not able to install FR 3.0.16+git in (pure) Debian 9

Alan DeKok aland at deployingradius.com
Thu Sep 7 15:06:29 CEST 2017


On Sep 7, 2017, at 4:22 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
>>  That can't happen, sorry.  The server must be secure, even if the underlying OS uses vulnerable versions of OpenSSL.
> 
> This is a non-issue, right? At least with Debian stable, the security team usually fixes such vulnerabilities inside
> the code of an existing version and afterwards distributes the fixed source and binary with a specific sub-versioning
> (Ubuntu much the same, AFAIK). So this is what the above checks address in the most accurate way.
> E.g. with Debian 8 (Jessie) you have openssl 1.0.1t-1+deb8u6 which is way more modern than the version required by rules.

  There is no way for FreeRADIUS to know if OpenSSL has been fixed.  The OpenSSL & Debian people (in their infinite wisdom) make it impossible.

  All we know is that OpenSSL version X.Y.Z is installed.  We don't know if it's vulnerable or not.

  So removing security checks is just not going to happen.

> BTW, they also have done exactly this quite recently to FR3.0.12,
> citing their Announcement:

  Yeah... distributions seem fanatical about not updating FreeRADIUS to a recent version.  I don't know why.

> So they still distribute 3.0.12, but with everything fixed.

  No.  3.0.15 would be "everything fixed".

> This way of incorporating security-related bug fixes into source
> is interesting in a number of ways:
> - Sometimes it's simpler: For the TLS-Cache issue with 3.0.12, they simply changed
>  the default config by removing the entire cache {} section from the eap config file.

  Which is a lazy fix, and breaks functionality people need.

>  --> quick, simple, and non-disruptive (could only hamper performance in special cases)

  In *most* cases.  When users are being authenticated via Active Directory, the *only* thing making it high performance is the TLS session cache.  AD is just a pig that way.

> - For the fuzzing issues found in 3.0.14, they incorporated the fixes into their 3.0.12
>  source tree -- but it took them 11 days in this case. This includes extensive tests, though.

  As if we didn't do extensive tests on the patches.  I mean, come on...

>  So once the update is there, you can install it almost blindly.

  Which is the point of *our* new releases.  We work hard to have new versions compatible with old ones.

> - Not everyone likes his sources changed "silently". This had led to Mozilla forcing Debian
>  to rename their security-patched version of Firefox to Iceweasel and Thunderbird to Icedove.
>  cf. https://lwn.net/Articles/676799/ (this is about how the dispute was finally resolved)

  That's more of a trademark thing.  If Debian isn't shipping firefox, they shouldn't call it firefox.

  Alan DeKok.
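
An added sketch, not part of the original message and not FreeRADIUS code, of why a version-range check cannot see a distribution backport: it assumes the application can read only the packed pre-3.0 OPENSSL_VERSION_NUMBER (layout 0xMNNFFPPS). The function names, the earlier package revision and the advisory range are constructed for illustration.

```python
import re

def encode_upstream(version: str) -> int:
    """Pack an upstream 'M.N.F[letter]' release into the 0xMNNFFPPS layout."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unsupported upstream version: {version!r}")
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    # Patch letters map a=1, b=2, ...; no letter means patch 0.
    patch = ord(m.group(4)) - ord("a") + 1 if m.group(4) else 0
    # Low nibble 0xF marks a release build.
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xF

def library_reported(deb_version: str) -> int:
    """What an application can read back for a given Debian package version.

    Debian versions are [epoch:]upstream[-revision]; the revision, where the
    security team's backports are recorded, has no field in the packed number.
    """
    no_epoch = deb_version.split(":", 1)[-1]
    upstream = no_epoch.rsplit("-", 1)[0] if "-" in no_epoch else no_epoch
    return encode_upstream(upstream)

def flagged(version_num: int, first_bad: str, last_bad: str) -> bool:
    """Version-range gate: true if the reported number is in an advisory range."""
    return encode_upstream(first_bad) <= version_num <= encode_upstream(last_bad)

# Constructed inputs: the second is the Jessie package named in the thread,
# the first a hypothetical earlier revision of the same upstream release.
PACKAGES = ["1.0.1t-1", "1.0.1t-1+deb8u6"]
# Hypothetical advisory range, chosen only to exercise the gate.
RANGE = ("1.0.1a", "1.0.1t")

if __name__ == "__main__":
    for pkg in PACKAGES:
        num = library_reported(pkg)
        print(f"{pkg:18} -> {num:#010x} flagged={flagged(num, *RANGE)}")
```

Both package revisions pack to the same number, so any gate keyed on it returns the same verdict for a patched and an unpatched build.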



