On 7 Apr 2014, at 22:18, Alan DeKok <aland@deployingradius.com> wrote:
This is a bad one:
... The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. ...
* OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable * OpenSSL 1.0.1g is NOT vulnerable * OpenSSL 0.9.8 branch is NOT vulnerable
Everyone using TLS methods with EAP are likely vulnerable. Anyone using RadSec is likely vulnerable.
Please check which version of OpenSSL you are using.
That's really bad. Think we should add a configure time check to prevent the server being built against vulnerable versions? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2