Imminent release of 2.2.5 and 3.0.3

Alan DeKok aland at deployingradius.com
Wed Apr 16 17:03:46 CEST 2014


Maja Wolniewicz wrote:
> I'm testing the v3.0.x branch  - FreeRADIUS Version 3.1.0 (git #21acbbf)

  That isn't the v3.0.x branch.  3.1.0 is the "master" branch.


> rpm -q --changelog openssl | grep CVE-2014-0160
> - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
>
> I'm getting
> Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
> 0x01000105f (1.0.1e-15) (in range 1.0.1-0 - 1.0.1f-15)

  Yes.  And if you read the NEXT message that the server prints out, it
tells you how to work around the issue.

  There is no way for FreeRADIUS to tell that OpenSSL has been fixed.
You have to configure the server to accept the problematic version of
OpenSSL.

  Alan DeKok.
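Added example, not FreeRADIUS code and not part of the message above: it decodes the packed OpenSSL 1.0.x version number and applies the range printed in the quoted log line, showing why a vendor build with a backported fix gets the same result as an unpatched one. The function names, the bounds as read from that log line, and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS: major, minor, fix,
 * patch letter (1 = 'a'), status (0x0 = dev, 0xf = release). */
typedef struct { unsigned major, minor, fix, patch, status; } ssl_version;

ssl_version decode_ssl_version(uint32_t v) {
    ssl_version r = { (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff,
                      (v >> 4) & 0xff, v & 0xf };
    return r;
}

/* Bounds as read from the log line above: "1.0.1-0 - 1.0.1f-15" (assumption). */
#define FLAGGED_LOW  0x10001000U  /* 1.0.1,  status 0  */
#define FLAGGED_HIGH 0x1000106fU  /* 1.0.1f, status 15 */

int in_flagged_range(uint32_t v) {
    return v >= FLAGGED_LOW && v <= FLAGGED_HIGH;
}

/* Render as "1.0.1e-15", the form used in the log line. */
int format_ssl_version(uint32_t v, char *buf, size_t len) {
    ssl_version r = decode_ssl_version(v);
    char letter[2] = { r.patch ? (char)('a' + r.patch - 1) : '\0', '\0' };
    return snprintf(buf, len, "%u.%u.%u%s-%u",
                    r.major, r.minor, r.fix, letter, r.status);
}

int main(void) {
    /* Constructed samples. The first two carry the same number on purpose:
     * a vendor backport keeps the upstream version string and number. */
    struct { const char *label; uint32_t v; } samples[] = {
        { "upstream 1.0.1e, unpatched",    0x1000105fU },
        { "vendor 1.0.1e, fix backported", 0x1000105fU },
        { "upstream 1.0.1g",               0x1000107fU },
        { "upstream 1.0.0e",               0x1000005fU },
    };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_ssl_version(samples[i].v, buf, sizeof buf);
        printf("%-32s %-10s %s\n", samples[i].label, buf,
               in_flagged_range(samples[i].v) ? "flagged" : "ok");
    }
    return 0;
}
```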

