not able to install FR 3.0.16+git in (pure) Debian 9

Martin Pauly pauly at hrz.uni-marburg.de
Thu Sep 7 16:55:07 CEST 2017


Am 07.09.2017 um 15:06 schrieb Alan DeKok:
> So removing security checks is just not going to happen.
Yeah, I actually wanted to second that.

But since everyone including FR relies on the dynamically linked libraries (SSL here),
this specific security check boils down to checking the exact version, right?

I thought the discussion started by Rui is about this snippet from debian/rules:
----------------------------------------------------------------------------------------------------
  # Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160).
ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
        SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)"
else
        SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)"
endif
-----------------------------------------------------------------------------------------------------
Or have I missed some additional checks?

>> So they still distribute 3.0.12, but with everything fixed.
>    No.  3.0.15 would be "everything fixed".
correct myself: They still distribute 3.0.12, but with security holes fixed in default config.

I find it hard to judge the Debian approach to security patches. Clinging to a particular
version like that often means overdoing things. On the other hand, AFAIR with Heartbleed,
they did a real good job by very quickly delivering a bugfix-only update. But as things are,
I will continue compiling FR myself. Just good you provide all the prerequites.
I do appreciate scurity-bugfix-only updates, though ;-)

Cheers, Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5393 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170907/56377a8f/attachment-0001.bin>


More information about the Freeradius-Users mailing list