A belated request for last-minute tests of 3.0.12. I've pushed some changes to complain about OpenSSL. They work for me, but another check would be useful. If all is OK, I'll release 3.0.12 on Monday. For real this time. Alan DeKok.
I've pushed a request for an additional policy to be included... Could we pop that in? Pretty please? With cherries on top? :) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. On 22/09/2016, 17:59, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
A belated request for last-minute tests of 3.0.12. I've pushed some changes to complain about OpenSSL. They work for me, but another check would be useful.
If all is OK, I'll release 3.0.12 on Monday. For real this time.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you very much! :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. On 23/09/2016, 01:35, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Sep 22, 2016, at 6:44 PM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
I've pushed a request for an additional policy to be included... Could we pop that in?
Done.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, hm, can we still hold the press? main { security { user = "radiusd" group = "radiusd" allow_core_dumps = yes } name = "radiusd" prefix = "/usr/local/freeradius/current" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } Cannot update core dump limit: Operation not permitted Core dumps are enabled main { ... security { max_attributes = 200 reject_delay = 0.000000 status_server = yes allow_vulnerable_openssl = "CVE-2016-6304" } } ... So after dropping priv's, it reads about CVE clearance. But then: Debugger not attached Refusing to start with libssl version OpenSSL 1.0.1k 8 Jan 2015 0x100010bf (1.0.1k release) (in range 1.0.1 release - 1.0.1t rele) Security advisory CVE-2016-6304 (OCSP status request extension) For more information see https://www.openssl.org/news/secadv/20160922.txt Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304' radius-int-1:/usr/local/freeradius # Hm. That's v3.0.x checkout from just a few minutes ago. Greetings, Stefan Winter Am 22.09.2016 um 17:59 schrieb Alan DeKok:
A belated request for last-minute tests of 3.0.12. I've pushed some changes to complain about OpenSSL. They work for me, but another check would be useful.
If all is OK, I'll release 3.0.12 on Monday. For real this time.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Mon, Sep 26, 2016 at 11:07:26AM +0200, Stefan Winter wrote:
hm, can we still hold the press? ... Refusing to start with libssl version OpenSSL 1.0.1k 8 Jan 2015 0x100010bf (1.0.1k release) (in range 1.0.1 release - 1.0.1t rele) Security advisory CVE-2016-6304 (OCSP status request extension) For more information see https://www.openssl.org/news/secadv/20160922.txt Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304' radius-int-1:/usr/local/freeradius #
Just to add to the fun... CVE-2016-6309 and CVE-2016-7052 https://www.openssl.org/news/secadv/20160926.txt They missed a couple of patches from the releases last week, so there's more today. These can lead to a segfault or arbitrary code execution. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Sep 26, 2016, at 6:51 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Just to add to the fun...
CVE-2016-6309 and CVE-2016-7052 https://www.openssl.org/news/secadv/20160926.txt
They missed a couple of patches from the releases last week, so there's more today. These can lead to a segfault or arbitrary code execution.
Ugh. I've pushed fixes. Alan DeKok.
On 26 Sep 2016, at 12:44, Alan DeKok <aland@DEPLOYINGRADIUS.COM> wrote:
Ugh. I've pushed fixes.
Spun a build this morning, looks good to me. Error: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 release - 1.0.1t rele) Error: Security advisory CVE-2016-6304 (OCSP status request extension) Error: For more information see https://www.openssl.org/news/secadv/20160922.txt Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304' Error: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release) Error: Security advisory CVE-2014-0160 (Heartbleed) Error: For more information see http://heartbleed.com Correctly identifies the vulnerability, and the suppression works as expected. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Sep 27, 2016, at 6:52 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 26 Sep 2016, at 12:44, Alan DeKok <aland@DEPLOYINGRADIUS.COM> wrote:
Ugh. I've pushed fixes.
Spun a build this morning, looks good to me.
Thanks. I'm just waiting on confirmation of one issue with EAP-FAST. If I can't get it fixed today, I'll put a note in that EAP-FAST is experimental and broken... and then release 3.0.12. We need a release more than we need EAP-FAST. Alan DeKok.
On 26 Sep 2016, at 10:07, Stefan Winter <stefan.winter@restena.lu> wrote:
Debugger not attached Refusing to start with libssl version OpenSSL 1.0.1k 8 Jan 2015 0x100010bf (1.0.1k release) (in range 1.0.1 release - 1.0.1t rele) Security advisory CVE-2016-6304 (OCSP status request extension) For more information see https://www.openssl.org/news/secadv/20160922.txt Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304' radius-int-1:/usr/local/freeradius #
tls_global_version_check() doesn't accept individual CVE numbers any more - I'm not sure it's intentional though as the error message still references it. 'allow_vulnerable_ssl' = yes should let you continue. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Sep 26, 2016, at 7:38 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
tls_global_version_check() doesn't accept individual CVE numbers any more - I'm not sure it's intentional though as the error message still references it.
I'll push a fix. That wasn't intentional. Alan DeKok.
participants (5)
-
Adam Bishop -
Alan DeKok -
Matthew Newton -
Stefan Paetow -
Stefan Winter