Security update for freeradius-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1609-1 Final 1 1 2017-06-19T15:46:27Z current 2017-06-19T15:46:27Z 2017-06-19T15:46:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for freeradius-server This update for freeradius-server fixes the following issues: - CVE-2017-9148: Disable OpenSSL's internal session cache to mitigate authentication bypass. (boo#1041445) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-06/msg00069.html E-Mail link for openSUSE-SU-2017:1609-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 freeradius-server-3.0.12-2.3.1 freeradius-server-devel-3.0.12-2.3.1 freeradius-server-doc-3.0.12-2.3.1 freeradius-server-krb5-3.0.12-2.3.1 freeradius-server-ldap-3.0.12-2.3.1 freeradius-server-libs-3.0.12-2.3.1 freeradius-server-mysql-3.0.12-2.3.1 freeradius-server-perl-3.0.12-2.3.1 freeradius-server-postgresql-3.0.12-2.3.1 freeradius-server-python-3.0.12-2.3.1 freeradius-server-sqlite-3.0.12-2.3.1 freeradius-server-utils-3.0.12-2.3.1 freeradius-server-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-devel-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-doc-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-krb5-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-ldap-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-libs-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-mysql-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-perl-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-postgresql-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-python-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-sqlite-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 freeradius-server-utils-3.0.12-2.3.1 as a component of openSUSE Leap 42.2 The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS. CVE-2017-9148 openSUSE Leap 42.2:freeradius-server-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-devel-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-doc-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-krb5-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-ldap-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-libs-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-mysql-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-perl-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-postgresql-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-python-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-sqlite-3.0.12-2.3.1 openSUSE Leap 42.2:freeradius-server-utils-3.0.12-2.3.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00069.html https://www.suse.com/security/cve/CVE-2017-9148.html CVE-2017-9148 https://bugzilla.suse.com/1041445 SUSE Bug 1041445 https://bugzilla.suse.com/1046141 SUSE Bug 1046141