Imminent release of 2.2.5 and 3.0.3
Alan DeKok
aland at deployingradius.com
Thu Apr 17 16:38:28 CEST 2014
Nick Lowe wrote:
> I agree entirely with what Phil says. Is this not a layering
> violation? As much as you think you might be helping in this
> belt-and-braces way, I don't think it should be the concern of
> FreeRADIUS to care about this - and how far do you take it?
The goal is to have FreeRADIUS be secure. i.e. there is no
installation which defaults to insecure.
The way we do this is to either disable features, or disable
vulnerabilities.
> I am also curious who might actually tangibly benefit. Isn't the
> reality that a version of FreeRADIUS that contains these checks will
> only ever get packaged by the distributions with a non-vulnerable
> version of OpenSSL going forward anyway in a new major release that
> they make?
Most of the time, yes. But not everyone uses packages.
Security is about *always* being secure. You don't say "well, this
won't happen often, so we can ignore it".
Alan DeKok.
More information about the Freeradius-Users
mailing list