not able to install FR 3.0.16+git in (pure) Debian 9

Alan Buxey alan.buxey at
Thu Sep 7 11:11:13 CEST 2017


> So they still distribute 3.0.12, but with everything fixed.

no. not everything fixed. everythign fixed would be eg 3.0.15 - I
still dont understand why they dont just upgrade the version rather
than do backports.

> This way of incorporating security-related bug fixes into source
> is interesting in a number of ways:
> - Sometimes it's simpler: For the TLS-Cache issue with 3.0.12, they simply
> changed
>   the default config by removing the entire cache {} section from the eap
> config file.
>   --> quick, simple, and non-disruptive (could only hamper performance in
> special cases)

ummm, okay - so for any sites doing lots of EAP, performance sucks.
those people then come to the list and
we tell them to 'just enable the cache option in eap module - et
voila! now server insecure because the version in
use was not patched!

their solution is awful!  :(

> - For the fuzzing issues found in 3.0.14, they incorporated the fixes into
> their 3.0.12
>   source tree -- but it took them 11 days in this case. This includes
> extensive tests, though.

..why not just use 3.0.14?  what a waste of their time/resources .  :/

sorry, if someone says they are using 3.0.12 then I can only assume
its the same code as I know/see - if someone else
has been playing around with it, removing things, changing things then
who knows what else is broken or not working?

fundamentally, there are more issues/errors than just some security
issues - theres a reason why 3.0.15 exists, for example,
and why we say people should use it - many other things , many other
fixes/features.  no break on upgrade.


More information about the Freeradius-Users mailing list