CVE-2011-4966

Published: 12 March 2013

modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password.

Priority

Status

Package	Release	Status
freeradius Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Released (2.1.8+dfsg-1ubuntu1.1)
	oneiric	Ignored (end of life)
	precise	Released (2.1.10+dfsg-3ubuntu0.12.04.2)
	quantal	Released (2.1.12+dfsg-1.1ubuntu0.1)
	raring	Ignored (end of life)
	saucy	Not vulnerable (2.1.12+dfsg-1.2ubuntu5)
	upstream	Released (2.1.12+dfsg-1.2)
	Patches: upstream: https://github.com/alandekok/freeradius-server/commit/1b1ec5ce75e224bd1755650c18ccdaa6dc53e605

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4966
https://ubuntu.com/security/notices/USN-2122-1
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694407
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4966

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›