On Mon, Sep 26, 2016 at 11:07:26AM +0200, Stefan Winter wrote:
hm, can we still hold the press? ... Refusing to start with libssl version OpenSSL 1.0.1k 8 Jan 2015 0x100010bf (1.0.1k release) (in range 1.0.1 release - 1.0.1t rele) Security advisory CVE-2016-6304 (OCSP status request extension) For more information see https://www.openssl.org/news/secadv/20160922.txt Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304' radius-int-1:/usr/local/freeradius #
Just to add to the fun... CVE-2016-6309 and CVE-2016-7052 https://www.openssl.org/news/secadv/20160926.txt They missed a couple of patches from the releases last week, so there's more today. These can lead to a segfault or arbitrary code execution. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>