On 16 Apr 2014, at 19:12, HCC Mailing Lists <hcc.lists@gmail.com> wrote:
I just did a git clone of 3.0.3 onto an Ubuntu 12.04.4 LTS system and did these steps:
$ tar zxf freeradius-server-2.X.Y.tar.gz $ cd freeradius-server-2.X.Y $ fakeroot dpkg-buildpackage -b -uc $ sudo dpkg -i ../*freeradius*_2.X.Y-*_*.deb
as documented at http://wiki.freeradius.org/building/Build#Building-Debian-packages.
I ended up with a number of .deb files which I expected. During the install phase I get an error saying that libssl1.0.0 is not new enough, the actual message scrolled off too far to find again, but it needs 1.0.1e-2+deb7u6 but has 1.0.1-4ubuntu5.12. Clearly this is more fallout of Heartbleed and the version installed is supposedly fixed.
Great.
Why they distribution maintainers cannot just use the actual version numbers is beyond me.
Their arguments for applying patches to already released systems are bullshit. It makes it impossible to tell whether a given version of a library has the correct fixes applied. They are one of the biggest obstacles to security. They take the one universal method of determining whether vulnerabilities have been patched, and make it useless without providing an alternative.
So the question is, how do I change the version requirement for Ubuntu?
*sigh* i'll have a look. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2