MGASA-2019-0176: freeradius-3.0.15-1.1.mga6
type: security  # davidwhodgins | 8551
subject: Updated freeradius packages fix security vulnerability
CVE:
  - CVE-2019-11234
  - CVE-2019-11235
src:
  6:
    core:
      - freeradius-3.0.15-1.1.mga6
description: |
  An attacker can reflect the received scalar and element from the server in
  its own commit message, and subsequently reflect the confirm value as
  well. This causes the adversary to successfully authenticate as the victim
  (CVE-2019-11234).

  An invalid curve attack allows an attacker to authenticate as any user
  (without knowing the password). The problem is that on the reception of an
  EAP-PWD Commit frame, FreeRADIUS doesn't verify whether the received
  elliptic curve point is valid (CVE-2019-11235).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=24762
  - https://bugzilla.redhat.com/show_bug.cgi?id=1695748
  - https://bugzilla.redhat.com/show_bug.cgi?id=1695783
  - https://access.redhat.com/errata/RHSA-2019:1131
ID: MGASA-2019-0176  # tmb | 8556