-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:047 http://www.mandriva.com/security/ _______________________________________________________________________ Package : freeradius Date : April 2, 2012 Affected: 2011. _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in freeradius: The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by using the EAP-TLS protocol with a revoked X.509 client certificate (CVE-2011-2701). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2701 _______________________________________________________________________ Updated Packages: Mandriva Linux 2011: 9592998224d1dd4546383ceb570d3604 2011/i586/freeradius-2.1.11-1.1-mdv2011.0.i586.rpm c7ec70f99705f8791c08c7912455e720 2011/i586/freeradius-krb5-2.1.11-1.1-mdv2011.0.i586.rpm ce2c6c629cc39a2f99c5b2d1abc29d9f 2011/i586/freeradius-ldap-2.1.11-1.1-mdv2011.0.i586.rpm b5cec8d58961e87db88b3aa66c2c6df9 2011/i586/freeradius-mysql-2.1.11-1.1-mdv2011.0.i586.rpm 363cbe053c0543f9347039c8706df1c3 2011/i586/freeradius-postgresql-2.1.11-1.1-mdv2011.0.i586.rpm c826e248100cf3d35b74020865762645 2011/i586/freeradius-sqlite-2.1.11-1.1-mdv2011.0.i586.rpm 7f07e2059fa79f504188253afdd77f78 2011/i586/freeradius-unixODBC-2.1.11-1.1-mdv2011.0.i586.rpm 7d8dbb6ef93d6cb29558f66d71083943 2011/i586/freeradius-web-2.1.11-1.1-mdv2011.0.i586.rpm 21426a8a40d24ba90242d3ce5e0b113b 2011/i586/libfreeradius1-2.1.11-1.1-mdv2011.0.i586.rpm 304f8ba5960f970b944369de8f842cdd 2011/i586/libfreeradius-devel-2.1.11-1.1-mdv2011.0.i586.rpm 2600944fccf85291c36e3da0c890d94e 2011/SRPMS/freeradius-2.1.11-1.1.src.rpm Mandriva Linux 2011/X86_64: 49669a354bf8a8a6427c0bfe81b34c0c 2011/x86_64/freeradius-2.1.11-1.1-mdv2011.0.x86_64.rpm 6d47286995039b37481e1281728a48bf 2011/x86_64/freeradius-krb5-2.1.11-1.1-mdv2011.0.x86_64.rpm 90e7fa1c475b9ef529b699ed2398e70a 2011/x86_64/freeradius-ldap-2.1.11-1.1-mdv2011.0.x86_64.rpm c63a69dc4d33bd93b770a0bbcaf244aa 2011/x86_64/freeradius-mysql-2.1.11-1.1-mdv2011.0.x86_64.rpm 38e7261e1efa0bcba37d639de9e8fed7 2011/x86_64/freeradius-postgresql-2.1.11-1.1-mdv2011.0.x86_64.rpm f616bf3ee830937f0cc38796616b76c5 2011/x86_64/freeradius-sqlite-2.1.11-1.1-mdv2011.0.x86_64.rpm 9ede61aed21b46ec642b424265c247fc 2011/x86_64/freeradius-unixODBC-2.1.11-1.1-mdv2011.0.x86_64.rpm a7fa64a62adb65f72ea3052a7b2795ac 2011/x86_64/freeradius-web-2.1.11-1.1-mdv2011.0.x86_64.rpm 6db99dc40f74f94c6d48931453ce27f6 2011/x86_64/lib64freeradius1-2.1.11-1.1-mdv2011.0.x86_64.rpm 4a7846bb6261b07a4430cb12a5b67ec7 2011/x86_64/lib64freeradius-devel-2.1.11-1.1-mdv2011.0.x86_64.rpm 2600944fccf85291c36e3da0c890d94e 2011/SRPMS/freeradius-2.1.11-1.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFPeUYPmqjQ0CJFipgRAgkHAKDaoiL7/ihAA3bufPy+vys89WY0mQCdHZ9t BolUuQnx/+8zAiGhNt87zsA= =FZSY -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/