Imminent release of 2.2.5 and 3.0.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 17 02:09:38 CEST 2014


On 16 Apr 2014, at 19:12, HCC Mailing Lists <hcc.lists at gmail.com> wrote:

> I just did a git clone of 3.0.3 onto an Ubuntu 12.04.4 LTS system and
> did these steps:
> 
> $ tar zxf freeradius-server-2.X.Y.tar.gz
> $ cd freeradius-server-2.X.Y
> $ fakeroot dpkg-buildpackage -b -uc
> $ sudo dpkg -i ../*freeradius*_2.X.Y-*_*.deb
> 
> as documented at
> http://wiki.freeradius.org/building/Build#Building-Debian-packages.
> 
> I ended up with a number of .deb files which I expected. During the
> install phase I get an error saying that libssl1.0.0 is not new
> enough, the actual message scrolled off too far to find again, but it
> needs 1.0.1e-2+deb7u6 but has 1.0.1-4ubuntu5.12. Clearly this is more
> fallout of Heartbleed and the version installed is supposedly fixed.

Great.

> Why the distribution maintainers cannot just use the actual version
> numbers is beyond me.

Their arguments for applying patches to already released systems are
bullshit. It makes it impossible to tell whether a given version of 
a library has the correct fixes applied.

They are one of the biggest obstacles to security. They take the one
universal method of determining whether vulnerabilities have been 
patched, and make it useless without providing an alternative.

> So the question is, how do I change the version requirement for
> Ubuntu? 

*sigh* I'll have a look.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
