Security update for freeradius-server
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a denial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
This update was imported from the SUSE:SLE-15:Update update project.
Submitted by
Adam Majer (adamm)
Fixed bugs
bnc#1146848
freeradius still continues to establish connection even with cert error and softfail set as no
bnc#1166847
VUL-0: CVE-2019-17185: freeradius-server: Fix DoS issues due to multithreaded BN_CTX access
bnc#1144524
VUL-0: CVE-2019-13456: freeradius-server: no validation of peer's scalar and elliptic curve point when processing an EAP-pwd Commit frame may lead to authentication bypass