| Summary: | freeradius new security issues bsc#1180525 and bsc#1184016 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, ouaurelien, richard, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | freeradius-3.0.21-3.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2021-05-30 23:56:00 CEST
Cauldron has up to 3.0.21.

Various people commit this SRPM, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

SUSE has issued an advisory on June 11:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009004.html

The issue it fixed is a private SUSE bug, but maybe there will be a patch for it in the next openSUSE update.

Whiteboard:
(none) => MGA8TOO, MGA7TOO

(In reply to David Walser from comment #2)
> SUSE has issued an advisory on June 11:
> https://lists.suse.com/pipermail/sle-security-updates/2021-June/009004.html
>
> The issue it fixed is a private SUSE bug, but maybe there will be a patch
> for it in the next openSUSE update.

openSUSE has issued an advisory for this today (June 27):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4OYNG7T54XRRYWVRHWU4UTH3NXGSVTV/

Patch is in this commit:
https://build.opensuse.org/request/show/901594

Summary:
freeradius new security issue bsc#1180525 => freeradius new security issues bsc#1180525 and bsc#1184016

(In reply to David Walser from comment #3)
> (In reply to David Walser from comment #2)
> > SUSE has issued an advisory on June 11:
> > https://lists.suse.com/pipermail/sle-security-updates/2021-June/009004.html
> >
> > The issue it fixed is a private SUSE bug, but maybe there will be a patch
> > for it in the next openSUSE update.
>
> openSUSE has issued an advisory for this today (June 27):
> https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4OYNG7T54XRRYWVRHWU4UTH3NXGSVTV/
>
> Patch is in this commit:
> https://build.opensuse.org/request/show/901594

Also fixed upstream in 3.0.22.

freeradius-3.0.22-1.mga9 uploaded for Cauldron by David Geiger.

Whiteboard:
MGA8TOO, MGA7TOO => MGA7TOO

Advisory:
========================

Updated freeradius packages fix security vulnerabilities:

Moved logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525).

Fixed plaintext password entries in logfiles (bsc#1184016).

The freeradius package has been updated to version 3.0.22, fixing these issues and other bugs. See the upstream release announcements for details.

References:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_21
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_22
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TLMELQDBBH6JKZK2EHVYSSE6THAIWIP2/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4OYNG7T54XRRYWVRHWU4UTH3NXGSVTV/
========================

Updated packages in core/updates_testing:
========================
freeradius-3.0.22-1.mga7
freeradius-krb5-3.0.22-1.mga7
freeradius-ldap-3.0.22-1.mga7
freeradius-postgresql-3.0.22-1.mga7
freeradius-mysql-3.0.22-1.mga7
freeradius-unixODBC-3.0.22-1.mga7
freeradius-sqlite-3.0.22-1.mga7
freeradius-yubikey-3.0.22-1.mga7
libfreeradius1-3.0.22-1.mga7
libfreeradius-devel-3.0.22-1.mga7
freeradius-3.0.22-1.mga8
libfreeradius1-3.0.22-1.mga8
libfreeradius-devel-3.0.22-1.mga8
freeradius-ldap-3.0.22-1.mga8
freeradius-postgresql-3.0.22-1.mga8
freeradius-yubikey-3.0.22-1.mga8
freeradius-mysql-3.0.22-1.mga8
freeradius-sqlite-3.0.22-1.mga8
freeradius-krb5-3.0.22-1.mga8
freeradius-unixODBC-3.0.22-1.mga8

from SRPMS:
freeradius-3.0.22-1.mga7.src.rpm
freeradius-3.0.22-1.mga8.src.rpm

Assignee:
pkg-bugs => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues
Tested as in bug 25907 Comment 6

# systemctl start radiusd
# systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 10:40:28 CEST; 14s ago
  Process: 28929 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 28931 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
 Main PID: 28933 (radiusd)
    Tasks: 6 (limit: 4915)
   Memory: 77.4M
   CGroup: /system.slice/radiusd.service
           └─28933 /usr/sbin/radiusd -d /etc/raddb

Jul 09 10:40:28 mach5.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jul 09 10:40:28 mach5.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users
# systemctl restart radiusd
# systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 10:41:49 CEST; 6s ago
  Process: 32691 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 32693 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
 Main PID: 32695 (radiusd)
    Tasks: 6 (limit: 4915)
   Memory: 77.4M
   CGroup: /system.slice/radiusd.service
           └─32695 /usr/sbin/radiusd -d /etc/raddb

Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: radiusd.service: Succeeded.
Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: Stopped FreeRADIUS high performance RADIUS server..
Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 244 from 0.0.0.0:60679 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 192.168.2.5
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 244 from 127.0.0.1:1812 to 127.0.0.1:60679 length 20

Looks all OK

Whiteboard:
MGA7TOO => MGA7TOO MGA7-64-OK

MGA8-64 Plasma on Lenovo B50
No installation issues
Repeated test as above Comment 6, same commands, same results. So OK.

Whiteboard:
MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Validating. Advisory in Comment 5.

Keywords:
(none) => validated_update

Aurelien Oudelet
2021-07-12 20:50:50 CEST
Source RPM:
freeradius-3.0.21-4.mga9.src.rpm => freeradius-3.0.21-3.mga8.src.rpm

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0342.html

Resolution:
(none) => FIXED

Hi,

Sorry for this late comment. When updating with this new version, I have the following error:
"Le fichier /usr.lib64/freeradius/rlm_ldap.so de l'installation de freeradius-ldap-3.0.22-1.mga7.x86_64 entre en conflit avec le fichier du paquet lib64freeradius1.-3.0.20-1.mga7.x86_64"
Even if I run with the option "--allow-force --force", the update stops.

CC:
(none) => richard

(In reply to rexy from comment #10)
> Hi,
>
> Sorry for this late comment. When updating with this new version, I have the
> following error:
> "Le fichier /usr.lib64/freeradius/rlm_ldap.so de l'installation de
> freeradius-ldap-3.0.22-1.mga7.x86_64 entre en conflit avec le fichier du
> paquet lib64freeradius1.-3.0.20-1.mga7.x86_64"
> Even if I run with the option "--allow-force --force", the update stops.

Please uninstall the packages with version 3.0.20-1 before installing those with version 3.0.22.

As Mageia 7 is End-Of-Life, we will not provide further updates. Please migrate to Mageia 8.

It's OK when uninstalling the previous version.
Thank you,
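
Added example, not part of the bug report and not code from FreeRADIUS, SUSE or Mageia: a small check for the bsc#1180525 condition described in the advisory above, reporting logrotate directives that sit at file scope in a drop-in instead of inside a per-log block. The function name, the log path, the pid file and both sample configs are constructed for illustration.

```python
# Hypothetical helper: find logrotate directives placed outside any
# "path { ... }" block, where they act as global options.
SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction",
                  "lastaction", "preremove"}

def global_directives(text):
    """Return [(line_no, directive)] for directives outside every block."""
    findings, in_block, in_script = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_script:                     # shell body may contain braces
            in_script = line != "endscript"
        elif in_block:
            if line.split()[0] in SCRIPT_OPENERS:
                in_script = True
            elif line.startswith("}"):
                in_block = False
        elif line.endswith("{"):          # "path {" or a lone "{"
            in_block = True
        elif line[0] not in "/\"'*":      # not a log path list
            findings.append((no, line))
    return findings

# Constructed sample: options at file scope (the pattern the fix removed).
BEFORE = """\
# constructed sample
missingok
compress
notifempty
/var/log/radius/radius.log {
    weekly
    postrotate
        test -f /run/radiusd.pid && { kill -HUP "$(cat /run/radiusd.pid)"; }
    endscript
}
"""

# Constructed sample: the same options moved into the per-log block.
AFTER = """\
/var/log/radius/radius.log {
    missingok
    compress
    notifempty
    weekly
}
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, global_directives(cfg))
```
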