not able to install FR 3.0.16+git in (pure) Debian 9
Alan DeKok
aland at deployingradius.com
Thu Sep 7 17:59:54 CEST 2017
On Sep 7, 2017, at 10:55 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
>
> Am 07.09.2017 um 15:06 schrieb Alan DeKok:
>> So removing security checks is just not going to happen.
> Yeah, I actually wanted to second that.
>
> But since everyone including FR relies on the dynamically linked libraries (SSL here),
> this specific security check boils down to checking the exact version, right?
Yes, because that's all we have.
> I thought the discussion started by Rui is about this snippet from debian/rules:
> ----------------------------------------------------------------------------------------------------
> # Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160).
> ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
> SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)"
> else
> SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)"
> endif
> -----------------------------------------------------------------------------------------------------
> Or have I missed some additional checks?
The issue is that package managers fix (for example) 0.9.8j, and then release it as "0.9.8j-debian-alpha1". But that is the *package* name. The OpenSSL version is still "0.9.8j".
And we have no way of knowing that the patch has been added.
>>> So they still distribute 3.0.12, but with everything fixed.
>> No. 3.0.15 would be "everything fixed".
> correct myself: They still distribute 3.0.12, but with security holes fixed in default config.
And missing lots of other fixes, documentation updates, etc.
Alan DeKok.
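The two checks the thread contrasts can be put side by side in code. The following is an added example, not FreeRADIUS's, Debian's or Ubuntu's own code: `vulnerable_by_version()` is a blacklist keyed on the OpenSSL version number (the only thing a running program can see, which is why a distro backport that leaves the version at "1.0.1e" still trips it), and `package_has_fix()` is a re-implementation of dpkg's version ordering applied to the two thresholds from the quoted debian/rules snippet, which is the check the `Depends:` line delegates to the package manager. The Heartbleed range (1.0.1 through 1.0.1f) is from CVE-2014-0160; the names `LIBSSL_DEFECTS`, `assess()` and every sample package version other than the two thresholds are constructed for the example.

```python
# Added example (not FreeRADIUS's or Debian's code). Contrasts a check on the
# OpenSSL version number with a check on the distribution package version.
import re

# --- Check 1: the OpenSSL version number, all a program can see at run time ---

def openssl_version_num(version):
    """Encode "1.0.1e" in OpenSSL's MNNFFPPS layout: major (4 bits), minor (8),
    fix (8), patch letter(s) (8), status nibble 0xf meaning release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, patch = m.groups()
    # 'a' = 1 ... 'z' = 26, 'za' = 27 ..., as the 0.9.8 series used.
    patch_num = sum(ord(ch) - ord("a") + 1 for ch in patch)
    return (int(major) << 28) | (int(minor) << 20) | (int(fix) << 12) | (patch_num << 4) | 0xF

# Known-vulnerable upstream ranges, inclusive. Only the CVE named in the thread
# is listed; Heartbleed affected 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
LIBSSL_DEFECTS = [
    ("CVE-2014-0160", openssl_version_num("1.0.1"), openssl_version_num("1.0.1f")),
]

def vulnerable_by_version(version):
    """CVE ids whose affected range covers the version string the library reports.
    A backported fix does not change that string, so it cannot be seen here."""
    num = openssl_version_num(version)
    return [cve for cve, low, high in LIBSSL_DEFECTS if low <= num <= high]

# --- Check 2: the package version, which is what a Depends: line tests ---

def _order(ch):
    # dpkg's ordering inside a non-digit run: '~' sorts before everything
    # (even end of string), letters by ASCII, then other characters.
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256

def _cmp_fragment(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")      # numeric run: ignore leading zeros
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():                      # longer numeric run wins
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_debian_versions(v1, v2):
    """Return <0, 0 or >0 like dpkg --compare-versions: epoch, upstream, revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# Fixed package versions copied from the quoted debian/rules snippet.
HEARTBLEED_FIXED_PACKAGE = {
    "ubuntu": "1.0.1f-1ubuntu2",
    "debian": "1.0.1e-2+deb7u5",
}

def package_has_fix(vendor, package_version):
    """True when the installed libssl package is at or above the fixed version."""
    return compare_debian_versions(package_version, HEARTBLEED_FIXED_PACKAGE[vendor]) >= 0

def assess(reported_version, vendor, package_version):
    """What each check concludes about one installed libssl (constructed helper)."""
    return {
        "by_openssl_version": vulnerable_by_version(reported_version),  # what radiusd sees
        "package_has_fix": package_has_fix(vendor, package_version),    # what dpkg sees
    }

if __name__ == "__main__":
    # Constructed samples. Debian's patched libssl still reports 1.0.1e, so the
    # version check flags it while the package check knows the fix is present.
    print(assess("1.0.1e", "debian", "1.0.1e-2+deb7u5"))
    print(assess("1.0.1e", "debian", "1.0.1e-2+deb7u4"))
    print(assess("1.0.1g", "debian", "1.0.1g-1"))
```

The first `assess()` call is the situation Alan describes: the version check cannot tell the patched 1.0.1e from the unpatched one, only the package version carries that information, and only the package manager knows how to order "2+deb7u4" against "2+deb7u5".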