17 Apr
2014
17 Apr
'14
5:24 p.m.
Hi,
I wonder if this checking for "bad" libraries inside FR is really useful or appropriate, especially if it's causing you major hassles. It's not obvious to me why OpenSSL is special - where's the blacklist for glibc or libpq or $whatever? Are other projects doing this?
There aren't massive security holes in other libraries. I'm not sure if other projects are doing this. I know for my sanity, I don't want people blaming FreeRADIUS because they've chosen to use a vulnerable version of OpenSSL.
ISC do similar thign with OpenSSL for named and have done so for years. alan