Amazon Linux 2 Security Advisory: ALAS-2019-1218
Advisory Release Date: 2019-05-29 19:08 Pacific
Advisory Updated Date: 2019-05-30 20:41 Pacific
FreeRADIUS mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499. (CVE-2019-11235)
FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497. (CVE-2019-11234)
Affected Packages:
freeradius
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update freeradius to update your system.
aarch64:
freeradius-3.0.13-10.amzn2.aarch64
freeradius-doc-3.0.13-10.amzn2.aarch64
freeradius-utils-3.0.13-10.amzn2.aarch64
freeradius-devel-3.0.13-10.amzn2.aarch64
freeradius-ldap-3.0.13-10.amzn2.aarch64
freeradius-krb5-3.0.13-10.amzn2.aarch64
freeradius-perl-3.0.13-10.amzn2.aarch64
freeradius-python-3.0.13-10.amzn2.aarch64
freeradius-mysql-3.0.13-10.amzn2.aarch64
freeradius-postgresql-3.0.13-10.amzn2.aarch64
freeradius-sqlite-3.0.13-10.amzn2.aarch64
freeradius-unixODBC-3.0.13-10.amzn2.aarch64
freeradius-debuginfo-3.0.13-10.amzn2.aarch64
i686:
freeradius-3.0.13-10.amzn2.i686
freeradius-doc-3.0.13-10.amzn2.i686
freeradius-utils-3.0.13-10.amzn2.i686
freeradius-devel-3.0.13-10.amzn2.i686
freeradius-ldap-3.0.13-10.amzn2.i686
freeradius-krb5-3.0.13-10.amzn2.i686
freeradius-perl-3.0.13-10.amzn2.i686
freeradius-python-3.0.13-10.amzn2.i686
freeradius-mysql-3.0.13-10.amzn2.i686
freeradius-postgresql-3.0.13-10.amzn2.i686
freeradius-sqlite-3.0.13-10.amzn2.i686
freeradius-unixODBC-3.0.13-10.amzn2.i686
freeradius-debuginfo-3.0.13-10.amzn2.i686
src:
freeradius-3.0.13-10.amzn2.src
x86_64:
freeradius-3.0.13-10.amzn2.x86_64
freeradius-doc-3.0.13-10.amzn2.x86_64
freeradius-utils-3.0.13-10.amzn2.x86_64
freeradius-devel-3.0.13-10.amzn2.x86_64
freeradius-ldap-3.0.13-10.amzn2.x86_64
freeradius-krb5-3.0.13-10.amzn2.x86_64
freeradius-perl-3.0.13-10.amzn2.x86_64
freeradius-python-3.0.13-10.amzn2.x86_64
freeradius-mysql-3.0.13-10.amzn2.x86_64
freeradius-postgresql-3.0.13-10.amzn2.x86_64
freeradius-sqlite-3.0.13-10.amzn2.x86_64
freeradius-unixODBC-3.0.13-10.amzn2.x86_64
freeradius-debuginfo-3.0.13-10.amzn2.x86_64