OpenSSL Security issues
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 8 13:32:09 CEST 2014
On 08/04/14 11:02, Arran Cudbard-Bell wrote:
> As it stands the next versions on all branches will refuse to build
> against libssl 1.0.1-1.0.1f because of the potential security risk.
Please don't do that, for the exact reasons you outlined.
Hardcoding a version number blacklist into the build environment just
means everyone building against an enterprise distro will have to patch
your changes out.
I realise it's a serious vulnerability, but "configure.in" of a project
using the library is not the right place to address this.
You'd be better off adding a runtime check and refusing to start without
"allow_unsafe_openssl" global set or similar, if you must. At least that
way people can configure the server to start once they've patched.
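As an added example (not FreeRADIUS code and not part of the original post), here is the shape of the runtime check Phil suggests, in C. The daemon compares the version of the libcrypto it actually loaded against the 1.0.1-1.0.1f range discussed in the thread and refuses to start unless an operator-set override is present. The setting name `allow_unsafe_openssl` is the hypothetical one from the post; the function and enum names are assumptions of this example. The version encoding is OpenSSL's own `OPENSSL_VERSION_NUMBER` layout (`0xMNNFFPPS`), so a real caller would feed in the value returned by `SSLeay()` on OpenSSL 1.0.x; to stay self-contained, this file compiles without OpenSSL headers and takes the runtime version as a parameter.

```c
/* Added example, not FreeRADIUS code.  A start-up check against the version
 * of the OpenSSL library that was actually loaded, with a hypothetical
 * "allow_unsafe_openssl" override so a server on a patched-but-unrenumbered
 * vendor build can still be started.  Compile with: cc -o check check.c
 */
#include <ctype.h>
#include <stdio.h>

enum openssl_check {
    OPENSSL_OK       = 0,  /* outside the affected range, start normally */
    OPENSSL_OVERRIDE = 1,  /* affected range, override set: warn and run */
    OPENSSL_REFUSE   = 2   /* affected range, no override: do not start  */
};

/* Build an OPENSSL_VERSION_NUMBER-style value, 0xMNNFFPPS.
 * patch is the letter ('a'..'z') or 0 for the un-lettered release;
 * the low nibble 0xf marks a release build. 1.0.1f -> 0x1000106f. */
unsigned long openssl_version_number(unsigned major, unsigned minor,
                                     unsigned fix, char patch)
{
    unsigned long p = patch ? (unsigned long)(tolower((unsigned char)patch) - 'a' + 1) : 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | (p << 4) | 0xfUL;
}

/* Parse a dotted release string such as "1.0.1f" (the form printed by
 * `openssl version`) into the numeric form.  Returns 0 on failure. */
unsigned long openssl_parse_version(const char *s)
{
    unsigned major, minor, fix;
    char patch = 0;
    int n = 0;

    if (sscanf(s, "%u.%u.%u%n", &major, &minor, &fix, &n) != 3) return 0;
    s += n;
    if (*s && isalpha((unsigned char)*s)) { patch = *s; s++; }
    if (*s != '\0' && !isspace((unsigned char)*s)) return 0;  /* trailing junk */
    return openssl_version_number(major, minor, fix, patch);
}

/* The releases the thread is concerned with: 1.0.1 through 1.0.1f inclusive.
 * A -dev or -beta build of 1.0.1g has a status nibble below 0xf and a higher
 * patch field, so it falls outside the range; that is the intended result. */
int openssl_in_affected_range(unsigned long v)
{
    return v >= openssl_version_number(1, 0, 1, 0) &&
           v <= openssl_version_number(1, 0, 1, 'f');
}

/* What the daemon does at start-up.  runtime_version is what the loaded
 * library reports (SSLeay() on OpenSSL 1.0.x), not the compile-time macro;
 * allow_unsafe_openssl is the hypothetical global from the configuration.
 * Enterprise distributions backport fixes without changing the version
 * number, which is why a version test alone is not enough and the override
 * exists. */
enum openssl_check openssl_startup_check(unsigned long runtime_version,
                                         int allow_unsafe_openssl,
                                         char *msg, size_t msglen)
{
    if (!openssl_in_affected_range(runtime_version)) {
        snprintf(msg, msglen, "OpenSSL 0x%08lx is outside the affected range",
                 runtime_version);
        return OPENSSL_OK;
    }
    if (allow_unsafe_openssl) {
        snprintf(msg, msglen,
                 "WARNING: OpenSSL 0x%08lx is in the affected range 1.0.1-1.0.1f; "
                 "starting anyway because allow_unsafe_openssl is set. "
                 "Verify your vendor actually shipped the fix.", runtime_version);
        return OPENSSL_OVERRIDE;
    }
    snprintf(msg, msglen,
             "Refusing to start: OpenSSL 0x%08lx is in the affected range 1.0.1-1.0.1f. "
             "Upgrade, or set allow_unsafe_openssl if your vendor backported the fix "
             "without changing the version number.", runtime_version);
    return OPENSSL_REFUSE;
}

int main(void)
{
    /* Constructed sample inputs: what `openssl version` might print. */
    const char *samples[] = { "1.0.0k", "1.0.1e", "1.0.1f", "1.0.1g" };
    char msg[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = openssl_parse_version(samples[i]);
        enum openssl_check r = openssl_startup_check(v, 0, msg, sizeof msg);
        printf("%-7s 0x%08lx -> %d: %s\n", samples[i], v, (int)r, msg);
    }
    return 0;
}
```

The check deliberately lives in the server's start-up path rather than in `configure.in`: the build can then succeed on an enterprise distribution whose libssl still reports 1.0.1e, and the administrator makes the decision once the vendor fix is confirmed, instead of patching the build system.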
More information about the Freeradius-Users mailing list