[SECURITY] [DLA 4232-1] freeradius security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4232-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
June 26, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : freeradius
Version : 3.0.21+dfsg-2.2+deb11u2
CVE ID : CVE-2022-41859 CVE-2022-41860 CVE-2022-41861
Several security vulnerabilities have been discovered in freeradius, a
highly configurable RADIUS server.
CVE-2022-41859

    The EAP-PWD function compute_password_element() leaks information
    about the password, which allows an attacker to substantially
    reduce the size of an offline dictionary attack.

CVE-2022-41860

    When an EAP-SIM supplicant sends an unknown SIM option, the server
    will try to look that option up in the internal dictionaries. This
    lookup will fail, but the SIM code does not check for that
    failure. Instead, it dereferences a NULL pointer and causes
    the server to crash.

CVE-2022-41861

    A malicious RADIUS client or home server can send a malformed
    abinary attribute which can cause the server to crash. This crash
    is not exploitable by end users. Only systems which are in the
    RADIUS circle of trust can send these malformed attributes to a
    server.
For Debian 11 bullseye, these problems have been fixed in version
3.0.21+dfsg-2.2+deb11u2.
We recommend that you upgrade your freeradius packages.
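Checking whether an installed bullseye package already carries the fix, as an added example that is not part of the advisory: the pure-shell function only recognises the 3.0.21+dfsg-2.2 version lineage named above and reports anything else as not comparable, so `dpkg --compare-versions` stays the authoritative check for backports or local builds.

```shell
#!/bin/sh
# Added example: decide whether an installed freeradius version on Debian 11
# already includes the DLA-4232-1 fix (3.0.21+dfsg-2.2+deb11u2 or later).
# Exit status: 0 = fixed, 1 = vulnerable, 2 = not a bullseye-lineage version.
FIXED_VERSION='3.0.21+dfsg-2.2+deb11u2'

bullseye_freeradius_fixed() {
    v=$1
    case "$v" in
        3.0.21+dfsg-2.2)
            # The original bullseye release, before any security upload.
            return 1 ;;
        3.0.21+dfsg-2.2+deb11u*)
            # Security uploads differ only in the trailing deb11u<N> counter.
            n=${v##*+deb11u}
            case "$n" in ''|*[!0-9]*) return 2 ;; esac
            if [ "$n" -ge 2 ]; then return 0; else return 1; fi ;;
        *)
            # Backports, other suites or local builds: not comparable here.
            return 2 ;;
    esac
}

# Report on the locally installed package when dpkg-query is available.
report_installed() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found"; return 2; }
    installed=$(dpkg-query -W -f='${Version}' freeradius 2>/dev/null) || {
        echo "freeradius is not installed"; return 2; }
    bullseye_freeradius_fixed "$installed" && rc=0 || rc=$?
    case $rc in
        0) echo "freeradius $installed: fixed (>= $FIXED_VERSION)" ;;
        1) echo "freeradius $installed: VULNERABLE, upgrade to $FIXED_VERSION" ;;
        *) echo "freeradius $installed: not a bullseye version, use dpkg --compare-versions" ;;
    esac
    return $rc
}

# Run the local check only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then
    report_installed
fi
```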
For the detailed security status of freeradius, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freeradius
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS