OpenSSL Security issues

stefan.paetow at diamond.ac.uk stefan.paetow at diamond.ac.uk
Tue Apr 8 13:30:08 CEST 2014


It's not really up to the FreeRADIUS people to make that call, but rather the OpenSSL guys. But I agree that this is rather annoying. I would have preferred a 1.0.1g upgrade myself.

I'll forward this question on to the RHEL OpenSSL guy and find out.
 
S.


> -----Original Message-----
> From: Arran Cudbard-Bell [mailto:a.cudbardb at freeradius.org]
> Sent: 08 April 2014 11:03
> To: FreeRadius users mailing list
> Subject: Re: OpenSSL Security issues
> 
> 
> On 8 Apr 2014, at 10:35, Jonathan Gazeley
> <Jonathan.Gazeley at bristol.ac.uk> wrote:
> 
> > On 08/04/14 01:11, stefan.paetow at diamond.ac.uk wrote:
> >> I'm back in the office tomorrow and will check the CentOS updates
> >
> > Seems that CentOS 5 is not affected, but CentOS 6 is. An patched
> update has been released for for RHEL 6 and will presumably make its
> way into CentOS before too long...
> >
> > https://rhn.redhat.com/errata/RHSA-2014-0376.html
> 
> Question to representatives of various distributions on the lists.
> 
> As instead of fix the issues correctly by upgrading to 1.0.1g, you are
> patching existing versions of libssl, how can we determine whether a
> version of libssl is vulnerable or not at configure time?
> 
> As it stands the next versions on all branches will refuse to build
> against libssl 1.0.1-1.0.1f because of the potential security risk.
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org> FreeRADIUS Development
> Team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





More information about the Freeradius-Users mailing list