[SECURITY] Fedora 16 Update: freeradius-2.2.0-0.fc16

updates at fedoraproject.org
Thu Oct 18 00:21:31 UTC 2012

Fedora Update Notification
2012-10-10 00:09:31

Name        : freeradius
Product     : Fedora 16
Version     : 2.2.0
Release     : 0.fc16
URL         : http://www.freeradius.org/
Summary     : High-performance and highly configurable free RADIUS server
Description :
The FreeRADIUS Server Project is a high performance and highly configurable
GPL'd free RADIUS server. The server is similar in some respects to
Livingston's 2.0 server.  While FreeRADIUS started as a variant of the
Cistron RADIUS server, they don't share a lot in common any more. It now has
many more features than Cistron or Livingston, and is much more configurable.

FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
protocol, as defined in RFC 2865 (and others). It allows Network Access
Servers (NAS boxes) to perform authentication for dial-up users. There are
also RADIUS clients available for Web servers, firewalls, Unix logins, and
more.  Using RADIUS allows authentication and authorization for a network to
be centralized, and minimizes the amount of re-configuration which has to be
done when adding or deleting new users.

Update Information:

This update moves to the current upstream 2.2.0 release, which is configuration-file compatible with the prior 2.1.12.

Version 2.2.0 includes the fix for CVE-2012-3547, a stack-based buffer overflow triggered while processing certificate expiration date fields during X.509 certificate validation (see bug #855909 below).
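The class of bug the advisory describes is a fixed-size stack buffer that receives a certificate date field whose length is checked against the wrong limit. The following C program is an added example written for this page, not FreeRADIUS code: the buffer size, the MAX_STRING_LEN value, the ASN1-time stand-in struct and the canary-based frame model are all assumptions chosen to illustrate the pattern, and the certificate field is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimal stand-in for OpenSSL's ASN1_TIME (an assumption of this example):
 * a length plus bytes that are not NUL-terminated, which is what
 * X509_get_notAfter() hands back.
 */
struct asn1_time {
    int length;
    const unsigned char *data;
};

#define MAX_STRING_LEN 254   /* assumed generic attribute-value limit     */
#define EXPIRY_BUF_LEN  64   /* assumed size of the on-stack scratch buffer */

enum copy_outcome { COPY_OVERFLOWED = 0, COPY_OK = 1, COPY_REFUSED = 2 };

/*
 * Vulnerable pattern: the value is bounded against a limit that has nothing
 * to do with the destination. Anything between EXPIRY_BUF_LEN and
 * MAX_STRING_LEN-1 bytes long passes the check and runs off the end of buf.
 */
static int copy_expiration_vulnerable(const struct asn1_time *t, char *buf)
{
    if (t == NULL || t->length < 0 || t->length >= MAX_STRING_LEN) return 0;
    memcpy(buf, t->data, (size_t)t->length);
    buf[t->length] = '\0';
    return 1;
}

/*
 * Hardened form: bound against the destination's real size, keeping one
 * byte for the terminator, and refuse over-long values rather than truncate
 * them (a truncated expiry string is not a usable date anyway).
 */
static int copy_expiration_fixed(const struct asn1_time *t, char *buf, size_t buflen)
{
    if (t == NULL || t->length < 0 || (size_t)t->length >= buflen) return 0;
    memcpy(buf, t->data, (size_t)t->length);
    buf[t->length] = '\0';
    return 1;
}

/*
 * Model the callback's stack frame as one flat array: an EXPIRY_BUF_LEN-byte
 * buffer immediately followed by a canary that stands in for whatever the
 * compiler placed next to it. All writes stay inside `frame`, so the demo is
 * well-defined even when the logical buffer is overrun.
 */
int expiration_copy_outcome(int use_fixed, int value_len)
{
    unsigned char frame[512];
    unsigned char value[512];       /* constructed certificate field */
    struct asn1_time t;
    const uint32_t canary = 0xDEADBEEFu;
    uint32_t after;
    int copied;

    if (value_len < 0 || value_len > (int)sizeof(value)) return -1;

    memset(frame, 0, sizeof(frame));
    memcpy(frame + EXPIRY_BUF_LEN, &canary, sizeof(canary));

    /* A UTCTime-looking prefix, then filler if the caller asked for more. */
    memset(value, '0', sizeof(value));
    memcpy(value, "130101000000Z", value_len < 13 ? (size_t)value_len : 13);
    t.length = value_len;
    t.data = value;

    if (use_fixed)
        copied = copy_expiration_fixed(&t, (char *)frame, EXPIRY_BUF_LEN);
    else
        copied = copy_expiration_vulnerable(&t, (char *)frame);

    memcpy(&after, frame + EXPIRY_BUF_LEN, sizeof(after));
    if (!copied) return COPY_REFUSED;
    return (after == canary) ? COPY_OK : COPY_OVERFLOWED;
}

int main(void)
{
    static const int lens[] = { 13, 63, 64, 200, 254 };
    size_t i;
    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len %3d  vulnerable=%d  fixed=%d\n", lens[i],
               expiration_copy_outcome(0, lens[i]),
               expiration_copy_outcome(1, lens[i]));
    return 0;
}
```

The 64-byte case is the one worth staring at: the vulnerable check admits it, the copy fits, and only the terminating NUL lands on the neighbour. A real notAfter is 13 or 15 bytes, so nothing breaks until a client presents a certificate with an oversized date field, which is exactly the input an attacker controls during EAP-TLS.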

This update also includes a fix that prevents .rpmsave and .rpmnew files left in the configuration directories from being read as live configuration.
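FreeRADIUS loads every file in a directory that is $INCLUDEd (radiusd.conf pulls in all of ${confdir}/modules/ this way), so a clients.conf.rpmsave or an old site file left behind by an upgrade would be parsed as if it were current, re-adding clients, secrets or listeners the administrator thought were gone. The following C program is an added example, not the Fedora patch or FreeRADIUS's own loader: the suffix list, the allowed-character set and the default directory are this example's assumptions.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/*
 * Suffixes left behind by package managers and editors. This list is the
 * example's own assumption, not the contents of the Fedora patch.
 */
static const char *const stale_suffixes[] = {
    ".rpmnew", ".rpmsave", ".rpmorig",
    ".dpkg-new", ".dpkg-old", ".dpkg-dist",
    ".bak", ".orig", ".rej", ".swp", "~",
};

/*
 * Decide whether a directory entry should be treated as live configuration
 * when a directory is $INCLUDEd (raddb/modules/, sites-enabled/, ...).
 * Returns 1 to load, 0 to skip.
 */
int conf_filename_is_loadable(const char *name)
{
    size_t len, i;
    const char *p;

    if (name == NULL || name[0] == '\0') return 0;
    if (name[0] == '.') return 0;            /* ".", "..", editor dotfiles */

    len = strlen(name);
    for (i = 0; i < sizeof(stale_suffixes) / sizeof(stale_suffixes[0]); i++) {
        size_t slen = strlen(stale_suffixes[i]);
        if (len >= slen && strcmp(name + len - slen, stale_suffixes[i]) == 0)
            return 0;
    }

    /* Only characters a real module or site name needs: [A-Za-z0-9._-]. */
    for (p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '-' && c != '_' && c != '.') return 0;
    }
    return 1;
}

/*
 * Scan a directory and report how many entries would be skipped. Stale
 * files are printed so an admin can merge or delete them before restarting
 * the server rather than relying on the loader to ignore them.
 * Returns the number of skipped entries, or -1 if the directory cannot be read.
 */
int report_stale_conf_files(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int skipped = 0;

    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        if (!conf_filename_is_loadable(e->d_name)) {
            printf("skip: %s/%s\n", dir, e->d_name);
            skipped++;
        }
    }
    closedir(d);
    return skipped;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/etc/raddb/modules";
    int n = report_stale_conf_files(dir);
    if (n < 0) { perror(dir); return 1; }
    printf("%d stale or invalid entries under %s\n", n, dir);
    return 0;
}
```

Run it against /etc/raddb/modules and /etc/raddb/sites-enabled after the upgrade; anything it prints is a file the old server would have loaded and whose contents deserve a look before it is removed.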

* Tue Oct  9 2012 John Dennis <jdennis at redhat.com> - 2.2.0-0
- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid
  files when loading config files
- Upgrade to new 2.2.0 upstream release
- Upstream changelog for 2.2.0:
  Feature improvements
  * 100% configuration file compatible with 2.1.x.
    The only fix needed is to disallow "hashsize=0" for rlm_passwd
  * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
    Redback, and Mikrotik dictionaries
  * Switch to using SHA1 for certificate digests instead of MD5.
    See raddb/certs/*.cnf
  * Added copyright statements to the dictionaries, so that we know
    when people are using them.
  * Better documentation for radrelay and detail file writer.
    See raddb/modules/radrelay and raddb/radrelay.conf
  * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
  * Added -F <file> to radwho
  * Added query timeouts to MySQL driver.  Patch from Brian De Wolf.
  * Add /etc/default/freeradius to debian package.
    Patch from Matthew Newton
  * Finalize DHCP and DHCP relay code.  It should now work everywhere.
    See raddb/sites-available/dhcp, src_ipaddr and src_interface.
  * DHCP capabilities are now compiled in by default.
    It runs as a DHCP server ONLY when manually enabled.
  * Added one letter expansions: %G - request minute and %I request
  * Added script to convert ISC DHCP lease files to SQL pools.
    See scripts/isc2ippool.pl
  * Added rlm_cache to cache arbitrary attributes.
  * Added max_use to rlm_ldap to force connection to be re-established
    after a given number of queries.
  * Added configtest option to Debian init scripts, and automatic
    config test on restart.
  * Added cache config item to rlm_krb5. When set to "no" ticket
    caching is disabled which may increase performance.

  Bug fixes
  * Fix CVE-2012-3547.  All users of 2.1.10, 2.1.11, 2.1.12,
    and 802.1X should upgrade immediately.
  * Fix typo in detail file writer, to skip writing if the packet
    was read from this detail file.
  * Free cached replies when closing resumed SSL sessions.
  * Fix a number of issues found by Coverity.
  * Fix memory leak and race condition in the EAP-TLS session cache.
    Thanks to Phil Mayers for tracking down OpenSSL APIs.
  * Restrict ATTRIBUTE names to character sets that make sense.
  * Fix EAP-TLS session Id length so that OpenSSL doesn't get
  * Fix SQL IPPool logic for non-timer attributes.  Closes bug #181
  * Change some informational messages to DEBUG rather than error.
  * Portability fixes for FreeBSD.  Closes bug #177
  * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
  * Safely handle extremely long lines in conf file variable expansion
  * Fix for Debian bug #606450
  * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
  * The passwd module no longer permits "hashsize = 0".  Setting that
    is pointless for a host of reasons.  It will also break the server.
  * Fix proxied inner-tunnel packets sometimes having zero authentication
    vector.  Found by Brian Julin.
  * Added $(EXEEXT) to Makefiles for portability.  Closes bug #188.
  * Fix minor build issue which would cause rlm_eap to be built twice.
  * When using "status_check=request" for a home server, the username
    and password must be specified, or the server will not start.
  * EAP-SIM now calculates keys from the SIM identity, not from the
    EAP-Identity.  Changing the EAP type via NAK may result in
    identities changing.  Bug reported by Microsoft EAP team.
  * Use home server src_ipaddr when sending Status-Server packets
  * Decrypt encrypted ERX attributes in CoA packets.
  * Fix registration of internal xlat's so %{mschap:...} doesn't
    disappear after a HUP.
  * Can now reference tagged attributes in expansions.
    e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
  * Correct calculation of Message-Authenticator for CoA and Disconnect
    replies.  Patch from Jouni Malinen
  * Install rad_counter, for managing rlm_counter files.
  * Add unique index constraint to all SQL flavours so that alternate
    queries work correctly.
  * The TTLS diameter decoder is now more lenient.  It ignores
    unknown attributes, instead of rejecting the TTLS session.
  * Use "globfree" in detail file reader.  Prevents very slow leak.
    Closes bug #207.
  * Operator =~ shouldn't copy the attribute, like :=.  It should
    instead behave more like ==.
  * Build main Debian package without SQL dependencies
  * Use max_queue_size in threading code
  * Update permissions in raddb/sql/postgresql/admin.sql
  * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
    wouldn't use methods it knew about.
  * Add more sanity checks in dynamic_clients code so the server won't
    crash if it attempts to load a badly formatted client definition.
* Tue Feb  7 2012 John Dennis <jdennis at redhat.com> - 2.1.12-4
- resolves: bug#781877 (from RHEL5) rlm_dbm_parse man page misspelled
- resolves: bug#760193 (from RHEL5) radtest PPPhint option is not parsed properly
* Sun Jan 15 2012 John Dennis <jdennis at redhat.com> - 2.1.12-3
- resolves: bug#781744
  systemd service file incorrectly listed pid file as
  /var/run/radiusd/radiusd which it should have been
* Mon Oct 31 2011 John Dennis <jdennis at redhat.com> - 2.1.12-2
- rename /etc/tmpfiles.d/freeradius.conf to /etc/tmpfiles.d/radiusd.conf
  remove config(noreplace) because it must match files section and
  permissions differ between versions.
* Mon Oct  3 2011 John Dennis <jdennis at redhat.com> - 2.1.12-1
- Upgrade to latest upstream release: 2.1.12
- Upstream changelog for 2.1.12:
  Feature improvements
  * Updates to dictionary.erx, dictionary.siemens, dictionary.starent,
    dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol
  * Added support for PCRE from Phil Mayers
  * Configurable file permission in rlm_linelog
  * Added "relaxed" option to rlm_attr_filter.  This copies attributes
    if at least one match occurred.
  * Added documentation on dynamic clients.
    See raddb/modules/dynamic_clients.
  * Added support for elliptic curve cryptography.
    See ecdh_curve in raddb/eap.conf.
  * Added support for 802.1X MIBs in checkrad
  * Added support for %{rand:...}, which generates a uniformly
    distributed number between 0 and the number you specify.
  * Created "man" pages for all installed commands, and documented
    options for all commands.  Patch from John Dennis.
  * Allow radsniff to decode encrypted VSAs and CoA packets.
    Patch from Bjorn Mork.
  * Always send Message-Authenticator in radtest. Patch from John Dennis.
    radclient continues to be more flexible.
  * Updated Oracle schema and queries
  * Added SecurID module.  See src/modules/rlm_securid/README

  Bug fixes
  * Fix memory leak in rlm_detail
  * Fix "failed to insert event"
  * Allow virtual servers to be reloaded on HUP.
    It no longer complains about duplicate virtual servers.
  * Fix %{string:...} expansion
  * Fix "server closed socket" loop in radmin
  * Set ownership of control socket when starting up
  * Always allow root to connect to control socket, even if
    "uid" is set.  They're root.  They can already do anything.
  * Save all attributes in Access-Accept when proxying inner-tunnel
  * Fixes for DHCP relaying.
  * Check certificate validity when using OCSP.
  * Updated Oracle "configure" script
  * Fixed typos in dictionary.alvarion
  * WARNING on potential proxy loop.
  * Be more aggressive about clearing old requests from the
    internal queue
  * Don't open network sockets when using -C

  [ 1 ] Bug #855909 - CVE-2012-3547 freeradius: Stack-based buffer overflow by processing certain expiration date fields of a certificate during x509 certificate validation [fedora-all]

This update can be installed with the "yum" update program.  Use 
su -c 'yum update freeradius' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
