not able to install FR 3.0.16+git in (pure) Debian 9
Alan Buxey
alan.buxey at gmail.com
Thu Sep 7 11:11:13 CEST 2017
hi,
> So they still distribute 3.0.12, but with everything fixed.
no. not everything fixed. everything fixed would be e.g. 3.0.15 - I
still don't understand why they don't just upgrade the version rather
than do backports.
> This way of incorporating security-related bug fixes into source
> is interesting in a number of ways:
> - Sometimes it's simpler: For the TLS-Cache issue with 3.0.12, they simply
> changed
> the default config by removing the entire cache {} section from the eap
> config file.
> --> quick, simple, and non-disruptive (could only hamper performance in
> special cases)
ummm, okay - so for any sites doing lots of EAP, performance sucks.
those people then come to the list and we tell them to 'just enable
the cache option in the eap module' - et voila! now the server is
insecure because the version in use was not patched!
their solution is awful! :(
> - For the fuzzing issues found in 3.0.14, they incorporated the fixes into
> their 3.0.12
> source tree -- but it took them 11 days in this case. This includes
> extensive tests, though.
..why not just use 3.0.14? what a waste of their time/resources. :/
sorry, if someone says they are using 3.0.12 then I can only assume
it's the same code as I know/see - if someone else has been playing
around with it, removing things, changing things, then who knows what
else is broken or not working?
fundamentally, there are more issues/errors than just some security
issues - there's a reason why 3.0.15 exists, for example, and why we
say people should use it - many other things, many other
fixes/features. no break on upgrade.
alan