Debian Security Advisory

DSA-1089-1 freeradius -- several vulnerabilities

Date Reported:
03 Jun 2006
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 359042.
In the Bugtraq database (at SecurityFocus): BugTraq ID 17171, BugTraq ID 17293.
In Mitre's CVE dictionary: CVE-2005-4744, CVE-2006-1354.
More information:

Several problems have been discovered in freeradius, a high-performance and highly configurable RADIUS server. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2005-4744

    SuSE researchers have discovered several off-by-one errors may allow remote attackers to cause a denial of service and possibly execute arbitrary code.

  • CVE-2006-1354

    Due to insufficient input validation it is possible for a remote attacker to bypass authentication or cause a denial of service.

The old stable distribution (woody) does not contain this package.

For the stable distribution (sarge) this problem has been fixed in version 1.0.2-4sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.1.0-1.2.

We recommend that you upgrade your freeradius package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.