Sigurnosni propust, koji je otklonjen novom zakrpom, javlja se u radu programskog paketa freeradius, a napadaču omogućuje zaobilaženje sigurnosnih postavki.
Paket:
freeradius 2.x
Operacijski sustavi:
Mandriva Linux 2011
Problem:
neodgovarajuća provjera ulaznih podataka
Iskorištavanje:
udaljeno
Posljedica:
neovlašteni pristup sustavu, zaobilaženje postavljenih ograničenja
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-2701
Izvorni ID preporuke:
MDVSA-2012:047
Izvor:
Mandriva
Problem:
Propust u funkciji "ocsp_check" javlja se zbog nepravilnog rukovanja OCSP (eng. Online Certificate Status Protocol) odgovorima.
Posljedica:
Zlonamjerni udaljeni korisnik bi mogao zaobići sigurnosna ograničenja i zadobiti pristup sustavu.
Rješenje:
Svim se korisnicima savjetuje instalacija nadogradnji.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:047
http://www.mandriva.com/security/
_______________________________________________________________________
Package : freeradius
Date : April 2, 2012
Affected: 2011.
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in freeradius:
The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11,
when OCSP is enabled, does not properly parse replies from OCSP
responders, which allows remote attackers to bypass authentication
by using the EAP-TLS protocol with a revoked X.509 client certificate
(CVE-2011-2701).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2701
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2011:
9592998224d1dd4546383ceb570d3604
2011/i586/freeradius-2.1.11-1.1-mdv2011.0.i586.rpm
c7ec70f99705f8791c08c7912455e720
2011/i586/freeradius-krb5-2.1.11-1.1-mdv2011.0.i586.rpm
ce2c6c629cc39a2f99c5b2d1abc29d9f
2011/i586/freeradius-ldap-2.1.11-1.1-mdv2011.0.i586.rpm
b5cec8d58961e87db88b3aa66c2c6df9
2011/i586/freeradius-mysql-2.1.11-1.1-mdv2011.0.i586.rpm
363cbe053c0543f9347039c8706df1c3
2011/i586/freeradius-postgresql-2.1.11-1.1-mdv2011.0.i586.rpm
c826e248100cf3d35b74020865762645
2011/i586/freeradius-sqlite-2.1.11-1.1-mdv2011.0.i586.rpm
7f07e2059fa79f504188253afdd77f78
2011/i586/freeradius-unixODBC-2.1.11-1.1-mdv2011.0.i586.rpm
7d8dbb6ef93d6cb29558f66d71083943
2011/i586/freeradius-web-2.1.11-1.1-mdv2011.0.i586.rpm
21426a8a40d24ba90242d3ce5e0b113b
2011/i586/libfreeradius1-2.1.11-1.1-mdv2011.0.i586.rpm
304f8ba5960f970b944369de8f842cdd
2011/i586/libfreeradius-devel-2.1.11-1.1-mdv2011.0.i586.rpm
2600944fccf85291c36e3da0c890d94e 2011/SRPMS/freeradius-2.1.11-1.1.src.rpm
Mandriva Linux 2011/X86_64:
49669a354bf8a8a6427c0bfe81b34c0c
2011/x86_64/freeradius-2.1.11-1.1-mdv2011.0.x86_64.rpm
6d47286995039b37481e1281728a48bf
2011/x86_64/freeradius-krb5-2.1.11-1.1-mdv2011.0.x86_64.rpm
90e7fa1c475b9ef529b699ed2398e70a
2011/x86_64/freeradius-ldap-2.1.11-1.1-mdv2011.0.x86_64.rpm
c63a69dc4d33bd93b770a0bbcaf244aa
2011/x86_64/freeradius-mysql-2.1.11-1.1-mdv2011.0.x86_64.rpm
38e7261e1efa0bcba37d639de9e8fed7
2011/x86_64/freeradius-postgresql-2.1.11-1.1-mdv2011.0.x86_64.rpm
f616bf3ee830937f0cc38796616b76c5
2011/x86_64/freeradius-sqlite-2.1.11-1.1-mdv2011.0.x86_64.rpm
9ede61aed21b46ec642b424265c247fc
2011/x86_64/freeradius-unixODBC-2.1.11-1.1-mdv2011.0.x86_64.rpm
a7fa64a62adb65f72ea3052a7b2795ac
2011/x86_64/freeradius-web-2.1.11-1.1-mdv2011.0.x86_64.rpm
6db99dc40f74f94c6d48931453ce27f6
2011/x86_64/lib64freeradius1-2.1.11-1.1-mdv2011.0.x86_64.rpm
4a7846bb6261b07a4430cb12a5b67ec7
2011/x86_64/lib64freeradius-devel-2.1.11-1.1-mdv2011.0.x86_64.rpm
2600944fccf85291c36e3da0c890d94e 2011/SRPMS/freeradius-2.1.11-1.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPeUYPmqjQ0CJFipgRAgkHAKDaoiL7/ihAA3bufPy+vys89WY0mQCdHZ9t
BolUuQnx/+8zAiGhNt87zsA=
=FZSY
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke