Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 211654

Summary: CVE-2006-1354 FreeRADIUS authentication bypass
Product: [Retired] Fedora Legacy Reporter: Matthew Miller <mattdm>
Component: freeradiusAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CANTFIX QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: fc4Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=secalert,reported=20060321,public=20060320,impact=important
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-04-10 19:44:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 211653    
Bug Blocks:    

Description Matthew Miller 2006-10-20 16:56:28 UTC 
This appears to also affect FC4.

+++ This bug was initially created as a clone of Bug #211653 +++
+++ This bug was initially created as a clone of Bug #186083 +++

FreeRADIUS authentication bypass

A bug in the EAP-MSCHAPv2 module could allow an attacker to
improperly authenticate as an aribitrary user.

http://www.freeradius.org/security.html


This issue also affects RHEL3

-- Additional comment from bressers on 2006-03-21 10:28 EST --
Created an attachment (id=126403)
Patch from upstream CVS


-- Additional comment from bugzilla on 2006-04-04 04:45 EST --

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0271.html
Comment 1 Matthew Miller 2006-10-20 17:03:02 UTC 
Also, CVE-2005-4745 and CVE-2005-4746, I think.
Comment 2 Matthew Miller 2007-04-10 19:44:39 UTC 
Fedora Core 4 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.