A sad note from the HostAP mailing list. OpenSSL has broken the most recent release. The good news is that we've put changes into v3 to detect this kind of nonsense. It refuses to start with a broken OpenSSL. But, this means that if your system auto-upgrades OpenSSL, FreeRADIUS will refuse to start. If you upgrade OpenSSL, you MUST REBUILD FreeRADIUS. This requirement is made because the OpenSSL people hate their end users, and break binary compatibility. --- Please note that the OpenSSL versions released yesterday are not binary compatible with the prior releases due to a quite undesired ABI change (HMAC_CTX size changes). This affects multiple programs using OpenSSL shared libraries, including wpa_supplicant. If you are using wpa_supplicant with OpenSSL as a shared library and update the OpenSSL shared library without rebuilding the wpa_supplicant binary against the new header files from the new OpenSSL version, you may hit memory corruption issues at runtime. Rebuilding wpa_supplicant against the matching OpenSSL version will fix those. Based on a quick test, this issue did not show up in practice for me on 64-bit Ubuntu 14.04 with gcc build due to the HMAC_CTX struct padding done by the compiler. However, on 32-bit Ubuntu 14.04, this did result in memory corruption and process termination due to malloc() memory corruption and/or stack smashing detection. This is an OpenSSL issue and I hope that the previous ABI will be restored in a new release shortly. There is not really anything that wpa_supplicant can do about this apart from doing that rebuild with new OpenSSL header files.
What about the 1.0.2c release that has just made its way out to correct ABI compatibility? Nick
Hi On Fri, Jun 12, 2015 at 7:24 PM, Nick Lowe <nick.lowe@gmail.com> wrote:
What about the 1.0.2c release that has just made its way out to correct ABI compatibility?
Quote: "New releases to resolve ABI compatibility problems:" From: https://www.openssl.org/news/
On Jun 12, 2015, at 12:29 PM, Isaac Boukris <iboukris@gmail.com> wrote:
Quote: "New releases to resolve ABI compatibility problems:" From: https://www.openssl.org/news/
That's good news. But it's still annoying... Alan DeKok.
participants (3)
-
Alan DeKok -
Isaac Boukris -
Nick Lowe