1.56. freeradius
1.56.1. RHSA-2009:1451: Moderate security update
Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1451
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.
An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted RADIUS packet. (CVE-2009-3111)
Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.
1.56.2. RHBA-2009:1678: bug fix update
Note
This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1678
FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls, Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users.
This update addresses the following bug:
* an error in the EAP authentication module could cause memory corruption. Running the radeapclient utility would typically expose the problem. An error message including text such as this
*** glibc detected *** radeapclient: free(): invalid pointer:
presented and radeapclient would then abort abnormally. This update corrects the error in the EAP authentication module. The module no longer corrupts memory and applications such as radeapclient that use this module work as expected. (BZ#476513)
All freeradius users should install these updated packages, which fix this problem.