MGASA-2019-0176: freeradius-3.0.15-1.1.mga6
type: security
subject: Updated freeradius packages fix security vulnerability
CVE:
 - CVE-2019-11234
 - CVE-2019-11235
src:
  6:
    core:
      - freeradius-3.0.15-1.1.mga6
description: |
  An attacker can reflect the received scalar and element from the server in
  its own commit message, and subsequently reflect the confirm value as
  well. This causes the adversary to successfully authenticate as the victim
  (CVE-2019-11234).

  An invalid curve attack allows an attacker to authenticate as any user
  (without knowing the password). The problem is that on the reception of an
  EAP-PWD Commit frame, FreeRADIUS doesn't verify whether the received
  elliptic curve point is valid (CVE-2019-11235).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24762
 - https://bugzilla.redhat.com/show_bug.cgi?id=1695748
 - https://bugzilla.redhat.com/show_bug.cgi?id=1695783
 - https://access.redhat.com/errata/RHSA-2019:1131
ID: MGASA-2019-0176