against network authentication; neither is described as allowing code execution or an authentication bypass.

References

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1022
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41860
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41861
https://nvd.nist.gov/vuln/detail/CVE-2022-41860
https://nvd.nist.gov/vuln/detail/CVE-2022-41861

Fixed packages (openEuler-22.03-LTS-SP1)

Source:
freeradius-3.0.25-2.oe2203sp1.src.rpm

aarch64:
freeradius-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-debuginfo-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-debugsource-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-devel-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-help-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-krb5-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-ldap-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-mysql-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-perl-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-postgresql-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-sqlite-3.0.25-2.oe2203sp1.aarch64.rpm
freeradius-utils-3.0.25-2.oe2203sp1.aarch64.rpm
python3-freeradius-3.0.25-2.oe2203sp1.aarch64.rpm

x86_64:
freeradius-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-debuginfo-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-debugsource-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-devel-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-help-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-krb5-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-ldap-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-mysql-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-perl-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-postgresql-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-sqlite-3.0.25-2.oe2203sp1.x86_64.rpm
freeradius-utils-3.0.25-2.oe2203sp1.x86_64.rpm
python3-freeradius-3.0.25-2.oe2203sp1.x86_64.rpm

Vulnerability details

CVE-2022-41860
Product: openEuler-22.03-LTS-SP1
Severity: High
CVSS base score: 7.5
CVSS vector as published in this advisory: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Release date: 2023-01-06
Remediation: freeradius security update, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1022

CVE-2022-41861
Product: openEuler-22.03-LTS-SP1
Severity: High
CVSS base score: 7.5
CVSS vector as published in this advisory: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Release date: 2023-01-06
Remediation: freeradius security update, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1022

Note on the published vectors: both vectors encode a High integrity impact and no availability impact (I:H/A:N), while the impact described for both CVEs is a server crash, which in CVSS v3 terms is an availability impact (A:H). The 7.5 base score is the same either way, but do not rely on the published vector to characterise the impact; use the descriptions above and cross-check the CVSS assessment on the NVD entries linked in the References section.
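To confirm that the fixed builds from the package list are actually installed on a host, the following script compares the installed version-release of each affected package against 3.0.25-2.oe2203sp1. It is an added example, not part of the advisory or of openEuler's tooling; it assumes `rpm -qa` default output (name-version-release.arch, no Epoch, which matches the advisory's package list) and implements a simplified rpmvercmp covering digit, letter and `~` segments. The sample input is constructed and does not come from any real system.

```python
"""Check `rpm -qa` style output against the freeradius builds fixed by openEuler-SA-2023-1022.

Added example; not from the advisory or from openEuler's tooling. Assumes the
packages carry no Epoch (the advisory lists none and `rpm -qa` omits a zero
epoch) and uses a simplified rpmvercmp that handles digit runs, letter runs
and the '~' pre-release marker.
"""
import re
from itertools import zip_longest

# Fixed version-release taken from the advisory's package list.
FIXED_VERSION = "3.0.25"
FIXED_RELEASE = "2.oe2203sp1"

# Binary package names shipped by the advisory (same set for aarch64 and x86_64).
FIXED_PACKAGES = {
    "freeradius", "freeradius-sqlite", "freeradius-help", "freeradius-devel",
    "freeradius-utils", "freeradius-ldap", "freeradius-debuginfo",
    "freeradius-mysql", "python3-freeradius", "freeradius-debugsource",
    "freeradius-postgresql", "freeradius-perl", "freeradius-krb5",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; returns -1, 0 or 1.

    Strings are split into digit runs, letter runs and '~'; separators such as
    '.' and '-' are ignored, as in rpm. Digit runs compare numerically, letter
    runs lexically, a digit run beats a letter run, a longer string beats a
    shorter prefix, and '~' sorts before everything (3.0.25~rc1 < 3.0.25).
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:          # a ran out of segments first: a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():      # numeric segment is newer than an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def parse_nvra(line: str):
    """Split 'name-version-release.arch' (default `rpm -qa` format) into its parts."""
    name, version, release_arch = line.rsplit("-", 2)
    release, arch = release_arch.rsplit(".", 1)
    return name, version, release, arch


def is_fixed(version: str, release: str) -> bool:
    """True if version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0


def check_installed(rpm_qa_output: str) -> dict:
    """Map each installed package covered by the advisory to True (fixed) or False (vulnerable)."""
    status = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if name in FIXED_PACKAGES:        # packages outside the advisory are ignored
            status[name] = is_fixed(version, release)
    return status


# Constructed sample standing in for `rpm -qa 'freeradius*' 'python3-freeradius'`
# on a partially updated host; not real output from any system.
SAMPLE_RPM_QA = """\
freeradius-3.0.25-1.oe2203sp1.x86_64
freeradius-utils-3.0.25-1.oe2203sp1.x86_64
freeradius-ldap-3.0.25-2.oe2203sp1.x86_64
python3-freeradius-3.0.25-2.oe2203sp1.x86_64
freeradius-krb5-3.0.26-1.oe2203sp1.x86_64
"""

if __name__ == "__main__":
    for pkg, ok in sorted(check_installed(SAMPLE_RPM_QA).items()):
        verdict = "fixed" if ok else f"VULNERABLE, update to {FIXED_VERSION}-{FIXED_RELEASE}"
        print(f"{pkg:24} {verdict}")
```

On a real host, feed the script the output of `rpm -qa 'freeradius*' 'python3-freeradius'` instead of SAMPLE_RPM_QA; the main package `freeradius` is the one that matters for the running daemon, but a mixed result like the sample's (helper packages updated, the server package not) is worth catching because it usually means the update was interrupted or the service was not restarted.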