This update for freeradius-server fixes the following issues:
- update to 3.0.15 (bsc#1049086)
- Bind the lifetime of program name and python path to the module
- CVE-2017-10978: FR-GV-201: Check input / output length in
make_secret() (bsc#1049086)
- CVE-2017-10983: FR-GV-206: Fix read overflow when decoding DHCP option
63 (bsc#1049086)
- CVE-2017-10984: FR-GV-301: Fix write overflow in data2vp_wimax()
(bsc#1049086)
- CVE-2017-10985: FR-GV-302: Fix infinite loop and memory exhaustion
with ‘concat’ attributes (bsc#1049086)
- CVE-2017-10986: FR-GV-303: Fix infinite read in dhcp_attr2vp()
(bsc#1049086)
- CVE-2017-10987: FR-GV-304: Fix buffer over-read in
fr_dhcp_decode_suboptions() (bsc#1049086)
- CVE-2017-10988: FR-GV-305: Decode ‘signed’ attributes correctly.
(bsc#1049086)
- FR-AD-001: use strncmp() instead of memcmp() for bounded data
- Print messages when we see deprecated configuration items
- Show reasons why we couldn’t parse a certificate expiry time
- Be more accepting about truncated ASN1 times.
- Fix OpenSSL API issue which could leak small amounts of memory.
- For Access-Reject, call rad_authlog() after running the post-auth
section, just like for Access-Accept.
- Don’t crash when reading corrupted data from session resumption cache.
- Parse port in dhcpclient.
- Don’t leak memory for OpenSSL.
- Portability fixes taken from OpenBSD port collection.
- run rad_authlog after post-auth for Access-Reject.
- Don’t process VMPS packets twice.
- Fix attribute truncation in rlm_perl
- Fix bug when processing huntgroups.
- FR-AD-002 - Bind the lifetime of program name and python path to the
module
- FR-AD-003 - Pass correct statement length into sqlite3_prepare[_v2]
This update was imported from the SUSE:SLE-12-SP3:Update update project.