
Vulnerability Information 2

Red Hat security update advisory


FreeRADIUS is a high-performance, highly configurable free Remote Authentication Dial In User Service (RADIUS) server designed to provide centralized authentication and authorization for a network.

Security fix: an authentication bypass flaw was found in the way the EAP module in FreeRADIUS handles TLS session resumption.

A remote, unauthenticated attacker could potentially use this flaw to bypass the inner authentication check in FreeRADIUS by resuming an earlier TLS session that was never authenticated.


=====================================================================

                   Red Hat Security Advisory


Synopsis:          Important: freeradius security update

Advisory ID:       RHSA-2017:1581-01

Product:           Red Hat Enterprise Linux

Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1581

Issue date:        2017-06-28

CVE Names:         CVE-2017-9148 

=====================================================================


1. Summary:


An update for freeradius is now available for Red Hat Enterprise Linux 7.


Red Hat Product Security has rated this update as having a security impact

of Important. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available for each vulnerability

from the CVE link(s) in the References section.


2. Relevant releases/architectures:


Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64


3. Description:


FreeRADIUS is a high-performance and highly configurable free Remote

Authentication Dial In User Service (RADIUS) server, designed to allow

centralized authentication and authorization for a network.


Security Fix(es):


* An authentication bypass flaw was found in the way the EAP module in

FreeRADIUS handled TLS session resumption. A remote unauthenticated

attacker could potentially use this flaw to bypass the inner authentication

check in FreeRADIUS by resuming an older unauthenticated TLS session.

(CVE-2017-9148)


4. Solution:


For details on how to apply this update, which includes the changes

described in this advisory, refer to:


https://access.redhat.com/articles/11258


5. Bugs fixed (https://bugzilla.redhat.com/):


1456697 - CVE-2017-9148 freeradius: TLS resumption authentication bypass


6. Package List:


Red Hat Enterprise Linux Server (v. 7):


Source:

freeradius-3.0.4-8.el7_3.src.rpm


aarch64:

freeradius-3.0.4-8.el7_3.aarch64.rpm

freeradius-debuginfo-3.0.4-8.el7_3.aarch64.rpm


ppc64:

freeradius-3.0.4-8.el7_3.ppc64.rpm

freeradius-debuginfo-3.0.4-8.el7_3.ppc64.rpm


ppc64le:

freeradius-3.0.4-8.el7_3.ppc64le.rpm

freeradius-debuginfo-3.0.4-8.el7_3.ppc64le.rpm


s390x:

freeradius-3.0.4-8.el7_3.s390x.rpm

freeradius-debuginfo-3.0.4-8.el7_3.s390x.rpm


x86_64:

freeradius-3.0.4-8.el7_3.x86_64.rpm

freeradius-debuginfo-3.0.4-8.el7_3.x86_64.rpm


Red Hat Enterprise Linux Server Optional (v. 7):


aarch64:

freeradius-debuginfo-3.0.4-8.el7_3.aarch64.rpm

freeradius-devel-3.0.4-8.el7_3.aarch64.rpm

freeradius-doc-3.0.4-8.el7_3.aarch64.rpm

freeradius-krb5-3.0.4-8.el7_3.aarch64.rpm

freeradius-ldap-3.0.4-8.el7_3.aarch64.rpm

freeradius-mysql-3.0.4-8.el7_3.aarch64.rpm

freeradius-perl-3.0.4-8.el7_3.aarch64.rpm

freeradius-postgresql-3.0.4-8.el7_3.aarch64.rpm

freeradius-python-3.0.4-8.el7_3.aarch64.rpm

freeradius-sqlite-3.0.4-8.el7_3.aarch64.rpm

freeradius-unixODBC-3.0.4-8.el7_3.aarch64.rpm

freeradius-utils-3.0.4-8.el7_3.aarch64.rpm


ppc64:

freeradius-debuginfo-3.0.4-8.el7_3.ppc.rpm

freeradius-debuginfo-3.0.4-8.el7_3.ppc64.rpm

freeradius-devel-3.0.4-8.el7_3.ppc.rpm

freeradius-devel-3.0.4-8.el7_3.ppc64.rpm

freeradius-doc-3.0.4-8.el7_3.ppc64.rpm

freeradius-krb5-3.0.4-8.el7_3.ppc64.rpm

freeradius-ldap-3.0.4-8.el7_3.ppc64.rpm

freeradius-mysql-3.0.4-8.el7_3.ppc64.rpm

freeradius-perl-3.0.4-8.el7_3.ppc64.rpm

freeradius-postgresql-3.0.4-8.el7_3.ppc64.rpm

freeradius-python-3.0.4-8.el7_3.ppc64.rpm

freeradius-sqlite-3.0.4-8.el7_3.ppc64.rpm

freeradius-unixODBC-3.0.4-8.el7_3.ppc64.rpm

freeradius-utils-3.0.4-8.el7_3.ppc64.rpm


ppc64le:

freeradius-debuginfo-3.0.4-8.el7_3.ppc64le.rpm

freeradius-devel-3.0.4-8.el7_3.ppc64le.rpm

freeradius-doc-3.0.4-8.el7_3.ppc64le.rpm

freeradius-krb5-3.0.4-8.el7_3.ppc64le.rpm

freeradius-ldap-3.0.4-8.el7_3.ppc64le.rpm

freeradius-mysql-3.0.4-8.el7_3.ppc64le.rpm

freeradius-perl-3.0.4-8.el7_3.ppc64le.rpm

freeradius-postgresql-3.0.4-8.el7_3.ppc64le.rpm

freeradius-python-3.0.4-8.el7_3.ppc64le.rpm

freeradius-sqlite-3.0.4-8.el7_3.ppc64le.rpm

freeradius-unixODBC-3.0.4-8.el7_3.ppc64le.rpm

freeradius-utils-3.0.4-8.el7_3.ppc64le.rpm


s390x:

freeradius-debuginfo-3.0.4-8.el7_3.s390.rpm

freeradius-debuginfo-3.0.4-8.el7_3.s390x.rpm

freeradius-devel-3.0.4-8.el7_3.s390.rpm

freeradius-devel-3.0.4-8.el7_3.s390x.rpm

freeradius-doc-3.0.4-8.el7_3.s390x.rpm

freeradius-krb5-3.0.4-8.el7_3.s390x.rpm

freeradius-ldap-3.0.4-8.el7_3.s390x.rpm

freeradius-mysql-3.0.4-8.el7_3.s390x.rpm

freeradius-perl-3.0.4-8.el7_3.s390x.rpm

freeradius-postgresql-3.0.4-8.el7_3.s390x.rpm

freeradius-python-3.0.4-8.el7_3.s390x.rpm

freeradius-sqlite-3.0.4-8.el7_3.s390x.rpm

freeradius-unixODBC-3.0.4-8.el7_3.s390x.rpm

freeradius-utils-3.0.4-8.el7_3.s390x.rpm


x86_64:

freeradius-debuginfo-3.0.4-8.el7_3.i686.rpm

freeradius-debuginfo-3.0.4-8.el7_3.x86_64.rpm

freeradius-devel-3.0.4-8.el7_3.i686.rpm

freeradius-devel-3.0.4-8.el7_3.x86_64.rpm

freeradius-doc-3.0.4-8.el7_3.x86_64.rpm

freeradius-krb5-3.0.4-8.el7_3.x86_64.rpm

freeradius-ldap-3.0.4-8.el7_3.x86_64.rpm

freeradius-mysql-3.0.4-8.el7_3.x86_64.rpm

freeradius-perl-3.0.4-8.el7_3.x86_64.rpm

freeradius-postgresql-3.0.4-8.el7_3.x86_64.rpm

freeradius-python-3.0.4-8.el7_3.x86_64.rpm

freeradius-sqlite-3.0.4-8.el7_3.x86_64.rpm

freeradius-unixODBC-3.0.4-8.el7_3.x86_64.rpm

freeradius-utils-3.0.4-8.el7_3.x86_64.rpm


Red Hat Enterprise Linux Workstation (v. 7):


Source:

freeradius-3.0.4-8.el7_3.src.rpm


x86_64:

freeradius-3.0.4-8.el7_3.x86_64.rpm

freeradius-debuginfo-3.0.4-8.el7_3.x86_64.rpm


Red Hat Enterprise Linux Workstation Optional (v. 7):


x86_64:

freeradius-debuginfo-3.0.4-8.el7_3.i686.rpm

freeradius-debuginfo-3.0.4-8.el7_3.x86_64.rpm

freeradius-devel-3.0.4-8.el7_3.i686.rpm

freeradius-devel-3.0.4-8.el7_3.x86_64.rpm

freeradius-doc-3.0.4-8.el7_3.x86_64.rpm

freeradius-krb5-3.0.4-8.el7_3.x86_64.rpm

freeradius-ldap-3.0.4-8.el7_3.x86_64.rpm

freeradius-mysql-3.0.4-8.el7_3.x86_64.rpm

freeradius-perl-3.0.4-8.el7_3.x86_64.rpm

freeradius-postgresql-3.0.4-8.el7_3.x86_64.rpm

freeradius-python-3.0.4-8.el7_3.x86_64.rpm

freeradius-sqlite-3.0.4-8.el7_3.x86_64.rpm

freeradius-unixODBC-3.0.4-8.el7_3.x86_64.rpm

freeradius-utils-3.0.4-8.el7_3.x86_64.rpm


These packages are GPG signed by Red Hat for security.  Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/
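
As an added check that is not part of the Red Hat advisory: a small POSIX shell script that compares the freeradius build installed on a RHEL 7 host with the fixed build listed in the package list above (3.0.4-8.el7_3). Because Red Hat backports fixes into the existing package version, the upstream version string (3.0.4) alone says nothing about whether CVE-2017-9148 is fixed; the release field of the errata build is what matters. The comparison relies on GNU sort -V being present, which is an assumption about the host; the function and variable names are mine, not Red Hat's or FreeRADIUS's.

```shell
#!/bin/sh
# Added example, not part of RHSA-2017:1581. Decides whether the freeradius
# package installed on a RHEL 7 host is at or above the errata build
# 3.0.4-8.el7_3 that carries the fix for CVE-2017-9148.
#
# Assumption: GNU `sort -V` is available. It orders the dotted-numeric
# version-release strings used by these packages correctly; for arbitrary
# RPM strings (epochs, tildes) use rpmdev-vercmp instead.

FIXED_NVR="3.0.4-8.el7_3"

# nvr_at_least INSTALLED FIXED
# Returns 0 if INSTALLED is the same as or newer than FIXED, 1 otherwise.
nvr_at_least() {
    installed="$1"
    fixed="$2"
    # Identical strings are trivially "at least".
    [ "$installed" = "$fixed" ] && return 0
    # After a version sort the older string comes first; if the fixed build
    # sorts first, the installed build is newer.
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# freeradius_status
# Prints a one-line verdict for the local host. Exit status: 0 fixed,
# 1 vulnerable build installed, 2 could not determine (no rpm or no package).
freeradius_status() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; cannot check freeradius"
        return 2
    fi
    # VERSION-RELEASE of the installed package, e.g. 3.0.4-8.el7_3.
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' freeradius 2>/dev/null) || {
        echo "freeradius is not installed"
        return 2
    }
    if nvr_at_least "$installed" "$FIXED_NVR"; then
        echo "freeradius $installed: includes the fix for CVE-2017-9148 (RHSA-2017:1581)"
        return 0
    fi
    echo "freeradius $installed: older than $FIXED_NVR, apply RHSA-2017:1581"
    return 1
}

# Run the host check only when executed directly, so the functions can also
# be sourced from another script.
case "$0" in
    *freeradius_check.sh) freeradius_status ;;
esac
```

On a host where the package came from the errata, `rpm -q --changelog freeradius | grep CVE-2017-9148` typically confirms the same thing from the package's own changelog, and `rpm -K freeradius-3.0.4-8.el7_3.x86_64.rpm` on a downloaded file verifies the Red Hat GPG signature mentioned above before the update is applied.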


7. References:


https://access.redhat.com/security/cve/CVE-2017-9148

https://access.redhat.com/security/updates/classification/#important
