Debian LTS Advisory ([SECURITY] [DLA 977-1] freeradius security update)

Several issues were discovered in FreeRADIUS, a high-performance and highly configurable RADIUS server. CVE-2014-2015 A stack-based buffer overflow was found in the normify function in the rlm_pap module, which can be attacked by existing users to cause denial of service or other issues. CVE-2015-4680 It was discovered that freeradius failed to check revocation of intermediate CA certificates, thus accepting client certificates issued by revoked certificates from an intermediate CA. Note that to enable checking of intermediate CA certificates, it is necessary to enable the check_all_crl option of the EAP TLS section in eap.conf. This is only necessary for servers using certificates signed by an intermediate CA. Servers that use self-signed CA certificate are unaffected. CVE-2017-9148 The TLS session cache fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.

freeradius on Debian Linux

This check tests the installed software version using the apt package manager.

For Debian 7 'Wheezy', these problems have been fixed in version 2.1.12+dfsg-1.2+deb7u1. We recommend that you upgrade your freeradius packages.