Multiple issues exist with version 1.0.4, and all prior
versions of the server. Externally exploitable
vulnerabilities exist only for sites that use the
rlm_sqlcounter module. Those sites may be vulnerable to
SQL injection attacks, similar to the issues noted below.
All sites that have not deployed the rlm_sqlcounter module
are not vulnerable to external exploits.
The issues are:
SQL Injection attack in the rlm_sqlcounter module.
Buffer overflow in the rlm_sqlcounter module, that may cause
a server crash.
Buffer overflow while expanding %t, that may cause a server
crash.