Vulnerability in FreeRADIUS

Vulnerability in FreeRADIUS

HANCHATE Ravikiran (u5574292)
Dears,

We received a vulnerability in FreeRADIUS. Can you please assist here?

1/ How will this impact our radius infra?

2/ What steps need to be taken to apply the Linux Fedora patches regarding the FreeRADIUS vulnerability?

Please provide step-by-step guides or implementation instructions to apply the Linux Fedora patches.

Please let me know if you need any information on this.

Regards,

Ravi

*********DISCLAIMER*********
This electronic transmission (and any attached document) is intended
exclusively for the person or entity to whom it is addressed and may
contain confidential and/or privileged material.
Any disclosure, copying, distribution or other action based upon
the information by persons or entities other than the intended recipient
is prohibited. If you receive this message in error, please contact the
sender and delete the material from any and all computers.
Orange Belgium does not warrant a proper and complete transmission of this
information, nor does it accept liability for any delays.
Unless clearly and unambiguously stated otherwise, the content of this
e-mail and its attachment is provided to you for information purposes
only, and nothing herein shall be binding upon, or shall constitute or
be construed as a binding offer of Orange Belgium.
*****END OF DISCLAIMER*****


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

vul free radius.txt (2K) Download Attachment

Re: Vulnerability in FreeRADIUS

Alan DeKok-2
On Mar 16, 2020, at 8:02 AM, HANCHATE Ravikiran (u5574292) <[hidden email]> wrote:
> we received Vulnerability in FreeRADIUS , Can you please assist here,

  This issue was found and fixed many months ago.

> 1/ How this will impact on our radius infra ?

  Do you run EAP-PWD?

  no - this doesn't affect you

  yes - the description says what the impact is.

> 2/ what steps need to be taken to Apply the Linux Fedora patches regarding the FreeRADIUS vulnerability

  Ask Fedora how their system works.

> Please provide step by step guides or implement instructions to   Apply the Linux Fedora patches ?

  You seem to be operating under the misconception that we *owe* you something.  We don't.

  The guides and documentation are available on the FreeRADIUS web site, and are included with the source.  If you have *specific* questions about them, please ask.  Otherwise, if it's too much work for you to look for the guides, then it's too much work for us to look for them, too.  If only there was something called "google", or perhaps a "wiki".  Or even a "doc" directory in the server.  That would be magical...

  As for Fedora, ask Fedora how to apply patches to their system.  Ask Fedora if they have updated patches.

  We supply the source, which you can download and build yourself.  Instructions are on the Wiki, and included with the source.

  We also supply pre-built packages.  Full instructions are on our web site: http://packages.networkradius.com

  Alan DeKok.



RE: Vulnerability in FreeRADIUS

HANCHATE Ravikiran (u5574292)
Thank you, Alan, for your descriptive reply.

Cheers!!!

________________________________________
From: Freeradius-Users [freeradius-users-bounces+u5574292=[hidden email]] on behalf of Alan DeKok [[hidden email]]
Sent: Monday, 16 March  2020 1:15 PM
To: FreeRadius users mailing list
Cc: HANCHATE Ravikiran (TechM)
Subject: Re: Vulnerability in FreeRADIUS

On Mar 16, 2020, at 8:02 AM, HANCHATE Ravikiran (u5574292) <[hidden email]> wrote:
> we received Vulnerability in FreeRADIUS , Can you please assist here,

  This issue was found and fixed many months ago.

> 1/ How this will impact on our radius infra ?

  Do you run EAP-PWD?

  no - this doesn't affect you

  yes - the description says what the impact is.

> 2/ what steps need to be taken to Apply the Linux Fedora patches regarding the FreeRADIUS vulnerability

  Ask Fedora how their system works.

> Please provide step by step guides or implement instructions to   Apply the Linux Fedora patches ?

  You seem to be operating under the misconception that we *owe* you something.  We don't.

  The guides and documentation are available on the FreeRADIUS web site, and are included with the source.  If you have *specific* questions about them, please ask.  Otherwise, if it's too much work for you to look for the guides, then it's too much work for us to look for them, too.  If only there was something called "google", or perhaps a "wiki".  Or even a "doc" directory in the server.  That would be magical...

  As for Fedora, ask Fedora how to apply patches to their system.  Ask Fedora if they have updated patches.

  We supply the source, which you can download and build yourself.  Instructions are on the Wiki, and included with the source.

  We also supply pre-built packages.  Full instructions are on our web site: http://packages.networkradius.com

  Alan DeKok.



Re: Vulnerability in FreeRADIUS

Alex Scheel
Fedora's FreeRADIUS maintainer here.

----- Original Message -----
> From: "HANCHATE Ravikiran (u5574292)" <[hidden email]>
> To: "FreeRadius users mailing list" <[hidden email]>
> Sent: Monday, March 16, 2020 8:22:44 AM
> Subject: RE: Vulnerability in FreeRADIUS
>
> Thank you Alan for your descriptive reply .
>
> Cheers !!!
>

~snip~

> > 2/ what steps need to be taken to Apply the Linux Fedora patches regarding
> > the FreeRADIUS vulnerability
>
>   Ask Fedora how their system works.

Run:

sudo dnf update --refresh

It should get you the latest packages. Fedora 30 and Fedora 31 both have
3.0.20, which is still the latest upstream release. My understanding is
that that release fixes the CVE in question (CVE-2019-13456).


- Alex
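
Added example (not part of any post in this thread, and not FreeRADIUS or Fedora code): the two checks the replies above turn on, whether EAP-PWD is enabled and whether the installed release is older than 3.0.20, written as shell functions. The "pwd {" match, the constructed sample configs, the package name and the /etc/raddb path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage one host for the issue discussed
# (EAP-PWD, fixed per the thread in 3.0.20).
FIXED_VERSION="3.0.20"

# version_lt A B: succeeds when dotted version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# eap_pwd_enabled FILE: succeeds when FILE has an uncommented "pwd {" section.
# Assumption: EAP-PWD is switched on by uncommenting that block in the eap module.
eap_pwd_enabled() {
    grep -Eq '^[[:space:]]*pwd[[:space:]]*\{' "$1"
}

# triage VERSION FILE: print the verdict for this version and eap config.
triage() {
    if ! eap_pwd_enabled "$2"; then
        echo "not affected: EAP-PWD is not enabled"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "affected: EAP-PWD enabled on $1, update to $FIXED_VERSION or later"
    else
        echo "fixed: EAP-PWD enabled, $1 already includes the fix"
    fi
}

# Constructed sample configs (not real deployments).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'eap {\n#\tpwd {\n#\t\tgroup = 19\n#\t}\n}\n' > "$SAMPLES/pwd_off"
printf 'eap {\n\tpwd {\n\t\tgroup = 19\n\t}\n}\n'    > "$SAMPLES/pwd_on"

triage 3.0.19 "$SAMPLES/pwd_off"   # EAP-PWD commented out
triage 3.0.19 "$SAMPLES/pwd_on"    # enabled, older than the fix
triage 3.0.20 "$SAMPLES/pwd_on"    # enabled, fixed release

# On a real host (package name and path are assumptions for a Fedora layout):
#   triage "$(rpm -q --qf '%{VERSION}' freeradius)" /etc/raddb/mods-enabled/eap
```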
