Imminent release of 2.2.5 and 3.0.3

Stefan Paetow Stefan.Paetow at ja.net
Thu Apr 17 16:42:30 CEST 2014


> There aren't massive security holes in other libraries.  I'm not sure if other projects are doing this.  
> I know for my sanity, I don't want people blaming FreeRADIUS because they've chosen to use a 
> vulnerable version of OpenSSL.

Well, I doubt anyone reasonably active on the list will, and with sufficient disclaimers on the site, what you do/have done is good enough.

> Which will happen if FR doesn't check for "bad" versions of OpenSSL.

See above.

> I'm more concerned with ongoing tests.  I've spent much of the last two months adding more 
> sanity checks to the parser, and then adding tests for the parser and sanity checks.  That will do 
> more than anything else to prevent future issues.

The good news is that Heartbleed has shocked the OpenSSL people into asking for more help, and it has also prompted people to start a crowd-funded effort to audit OpenSSL and improve its... *ahem* code quality. So I'm fairly positive that this is going to improve things in the future.

Stefan

