Updated freeradius package fixes security vulnerability
Publication date: 28 Jul 2015Modification date: 28 Jul 2015
Type: security
Affected Mageia releases : 4 , 5
CVE: CVE-2015-4680
Description
The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA certificates. An unexpired client certificate, issued by an intermediate CA with a revoked certificate, is therefore accepted by FreeRADIUS (CVE-2015-4680). The freeradius package has been updated to version 2.2.8, which fixes this issue, as well as the failure to run on Mageia 5 due to an OpenSSL issue.
References
- https://bugs.mageia.org/show_bug.cgi?id=16175
- http://freeradius.org/security.html
- http://freeradius.org/press/index.html#2.2.8
- http://www.ocert.org/advisories/ocert-2015-008.html
- https://bugs.mageia.org/show_bug.cgi?id=16176
- https://bugs.mageia.org/show_bug.cgi?id=16175
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4680
SRPMS
5/core
- freeradius-2.2.8-1.mga5
4/core
- freeradius-2.2.8-1.mga4