Release 1.0.5?

Nicolas Baradakis nbk at sitadelle.com
Mon Aug 22 19:14:52 CEST 2005


Alan DeKok wrote:

> > - A post on the mailing list suggests to change the case-insensitive
> >   searches for PostgreSQL. We need someone who has a setup with
> >   PostgreSQL to test these changes and send a patch for postgresql.conf.
> 
>   Peter Nixon?

Thor Spruyt is familiar with PostgreSQL, and has sent a few patches to
fix known issues with postgresql.conf and db_postgresql.sql.

> > - I'm not running LDAP on my site, but if bug #261 is reproducible,
> >   it should be fixed in 1.0.5 (attributes retrieved from ldap are
> >   truncated at first space)
> 
>   It's more complicated than that.  It gets excited over '=', too.
> 
>   The LDAP module has *always* worked that way, so it's not a priority
> for 1.0.5.

That's right, but it seems easy to fix this issue. If I understand
correctly the code in ldap_pairget(), we should have either "[value]"
or "[operator] [value]" in a one-to-one-mapped attribute.

If the statement above is correct, the code should be:

	ptr = str_from_ldap;
	operator = gettoken(&ptr);
	if (operator is valid)
		value = ptr;
	else
		value = str_from_ldap;

> > Maybe bug #73, too ? (libldap and libsasl problems)
>
> Sounds good.  I don't use LDAP, so I can't test it.

I've had a wonderful time with autoconf... but it should be fixed now.

In other news, Primoz Bratanic is testing his tool of "automated
vulnerability search" on the source code of FreeRADIUS. Thanks to him,
I was able to fix three possible buffer overflows in xlat.c and
rlm_sqlcounter.c. (see the Automatic CVS report)

Primoz also found out that the SQL query in rlm_sqlcounter isn't
correctly escaped. (possible SQL injection vulnerability) As the
function 'sql_escape_func' is static in module 'rlm_sql', I don't
know if we should copy/paste the code or make the function publicly
available?

We should also fix this in 1.0.5, before the people from Gentoo start
to make publicity about this.

-- 
Nicolas Baradakis
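
The operator/value split sketched in the message above, as an added C example that is not part of the original post and is not FreeRADIUS code. The helper name `split_op_value`, the operator list, and the rule that an operator must be followed by whitespace are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Assumed operator list for this sketch only. */
static const char *const OPS[] = { ":=", "+=", "==", "!=", ">=", "<=", "=~", "!~", "=", ">", "<" };

/*
 * Hypothetical helper, not FreeRADIUS's ldap_pairget() or gettoken().
 * If the string starts with a known operator followed by whitespace,
 * return the operator and point *value at the rest of the string.
 * Otherwise return NULL and point *value at the whole string, so spaces
 * and '=' inside the value are preserved instead of truncating it.
 */
const char *split_op_value(const char *s, const char **value)
{
    const char *p = s + strspn(s, " \t");
    size_t i, n;

    for (i = 0; i < sizeof(OPS) / sizeof(OPS[0]); i++) {
        n = strlen(OPS[i]);
        if (strncmp(p, OPS[i], n) == 0 && (p[n] == ' ' || p[n] == '\t')) {
            p += n;
            *value = p + strspn(p, " \t");
            return OPS[i];
        }
    }
    *value = s;
    return NULL;
}

int main(void)
{
    /* Constructed sample values, as they might come back from a directory. */
    const char *samples[] = { "Framed User", ":= Framed User",
                              "cn=admin,dc=example,dc=org", "== a = b" };
    const char *op, *val;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        op = split_op_value(samples[i], &val);
        printf("%-28s -> op=%-4s value=\"%s\"\n", samples[i], op ? op : "none", val);
    }
    return 0;
}
```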