Bug 13843

Summary: [CVE 21] freeradius 3.0.23 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE QA Contact: ROSA Linux Bugs <bugs>
Severity: critical    
Priority: Highest CC: e.kosachev, i.gaptrakhmanov, s.matveev, v.potapov, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2022-41860,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:25:29 MSK 
Please patch CVEs for package freeradius version 3.0.23
  
INFO (CVEs are): freeradius 3.0.23
 cves found
CVE-2022-41860
Desc: In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41860
Severity: HIGH
Comment 1 Vladimir Potapov 2023-10-20 12:47:48 MSK 
*** Bug 13711 has been marked as a duplicate of this bug. ***
Comment 2 ilfat 2023-10-23 19:19:59 MSK 

*** This bug has been marked as a duplicate of bug 13493 ***