Updated freeradius packages fix security vulnerabilitiesPublication date: 05 Jan 2020
Affected Mageia releases : 7
CVE: CVE-2019-10143 , CVE-2019-13456 , CVE-2019-17185
Updated freeradius packages fix security vulnerabilities: It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user (CVE-2019-10143). An information leak was discovered in the implementation of EAP-pwd in freeradius. An attacker could initiate several EAP-pwd handshakes to leak information, which can then be used to recover the user's WiFi password by performing dictionary and brute-force attacks (CVE-2019-13456). Denial of service issues due to multithreaded BN_CTX access (CVE-2019-17185).