That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/07/09/4
For Cauldron, version 3.2.5 is already built. For Mageia 9, version 3.0.27 is needed.
I think we also need to tell users who already deployed freeradius that they need to update their radiusd.conf file to add the following two lines into the security section:
"""
require_message_authenticator = auto
limit_proxy_state = auto
"""
See: https://www.freeradius.org/security/
CVE: (none) => CVE-2024-3596
Status comment: (none) => Fixed upstream in 3.0.27
Source RPM: (none) => freeradius-3.0.26-1.2.mga9.src.rpm
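A check for the two settings named in the comment above, as an added example that is not part of the original thread or of the FreeRADIUS project: it reads the top-level security section of a radiusd.conf and reports each setting as missing, disabled or ok. The sample configurations are constructed, and reporting the value no as disabled is this example's own classification.

```python
import re
import sys

# The two settings the comment asks admins to add (names taken from the page).
REQUIRED = ("require_message_authenticator", "limit_proxy_state")

def security_settings(conf_text):
    """Return key -> value for entries directly inside the top-level security { } section."""
    settings, depth, in_security = {}, 0, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if depth == 0 and re.fullmatch(r"security\s*\{", line):
            in_security = True
        elif in_security and depth == 1:
            m = re.fullmatch(r"(\w+)\s*=\s*(\S.*)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
        # ${var} expansions are balanced on one line, so the net brace count tracks nesting
        depth += line.count("{") - line.count("}")
        if in_security and depth == 0:
            in_security = False
    return settings

def audit(conf_text):
    """Classify each required setting as missing, disabled, or ok (value)."""
    sec = security_settings(conf_text)
    def state(v):
        return "missing" if v is None else "disabled" if v.lower() == "no" else "ok (%s)" % v
    return {k: state(sec.get(k)) for k in REQUIRED}

# Constructed sample: a radiusd.conf without the two lines (one is only present as a comment).
SAMPLE_OLD = """
logdir = ${localstatedir}/log/radius
log {
    destination = files
}
security {
    user = radiusd
    # require_message_authenticator = auto
    status_server = yes
}
"""
# Constructed sample: the same file after adding the two lines to the security section.
SAMPLE_NEW = SAMPLE_OLD.replace("status_server = yes",
    "require_message_authenticator = auto\n    limit_proxy_state = auto\n    status_server = yes")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OLD
    for key, result in audit(text).items():
        print(key, "->", result)
```

Run it with the path to the deployed radiusd.conf as the only argument; without an argument it audits the constructed sample.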
Assigning this directly to DavidG who has done all recent maintenance of this SRPM.
Assignee: bugsquad => geiger.david68210
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
freeradius-3.0.27-1.mga9
freeradius-krb5-3.0.27-1.mga9
freeradius-ldap-3.0.27-1.mga9
freeradius-mysql-3.0.27-1.mga9
freeradius-postgresql-3.0.27-1.mga9
freeradius-sqlite-3.0.27-1.mga9
freeradius-unixODBC-3.0.27-1.mga9
freeradius-yubikey-3.0.27-1.mga9
libfreeradius-devel-3.0.27-1.mga9
libfreeradius1-3.0.27-1.mga9
lib64freeradius-devel-3.0.27-1.mga9
lib64freeradius1-3.0.27-1.mga9

From SRPMS:
freeradius-3.0.27-1.mga9.src.rpm

Note: these two lines are added upstream in the default radiusd.conf file:
"""
require_message_authenticator = auto
limit_proxy_state = auto
"""
Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-postgresql freeradius-sqlite freeradius-unixODBC freeradius-yubikey
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  freeradius                     3.0.27       1.mga9        x86_64
  freeradius-krb5                3.0.27       1.mga9        x86_64
  freeradius-ldap                3.0.27       1.mga9        x86_64
  freeradius-mysql               3.0.27       1.mga9        x86_64
  freeradius-postgresql          3.0.27       1.mga9        x86_64
  freeradius-sqlite              3.0.27       1.mga9        x86_64
  freeradius-unixODBC            3.0.27       1.mga9        x86_64
  freeradius-yubikey             3.0.27       1.mga9        x86_64
  lib64freeradius1               3.0.27       1.mga9        x86_64
(medium "Core Release (distrib1)")
  lib64hiredis0.13               0.13.3       8.mga9        x86_64
  lib64memcached11               1.0.18       9.mga9        x86_64
  lib64ykclient3                 2.15         4.mga9        x86_64
  lib64yubikey0                  1.13         4.mga9        x86_64
  perl-Net-IP                    1.260.0      10.mga9       noarch
(medium "Core Updates (distrib3)")
  lib64pq5                       15.7         1.mga9        x86_64
  lib64unixODBC2                 2.3.11       1.1.mga9      x86_64
12MB of additional disk space will be used.
2.9MB of packages will be retrieved.
Proceed with the installation of the 16 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64memcached11-1.0.18-9.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64yubikey0-1.13-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64hiredis0.13-0.13.3-8.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Net-IP-1.260.0-10.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64ykclient3-2.15-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64pq5-15.7-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64unixODBC2-2.3.11-1.1.mga9.x86_64.rpm
installing
    //home/katnatek/qa-testing/x86_64/lib64freeradius1-3.0.27-1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-yubikey-3.0.27-1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-3.0.27-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/lib64ykclient3-2.15-4.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-postgresql-3.0.27-1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-ldap-3.0.27-1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-unixODBC-3.0.27-1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-mysql-3.0.27-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/lib64pq5-15.7-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/lib64memcached11-1.0.18-9.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/lib64yubikey0-1.13-4.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/lib64hiredis0.13-0.13.3-8.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/perl-Net-IP-1.260.0-10.mga9.noarch.rpm
    /var/cache/urpmi/rpms/lib64unixODBC2-2.3.11-1.1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-sqlite-3.0.27-1.mga9.x86_64.rpm
    //home/katnatek/qa-testing/x86_64/freeradius-krb5-3.0.27-1.mga9.x86_64.rpm
Preparing... ##################################################################################################
 1/16: lib64unixODBC2 ##################################################################################################
 2/16: perl-Net-IP ##################################################################################################
 3/16: lib64hiredis0.13 ##################################################################################################
 4/16: lib64yubikey0 ##################################################################################################
 5/16: lib64memcached11 ##################################################################################################
 6/16: lib64pq5 ##################################################################################################
 7/16: lib64ykclient3 ##################################################################################################
 8/16: lib64freeradius1 ##################################################################################################
 9/16: freeradius ##################################################################################################
Generating DH parameters, 2048 bit long safe prime
#some omitted output here ;)
10/16: freeradius-yubikey ##################################################################################################
11/16: freeradius-postgresql ##################################################################################################
12/16: freeradius-ldap ##################################################################################################
13/16: freeradius-unixODBC ##################################################################################################
14/16: freeradius-mysql ##################################################################################################
15/16: freeradius-sqlite ##################################################################################################
16/16: freeradius-krb5 ##################################################################################################

Reference bug#31291 comment#4

systemctl start radiusd
systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
     Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-07-13 11:34:18 CST; 19s ago
    Process: 401827 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
    Process: 401829 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
   Main PID: 401831 (radiusd)
      Tasks: 6 (limit: 6880)
     Memory: 42.2M
        CPU: 266ms
     CGroup: /system.slice/radiusd.service
             └─401831 /usr/sbin/radiusd -d /etc/raddb

jul 13 11:34:18 jgrey.phoenix systemd[1]: Starting radiusd.service...
jul 13 11:34:18 jgrey.phoenix systemd[1]: Started radiusd.service.

echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users
systemctl restart radiusd
systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
     Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-07-13 11:35:52 CST; 25s ago
    Process: 404795 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
    Process: 404797 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
   Main PID: 404799 (radiusd)
      Tasks: 6 (limit: 6880)
     Memory: 41.9M
        CPU: 251ms
     CGroup: /system.slice/radiusd.service
             └─404799 /usr/sbin/radiusd -d /etc/raddb

jul 13 11:35:52 jgrey.phoenix systemd[1]: Starting radiusd.service...
jul 13 11:35:52 jgrey.phoenix systemd[1]: Started radiusd.service.

radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 140 from 0.0.0.0:36064 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 192.168.1.3
        NAS-Port = 0
        Cleartext-Password = "password"
Received Access-Accept Id 140 from 127.0.0.1:1812 to 127.0.0.1:36064 length 38
        Message-Authenticator = 0x8271cce4da81f884ff192a4127f79548

Consistent with reference and previous round bug#33312 comment#3
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0264.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED