not able to install FR 3.0.16+git in (pure) Debian 9
Martin Pauly
pauly at hrz.uni-marburg.de
Thu Sep 7 10:22:50 CEST 2017
Hi,
just got around now to see this:
>> If you would not mind, I would also propose striking out the HeartBleed
>> check from debian/rules in 3.0.x, to be able to install it on Debian 9.
>> Otherwise, the dependencies are not satisfied, and Debian 9 refuses to
>> install the packages.
>> [...]
>> -# Add dependency on distribution specific version of openssl that fixes
>> Heartbleed (CVE-2014-0160).
>>
>> -ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
>>
>> - SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)"
>>
>> -else
>>
>> - SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)"
>>
>> -endif
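Review bot: removing the whole ifeq/else/endif block drops the versioned `libssl1.0.0` dependency on every distribution, not only on Debian 9 where the mail says it cannot be satisfied; a narrower change would keep the `SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= ...)"` lines for releases that still ship libssl1.0.0 and set an empty dist:Depends only where the package is absent. Note also that the hunk as quoted is mail-rewrapped (the `-# Add dependency ...` comment continues on an unprefixed `Heartbleed (CVE-2014-0160).` line, with blank `>>` lines interleaved), so it cannot be applied as-is.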
> That can't happen, sorry. The server must be secure, even if the underlying OS uses vulnerable versions of OpenSSL.
This is a non-issue, right? At least with Debian stable, the security team usually fixes such vulnerabilities inside
the code of an existing version and afterwards distributes the fixed source and binary with a specific sub-versioning
(Ubuntu much the same, AFAIK). So this is what the above checks address in the most accurate way.
E.g. with Debian 8 (Jessie) you have openssl 1.0.1t-1+deb8u6 which is way more modern than the version required by rules.
BTW, they also have done exactly this quite recently to FR3.0.12,
citing their Announcement:
----------- From Debian Security Announcements 2017-08-11 -----------------------
All those issues are covered by this single DSA, but it's worth noting
that not all issues affect all releases:
- CVE-2017-10978 and CVE-2017-10983 affect both jessie and stretch
- CVE-2017-10979, CVE-2017-10980, CVE-2017-10981 and CVE-2017-10982
affect only jessie
- CVE-2017-10984, CVE-2017-10985, CVE-2017-10986 and CVE-2017-10987
affect only stretch.
For the oldstable distribution (jessie), these problems have been fixed
in version 2.2.5+dfsg-0.2+deb8u1.
For the stable distribution (stretch), these problems have been fixed in
version 3.0.12+dfsg-5+deb9u1.
----------------------------------------------------------------------------------
So they still distribute 3.0.12, but with everything fixed.
This way of incorporating security-related bug fixes into source
is interesting in a number of ways:
- Sometimes it's simpler: For the TLS-Cache issue with 3.0.12, they simply changed
the default config by removing the entire cache {} section from the eap config file.
--> quick, simple, and non-disruptive (could only hamper performance in special cases)
- For the fuzzing issues found in 3.0.14, they incorporated the fixes into their 3.0.12
source tree -- but it took them 11 days in this case. This includes extensive tests, though.
So once the update is there, you can install it almost blindly.
- Not everyone likes his sources changed "silently". This had led to Mozilla forcing Debian
to rename their security-patched version of Firefox to Iceweasel and Thunderbird to Icedove.
cf. https://lwn.net/Articles/676799/ (this is about how the dispute was finally resolved)
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg