CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
75.5%
CentOS Errata and Security Advisory CESA-2005:524
FreeRADIUS is a high-performance and highly configurable free RADIUS server
designed to allow centralized authentication and authorization for a network.
A buffer overflow bug was found in the way FreeRADIUS escapes data in an
SQL query. An attacker may be able to crash FreeRADIUS if they cause
FreeRADIUS to escape a string containing three or less characters. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-1454 to this issue.
Additionally a bug was found in the way FreeRADIUS escapes SQL data. It is
possible that an authenticated user could execute arbitrary SQL queries by
sending a specially crafted request to FreeRADIUS. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-1455 to this issue.
Users of FreeRADIUS should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2005-June/074054.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074056.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074057.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074058.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074063.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074065.html
https://lists.centos.org/pipermail/centos-announce/2005-June/074066.html
Affected packages:
freeradius
freeradius-mysql
freeradius-postgresql
freeradius-unixODBC
Upstream details at:
https://access.redhat.com/errata/RHSA-2005:524
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 4 | ia64 | freeradius | < 1.0.1-3.RHEL4 | freeradius-1.0.1-3.RHEL4.ia64.rpm |
CentOS | 4 | ia64 | freeradius-mysql | < 1.0.1-3.RHEL4 | freeradius-mysql-1.0.1-3.RHEL4.ia64.rpm |
CentOS | 4 | ia64 | freeradius-postgresql | < 1.0.1-3.RHEL4 | freeradius-postgresql-1.0.1-3.RHEL4.ia64.rpm |
CentOS | 4 | ia64 | freeradius-unixodbc | < 1.0.1-3.RHEL4 | freeradius-unixODBC-1.0.1-3.RHEL4.ia64.rpm |
CentOS | 3 | ia64 | freeradius | < 1.0.1-1.1.RHEL3 | freeradius-1.0.1-1.1.RHEL3.ia64.rpm |
CentOS | 3 | ia64 | freeradius-mysql | < 1.0.1-1.1.RHEL3 | freeradius-mysql-1.0.1-1.1.RHEL3.ia64.rpm |
CentOS | 3 | ia64 | freeradius-postgresql | < 1.0.1-1.1.RHEL3 | freeradius-postgresql-1.0.1-1.1.RHEL3.ia64.rpm |
CentOS | 3 | ia64 | freeradius-unixodbc | < 1.0.1-1.1.RHEL3 | freeradius-unixODBC-1.0.1-1.1.RHEL3.ia64.rpm |
CentOS | 4 | x86_64 | freeradius | < 1.0.1-3.RHEL4 | freeradius-1.0.1-3.RHEL4.x86_64.rpm |
CentOS | 4 | x86_64 | freeradius-mysql | < 1.0.1-3.RHEL4 | freeradius-mysql-1.0.1-3.RHEL4.x86_64.rpm |