Re: freeradius won't start due to heartbleed
On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:
> 'scuse my ignorance.
>
> But though I understand how that proves the point, surely
> the correct fix now would be to replace the openssl
> libs' to a version without the vulnerability, and reset
> that configuration option to "no"
>
> AFIK, FBSD 10.0 was released before the HeartBleed bug
> was found, so unless you know you've updated it to a
> fixed version, there could be trouble ahead.
>
> Just curious...
>
> Dave B. (I run '9.2 release' at home, that never had
> the trouble, AFIK.)

OpenSSL versions 1.0.1 through to 1.0.1f are affected by
Heartbleed, as you already know.

An interim fix for the base OpenSSL implementation in
FreeBSD-10 (which was 1.0.1e) was pushed out, without
changing the version number. So FreeRADIUS assumes anything
prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
of whether a fix is actually implemented or not. Hence the
need for this switch in the FreeRADIUS configuration.

So provided you know this, and provided your base FreeBSD
installation is patched, it's a safe option to use.

If you use the OpenSSL release in the ports, or when
FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
need that FreeRADIUS option anymore.

Hope this helps.

Cheers,
Mark.
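
Added example (not part of Mark's message and not FreeRADIUS source code): a version-number-only check of the kind described above, showing why a base-system 1.0.1e with a backported fix cannot be told apart from an unpatched 1.0.1e, and why an operator override is then needed. The function names and the operator_vouches flag are hypothetical; the sample version numbers are constructed from OpenSSL's 0xMNNFFPPS encoding.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS: major, minor, fix,
 * patch letter (a=1, b=2, ...) and a status nibble (0xf = release). */
#define VER_1_0_1  0x10001000UL /* 1.0.1, status nibble cleared */
#define VER_1_0_1G 0x10001070UL /* 1.0.1g, first fixed upstream release */

/* 1 if the number falls in the affected train 1.0.1 .. 1.0.1f, else 0. */
int in_heartbleed_range(unsigned long v)
{
    v &= 0xfffffff0UL; /* ignore the status nibble */
    return v >= VER_1_0_1 && v < VER_1_0_1G;
}

/* Startup decision: 1 = start, 0 = refuse. operator_vouches is a
 * hypothetical stand-in for the configuration switch: the admin asserts
 * that the library carries the fix even though its number did not change. */
int may_start(unsigned long v, int operator_vouches)
{
    return !in_heartbleed_range(v) || operator_vouches;
}

/* Render the number as text, e.g. 0x1000105f -> "1.0.1e". */
const char *version_text(unsigned long v)
{
    static char buf[16];
    unsigned long patch = (v >> 4) & 0xff;
    int n = snprintf(buf, sizeof buf, "%lu.%lu.%lu",
                     (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff);
    if (patch >= 1 && patch <= 26 && n > 0 && n < (int)sizeof buf - 1) {
        buf[n] = (char)('a' + patch - 1);
        buf[n + 1] = '\0';
    }
    return buf;
}

int main(void)
{
    /* Constructed samples. A 1.0.1e with a backported fix reports the same
     * number as an unpatched 1.0.1e, so one entry stands for both. */
    unsigned long samples[] = { 0x1000105fUL, 0x1000106fUL, 0x1000107fUL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s in_range=%d start(no)=%d start(vouched)=%d\n",
               version_text(samples[i]), in_heartbleed_range(samples[i]),
               may_start(samples[i], 0), may_start(samples[i], 1));
    return 0;
}
```

The check has no input that distinguishes a patched 1.0.1e from an unpatched one, so the override is only as trustworthy as the operator's own verification that the base system update was applied.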