{"id":"MGASA-2020-0007","summary":"Updated freeradius packages fix security vulnerabilities","details":"Updated freeradius packages fix security vulnerabilities:\n\nIt was discovered freeradius does not correctly configure logrotate,\nallowing a local attacker who already has control of the radiusd user to\nescalate his privileges to root, by tricking logrotate into writing a\nradiusd-writable file to a directory normally inaccessible by the radiusd\n user (CVE-2019-10143).\n\nAn information leak was discovered in the implementation of EAP-pwd in\nfreeradius. An attacker could initiate several EAP-pwd handshakes to leak\ninformation, which can then be used to recover the user's WiFi password by\nperforming dictionary and brute-force attacks (CVE-2019-13456).\n\nDenial of service issues due to multithreaded BN_CTX access\n(CVE-2019-17185).\n","modified":"2026-04-16T01:45:34.159367601Z","published":"2020-01-05T15:37:51Z","upstream":["CVE-2019-10143","CVE-2019-13456","CVE-2019-17185"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0007.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25907"},{"type":"WEB","url":"https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TKODLHHUOVAYENTBP4D3N25ST3Q6LJBP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/USTITI4A3TVUX3SGO7TJCJ4WWFBZFWLZ/"}],"affected":[{"package":{"name":"freeradius","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/freeradius?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.20-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0007.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}