MDVSA-2012:047
- Package name: freeradius
- Date: 2012-04-02
- Advisory ID: MDVSA-2012:047
- Affected versions: 2011 i586, 2011 x86_64
Problem description
A vulnerability has been found and corrected in freeradius:
The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11,
when OCSP is enabled, does not properly parse replies from OCSP
responders, which allows remote attackers to bypass authentication
by using the EAP-TLS protocol with a revoked X.509 client certificate
(CVE-2011-2701).
The updated packages have been patched to correct this issue.
Updated packages
2011 i586
9592998224d1dd4546383ceb570d3604 2011/i586/freeradius-2.1.11-1.1-mdv2011.0.i586.rpm
c7ec70f99705f8791c08c7912455e720 2011/i586/freeradius-krb5-2.1.11-1.1-mdv2011.0.i586.rpm
ce2c6c629cc39a2f99c5b2d1abc29d9f 2011/i586/freeradius-ldap-2.1.11-1.1-mdv2011.0.i586.rpm
b5cec8d58961e87db88b3aa66c2c6df9 2011/i586/freeradius-mysql-2.1.11-1.1-mdv2011.0.i586.rpm
363cbe053c0543f9347039c8706df1c3 2011/i586/freeradius-postgresql-2.1.11-1.1-mdv2011.0.i586.rpm
c826e248100cf3d35b74020865762645 2011/i586/freeradius-sqlite-2.1.11-1.1-mdv2011.0.i586.rpm
7f07e2059fa79f504188253afdd77f78 2011/i586/freeradius-unixODBC-2.1.11-1.1-mdv2011.0.i586.rpm
7d8dbb6ef93d6cb29558f66d71083943 2011/i586/freeradius-web-2.1.11-1.1-mdv2011.0.i586.rpm
21426a8a40d24ba90242d3ce5e0b113b 2011/i586/libfreeradius1-2.1.11-1.1-mdv2011.0.i586.rpm
304f8ba5960f970b944369de8f842cdd 2011/i586/libfreeradius-devel-2.1.11-1.1-mdv2011.0.i586.rpm
2600944fccf85291c36e3da0c890d94e 2011/SRPMS/freeradius-2.1.11-1.1.src.rpm
2011 x86_64
49669a354bf8a8a6427c0bfe81b34c0c 2011/x86_64/freeradius-2.1.11-1.1-mdv2011.0.x86_64.rpm
6d47286995039b37481e1281728a48bf 2011/x86_64/freeradius-krb5-2.1.11-1.1-mdv2011.0.x86_64.rpm
90e7fa1c475b9ef529b699ed2398e70a 2011/x86_64/freeradius-ldap-2.1.11-1.1-mdv2011.0.x86_64.rpm
c63a69dc4d33bd93b770a0bbcaf244aa 2011/x86_64/freeradius-mysql-2.1.11-1.1-mdv2011.0.x86_64.rpm
38e7261e1efa0bcba37d639de9e8fed7 2011/x86_64/freeradius-postgresql-2.1.11-1.1-mdv2011.0.x86_64.rpm
f616bf3ee830937f0cc38796616b76c5 2011/x86_64/freeradius-sqlite-2.1.11-1.1-mdv2011.0.x86_64.rpm
9ede61aed21b46ec642b424265c247fc 2011/x86_64/freeradius-unixODBC-2.1.11-1.1-mdv2011.0.x86_64.rpm
a7fa64a62adb65f72ea3052a7b2795ac 2011/x86_64/freeradius-web-2.1.11-1.1-mdv2011.0.x86_64.rpm
6db99dc40f74f94c6d48931453ce27f6 2011/x86_64/lib64freeradius1-2.1.11-1.1-mdv2011.0.x86_64.rpm
4a7846bb6261b07a4430cb12a5b67ec7 2011/x86_64/lib64freeradius-devel-2.1.11-1.1-mdv2011.0.x86_64.rpm
2600944fccf85291c36e3da0c890d94e 2011/SRPMS/freeradius-2.1.11-1.1.src.rpm
