Package: src:freeradius
Severity: important
Tags: security

3.0.19 has been released addressing some issues in EAP-PWD. The VU# linked in the original advisory is not (yet?) accessible and I haven't found a CVE for it.

Since FreeRADIUS is orphaned I'll look at doing an NMU when I find some time, but likely not before early next week.

https://freeradius.org/security/

2019.04.10 Authentication bypass in EAP-PWD

The EAP-PWD module is vulnerable to multiple issues, including authentication bypass. This module is not enabled in the default configuration. Administrators must manually enable it for their server to be vulnerable. Versions 3.0.0 through 3.0.18 are affected.

The EAP-PWD module is vulnerable to side-channel and cache-based attacks. The issue is discussed in more detail in Hostap 2019-2. The attack requires the attacker to be able to run a program on the target device. This is not commonly the case on an authentication server (EAP server), so the most likely target for this would be a client device using EAP-PWD. It is not clear at this time if the attack is possible between multiple virtual machines on the same hardware.

Other issues with EAP-PWD were found earlier, and patched in Hostap. The FreeRADIUS team was not notified of these attacks until recently. We have now patched FreeRADIUS to address these issues.

Additional issues were found by Mathy Vanhoef as part of a deep investigation into EAP-PWD. He also supplied patches to address the issues. His report is included below.

This issue is recorded in VU#871675.

We have released version 3.0.19 to address these issues.

