openSUSE has issued an advisory on March 16:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TLMELQDBBH6JKZK2EHVYSSE6THAIWIP2/

The issue is fixed upstream in 3.0.22:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_22

Mageia 7 and Mageia 8 are also affected.
Cauldron has up to 3.0.21. Various people commit this SRPM, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
SUSE has issued an advisory on June 11: https://lists.suse.com/pipermail/sle-security-updates/2021-June/009004.html The issue it fixed is a private SUSE bug, but maybe there will be a patch for it in the next openSUSE update.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 3.0.22
(In reply to David Walser from comment #2)
> SUSE has issued an advisory on June 11:
> https://lists.suse.com/pipermail/sle-security-updates/2021-June/009004.html
>
> The issue it fixed is a private SUSE bug, but maybe there will be a patch
> for it in the next openSUSE update.

openSUSE has issued an advisory for this today (June 27):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4OYNG7T54XRRYWVRHWU4UTH3NXGSVTV/

Patch is in this commit:
https://build.opensuse.org/request/show/901594
Summary: freeradius new security issue bsc#1180525 => freeradius new security issues bsc#1180525 and bsc#1184016
(In reply to David Walser from comment #3)
> (In reply to David Walser from comment #2)
> > SUSE has issued an advisory on June 11:
> > https://lists.suse.com/pipermail/sle-security-updates/2021-June/009004.html
> >
> > The issue it fixed is a private SUSE bug, but maybe there will be a patch
> > for it in the next openSUSE update.
>
> openSUSE has issued an advisory for this today (June 27):
> https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4OYNG7T54XRRYWVRHWU4UTH3NXGSVTV/
>
> Patch is in this commit:
> https://build.opensuse.org/request/show/901594

Also fixed upstream in 3.0.22.

freeradius-3.0.22-1.mga9 uploaded for Cauldron by David Geiger.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
CC: (none) => geiger.david68210
Advisory:
========================

Updated freeradius packages fix security vulnerabilities:

Moved logrotate options into specific parts for each log as "global" options
will persist past and clobber global options in the main logrotate config
(bsc#1180525).

Fixed plaintext password entries in logfiles (bsc#1184016).

The freeradius package has been updated to version 3.0.22, fixing these issues
and other bugs. See the upstream release announcements for details.

References:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_21
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_22
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TLMELQDBBH6JKZK2EHVYSSE6THAIWIP2/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4OYNG7T54XRRYWVRHWU4UTH3NXGSVTV/
========================

Updated packages in core/updates_testing:
========================
freeradius-3.0.22-1.mga7
freeradius-krb5-3.0.22-1.mga7
freeradius-ldap-3.0.22-1.mga7
freeradius-postgresql-3.0.22-1.mga7
freeradius-mysql-3.0.22-1.mga7
freeradius-unixODBC-3.0.22-1.mga7
freeradius-sqlite-3.0.22-1.mga7
freeradius-yubikey-3.0.22-1.mga7
libfreeradius1-3.0.22-1.mga7
libfreeradius-devel-3.0.22-1.mga7
freeradius-3.0.22-1.mga8
libfreeradius1-3.0.22-1.mga8
libfreeradius-devel-3.0.22-1.mga8
freeradius-ldap-3.0.22-1.mga8
freeradius-postgresql-3.0.22-1.mga8
freeradius-yubikey-3.0.22-1.mga8
freeradius-mysql-3.0.22-1.mga8
freeradius-sqlite-3.0.22-1.mga8
freeradius-krb5-3.0.22-1.mga8
freeradius-unixODBC-3.0.22-1.mga8

from SRPMS:
freeradius-3.0.22-1.mga7.src.rpm
freeradius-3.0.22-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 3.0.22 => (none)
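The logrotate problem described in the advisory above (bsc#1180525), as an added example that is not code from Mageia, openSUSE or FreeRADIUS: a small check that reports directives placed outside any stanza in a logrotate drop-in, since those act as global options for whatever logrotate reads afterwards. The two sample drop-ins and the function name global_directives are constructed for illustration and are not the packaged files.

```python
import sys

# Constructed drop-in with options outside any stanza (not the packaged file).
BEFORE = """\
# options meant for the radius logs only
daily
rotate 14
/var/log/radius/radius.log {
    copytruncate
}
/var/log/radius/radacct/*/detail {
    nocreate
}
"""

# Constructed corrected form: the same options repeated inside each stanza.
AFTER = """\
/var/log/radius/radius.log {
    daily
    rotate 14
    copytruncate
}
/var/log/radius/radacct/*/detail {
    daily
    rotate 14
    nocreate
}
"""

def global_directives(text):
    """Return (line_no, directive) for directives outside every { } stanza."""
    # Heuristic: at brace depth 0, a line that is neither a log path (starts
    # with / or a quote) nor a stanza opener is treated as a global directive.
    found, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and "{" not in line and not line.startswith(("/", '"', "'")):
            found.append((no, line))
        depth = max(depth + line.count("{") - line.count("}"), 0)
    return found

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the files under /etc/logrotate.d
        with open(path) as fh:
            for no, directive in global_directives(fh.read()):
                print(f"{path}:{no}: global directive: {directive}")
```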
MGA7-64 Plasma on Lenovo B50
No installation issues
Tested as in bug 25907 Comment 6

# systemctl start radiusd
# systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 10:40:28 CEST; 14s ago
  Process: 28929 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 28931 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
 Main PID: 28933 (radiusd)
    Tasks: 6 (limit: 4915)
   Memory: 77.4M
   CGroup: /system.slice/radiusd.service
           └─28933 /usr/sbin/radiusd -d /etc/raddb

Jul 09 10:40:28 mach5.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jul 09 10:40:28 mach5.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users
# systemctl restart radiusd
# systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-07-09 10:41:49 CEST; 6s ago
  Process: 32691 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 32693 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
 Main PID: 32695 (radiusd)
    Tasks: 6 (limit: 4915)
   Memory: 77.4M
   CGroup: /system.slice/radiusd.service
           └─32695 /usr/sbin/radiusd -d /etc/raddb

Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: radiusd.service: Succeeded.
Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: Stopped FreeRADIUS high performance RADIUS server..
Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jul 09 10:41:49 mach5.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 244 from 0.0.0.0:60679 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 192.168.2.5
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 244 from 127.0.0.1:1812 to 127.0.0.1:60679 length 20

Looks all OK
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene
MGA8-64 Plasma on Lenovo B50
No installation issues
Repeated test as above Comment 6, same commands, same results. So OK.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Source RPM: freeradius-3.0.21-4.mga9.src.rpm => freeradius-3.0.21-3.mga8.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0342.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Hi,

Sorry for this late comment. When updating with this new version, I have the following error:
"Le fichier /usr.lib64/freeradius/rlm_ldap.so de l'installation de freeradius-ldap-3.0.22-1.mga7.x86_64 entre en conflit avec le fichier du paquet lib64freeradius1.-3.0.20-1.mga7.x86_64"
Even if I run with the option "--allow-force --force" the update stops.
CC: (none) => richard
(In reply to rexy from comment #10)
> Hi,
>
> Sorry for this late comment. When updating with this new version, I have the
> following error:
> "Le fichier /usr.lib64/freeradius/rlm_ldap.so de l'installation de
> freeradius-ldap-3.0.22-1.mga7.x86_64 entre en conflit avec le fichier du
> paquet lib64freeradius1.-3.0.20-1.mga7.x86_64"
> Even if I run with the option "--allow-force --force" the update stops.

Please uninstall the packages with version 3.0.20-1 before installing those with version 3.0.22.

As Mageia 7 is End-Of-Life, we will not provide further updates. Please migrate to Mageia 8.
It's OK when uninstalling the previous version.
Thank you,