Imminent release of 2.2.5 and 3.0.3
A.L.M.Buxey at lboro.ac.uk
Wed Apr 16 17:14:34 CEST 2014
Hi,
> I'm testing the v3.0.x branch - FreeRADIUS Version 3.1.0 (git #21acbbf)
> on CentOS 6.5 with system openssl and all patches:
that's the 3.1.x release, which isn't the future 3.0.3 ;-) but still...
> rpm -q --changelog openssl | grep CVE-2014-0160
> - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
>
> I'm getting
> Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
> 0x01000105f (1.0.1e-15) (in range 1.0.1-0 - 1.0.1f-15)
yes - 1.0.1e could be affected.... unfortunately there's no way of actually
checking if the code is safe - there was a discussion about this feature. You just need to
disable the OpenSSL check (as per the docs).
allow_vulnerable_openssl = yes
in radiusd.conf
> The other problem I ran into is that when the cui is enabled then the
> server fails when trying to remove an empty value:
that looks like a big bang.... which, with the new panic action code, means that gdb
can be immediately attached to it - worth looking at using the new panic action
on this and seeing what the values/issues are - in the usual docs/bugs method
alan
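What the "Refusing to start with libssl version ..." message is comparing, and why a vendor backport cannot satisfy it, as an added example. This is not FreeRADIUS's own code: it reimplements the comparison in Python from the message format above, assumes OpenSSL's documented OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS (major, minor, fix, patch letter, status nibble) and the window the message prints (1.0.1-0 .. 1.0.1f-15). The version string, changelog text and radiusd.conf fragment are constructed sample input. The point it shows: the number is a compile-time constant that a distro keeps unchanged when it backports the CVE-2014-0160 fix, so the only evidence the admin has is out-of-band (the rpm changelog), and on that evidence the override is set.

```python
"""
Reproduce the libssl version-window check FreeRADIUS 3.0.x applies at start-up
and the admin's follow-up.  Added example, not project code.  Assumptions:
OpenSSL's documented OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS, and the refused
window taken from the server message (1.0.1-0 .. 1.0.1f-15).
"""
import re

# Window quoted in the server message: 1.0.1 (patch 0, status 0) .. 1.0.1f (status 0xf).
VULNERABLE_LOW = 0x10001000
VULNERABLE_HIGH = 0x1000106F
CVE = "CVE-2014-0160"

# Constructed sample inputs, standing in for `openssl version`,
# `rpm -q --changelog openssl` and a fragment of radiusd.conf.
SAMPLE_VERSION = "OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_CHANGELOG = """\
* (constructed vendor changelog entry)
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
- other unrelated bug fix
"""
SAMPLE_RADIUSD_CONF = """\
security {
\tmax_attributes = 200
\treject_delay = 1
\tallow_vulnerable_openssl = no
}
"""

START, ALLOW, UPGRADE = (
    "start normally: libssl is outside the refused window",
    "set allow_vulnerable_openssl = yes: in the window, but the vendor changelog records the fix",
    "do not override the check: in the window and no evidence of a backported fix",
)


def decode_version_number(n):
    """0xMNNFFPPS -> 'M.NN.FFp-S', the form the server message prints (e.g. 1.0.1e-15)."""
    major, minor, fix = n >> 28, (n >> 20) & 0xFF, (n >> 12) & 0xFF
    patch, status = (n >> 4) & 0xFF, n & 0xF
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}-{status}"


def encode_version_string(text, status=0xF):
    """'OpenSSL 1.0.1e-fips ...' -> OPENSSL_VERSION_NUMBER; release status 0xf is assumed."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status


def refused_by_version_check(n):
    """The server compares only this number; a backported fix leaves it unchanged."""
    return VULNERABLE_LOW <= n <= VULNERABLE_HIGH


def changelog_records_fix(changelog_text, cve=CVE):
    """Out-of-band evidence that the distro backported the fix."""
    return any(cve in line for line in changelog_text.splitlines())


def decide(version_text, changelog_text):
    """Combine the version-window result with the changelog evidence."""
    n = encode_version_string(version_text)
    if not refused_by_version_check(n):
        return START
    return ALLOW if changelog_records_fix(changelog_text) else UPGRADE


def set_allow_vulnerable(conf_text):
    """Flip an existing (possibly commented-out) setting in radiusd.conf text, keeping indentation."""
    pat = re.compile(r"^([ \t]*)#?[ \t]*allow_vulnerable_openssl[ \t]*=.*$", re.M)
    if not pat.search(conf_text):
        raise ValueError("allow_vulnerable_openssl not present; add it to radiusd.conf by hand")
    return pat.sub(lambda m: m.group(1) + "allow_vulnerable_openssl = yes", conf_text, count=1)


if __name__ == "__main__":
    print(decode_version_number(0x1000105F))
    print(decide(SAMPLE_VERSION, SAMPLE_CHANGELOG))
    print(set_allow_vulnerable(SAMPLE_RADIUSD_CONF), end="")
```

Note that `changelog_records_fix` is a heuristic, exactly as the reply says: nothing here proves the heartbeat code is safe, it only records that the vendor claims to have patched it. Once the override is set the version window is skipped entirely, so re-check it when libssl is next upgraded or downgraded.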