not able to install FR 3.0.16+git in (pure) Debian 9

Alan DeKok aland at deployingradius.com
Thu Sep 7 17:59:54 CEST 2017


On Sep 7, 2017, at 10:55 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> 
> On 07.09.2017 at 15:06, Alan DeKok wrote:
>> So removing security checks is just not going to happen.
> Yeah, I actually wanted to second that.
> 
> But since everyone including FR relies on the dynamically linked libraries (SSL here),
> this specific security check boils down to checking the exact version, right?

  Yes, because that's all we have.

> I thought the discussion started by Rui is about this snippet from debian/rules:
> ----------------------------------------------------------------------------------------------------
> # Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160).
> ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
>       SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)"
> else
>       SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)"
> endif
> -----------------------------------------------------------------------------------------------------
> Or have I missed some additional checks?

  The issue is that package managers fix (for example) 0.9.8j, and then release it as "0.9.8j-debian-alpha1".  But that is the *package* name.  The OpenSSL version is still "0.9.8j".

  And we have no way of knowing that the patch has been added.

>>> So they still distribute 3.0.12, but with everything fixed.
>>   No.  3.0.15 would be "everything fixed".
> correct myself: They still distribute 3.0.12, but with security holes fixed in default config.

  And missing lots of other fixes, documentation updates, etc.

  Alan DeKok.
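
Added example (not part of the original message, and not FreeRADIUS or Debian code): it shows why a runtime check that sees only the upstream OpenSSL version number still flags the patched packages named in the quoted `debian/rules`. It assumes the pre-3.0 `OPENSSL_VERSION_NUMBER` layout (0xMNNFFPPS) and that those distribution builds report their unchanged upstream versions 1.0.1e and 1.0.1f; the function names and sample pairs are constructed.

```python
# Added illustration; not FreeRADIUS or Debian code.
HEARTBLEED_FIRST = 0x1000100F  # OpenSSL 1.0.1, first affected release
HEARTBLEED_FIXED = 0x1000107F  # OpenSSL 1.0.1g, upstream fix for CVE-2014-0160


def decode(num):
    """Decode a pre-3.0 OPENSSL_VERSION_NUMBER (0xMNNFFPPS), e.g. to '1.0.1e'."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF  # 0 = no letter, 1 = 'a', 2 = 'b', ...
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"


def runtime_flags_heartbleed(num):
    """All a runtime check can do: range-test the upstream version number."""
    return HEARTBLEED_FIRST <= num < HEARTBLEED_FIXED


def split_debian_version(pkg):
    """Split '[epoch:]upstream-revision' into (upstream, revision)."""
    pkg = pkg.split(":", 1)[-1]  # drop an optional epoch
    if "-" not in pkg:
        return pkg, ""
    upstream, _, revision = pkg.rpartition("-")  # revision follows the last '-'
    return upstream, revision


def compare(pkg, runtime_num):
    """Contrast what the package manager knows with what the library reports."""
    upstream, revision = split_debian_version(pkg)
    reported = decode(runtime_num)
    return {
        "library_reports": reported,
        "same_upstream": upstream == reported,
        "hidden_from_runtime": revision,  # the backported fix lives only here
        "runtime_flags_heartbleed": runtime_flags_heartbleed(runtime_num),
    }


# Constructed pairs: package versions from the quoted debian/rules, with the
# version number a library built from that upstream release would report.
SAMPLES = [("1.0.1e-2+deb7u5", 0x1000105F), ("1.0.1f-1ubuntu2", 0x1000106F)]

if __name__ == "__main__":
    for pkg, num in SAMPLES:
        print(pkg, compare(pkg, num))
```

Both packages carry the Heartbleed fix according to the quoted comment, yet the runtime range test still flags them, because the revision part never reaches the library's version number.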



