Maintaining a (very) dynamic user list with freeradius
Jos Vos
jos at xos.nl
Sat Nov 3 09:32:45 CET 2007
On Sat, Nov 03, 2007 at 12:36:01AM +0100, Alan DeKok wrote:
> http://freeradius.org/security.html
>
> You *can* manually upgrade to 1.1.7. It's not hard.
RH always backports security patches. From their 1.0.1 changelog:
* Wed Apr 25 2007 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4.5
- fixed CVE-2007-2028: EAP-TTLS denial of service
Resolves: rhbz#236247
* Fri Mar 24 2006 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4.3
- added two lost fixes from (#167676)
* Fri Mar 24 2006 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4.2
- CVE-2006-1354: security fixes for EAP-MSCHAPv2 (#186083)
- other security related fixes (#167676)
* Tue Jun 14 2005 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4
- Fixed buffer overflow and possible SQL injection attacks in rlm_sql
CAN-2005-1454, CAN-2005-1455 (#156941)
[...]
Deviating from the standard RHEL packages and maintaining your own RPM
(this is for a large number of systems) is probably doable (often you
encounter incompatibilities with older compilers and libraries, but
freeradius is a relatively isolated piece of software, I think), but it
also means I have to take care of security problems etc. myself, while
RH does that for me now. That's why I only tend to maintain my own
version if really necessary.
--
-- Jos Vos <jos at xos.nl>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
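The point of the changelog excerpt above is that on a backporting distribution the package version (1.0.1) says nothing about which CVEs are fixed; the RPM changelog does. The following shell snippet is an added example, not part of the thread and not a Red Hat or FreeRADIUS tool: it extracts the CVE identifiers recorded in changelog text and answers whether a given one is present, treating the older CAN- candidate prefix (as in the 2005 rlm_sql entry) as equivalent to CVE-. The sample changelog is constructed from the entries quoted in the post; on a real RHEL host the input would come from `rpm -q --changelog freeradius`.

```shell
#!/bin/sh
# Added example: check a distro package's RPM changelog for backported CVE fixes.
# Not from the original thread; the functions and sample text below are this
# example's own. On a live RHEL system the changelog would be obtained with:
#   rpm -q --changelog freeradius | changelog_mentions_cve CVE-2007-2028

# Constructed sample, copied from the changelog entries quoted in the post.
SAMPLE_CHANGELOG='* Wed Apr 25 2007 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4.5
- fixed CVE-2007-2028: EAP-TTLS denial of service
Resolves: rhbz#236247
* Fri Mar 24 2006 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4.3
- added two lost fixes from (#167676)
* Fri Mar 24 2006 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4.2
- CVE-2006-1354: security fixes for EAP-MSCHAPv2 (#186083)
- other security related fixes (#167676)
* Tue Jun 14 2005 Thomas Woerner <twoerner at redhat.com> 1.0.1-3.RHEL4
- Fixed buffer overflow and possible SQL injection attacks in rlm_sql
CAN-2005-1454, CAN-2005-1455 (#156941)'

# list_fixed_cves: read changelog text on stdin, print every CVE/CAN identifier
# it mentions, normalised to the CVE- prefix (2005-era entries used CAN- for
# candidate numbers), one per line, de-duplicated.
list_fixed_cves() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]+' | sed 's/^CAN-/CVE-/' | sort -u
}

# changelog_mentions_cve ID: read changelog text on stdin; exit 0 if ID (given
# in either CVE- or CAN- form) is recorded there, 1 otherwise.
changelog_mentions_cve() {
    want=$(printf '%s' "$1" | sed 's/^CAN-/CVE-/')
    list_fixed_cves | grep -qx "$want"
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | list_fixed_cves
for id in CVE-2007-2028 CAN-2005-1455 CVE-2099-0001; do
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve "$id"; then
        echo "$id: fix recorded in changelog"
    else
        echo "$id: not mentioned (check the vendor advisory before assuming it is fixed)"
    fi
done
```

A changelog match only shows that the vendor recorded a fix for that identifier; it is still worth cross-checking against the vendor's advisory, since an entry can cover a partial backport. The CAN-/CVE- normalisation matters because a naive `grep CVE-2005-1454` would miss the 2005 entry entirely.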