Re: freeradius won't start due to heartbleed

On 10 Jun 2014 19:44, "Mark Tinka" <mark.tinka@seacom.mu> wrote:
>
> On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:
>
> > 'scuse my ignorance.
> >
> > But though I understand how that proves the point, surely
> > the correct fix now would be to replace the openssl
> > libs' to a version without the vulnerability, and reset
> > that configuration option to "no"
> >
> > AFIK, FBSD 10.0 was released before the HeartBleed bug
> > was found, so unles you know you've updated it to a
> > fixed version, there could be trouble ahead.
> >
> > Just curious...
> >
> > Dave B.    (I run '9.2 release' at home, that never had
> > the trouble, AFIK.)
>
> OpenSSL versions 1.0.1 through to 1.0.1f are affected by
> Heartbleed, as you already know.
>
> An interim fix for the base OpenSSL implementation in
> FreeBSD-10 (which was 1.0.1e) was pushed out, without
> changing the version number. So FreeRADIUS assumes anything
> prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
> of whether a fix is actually implemented or not. Hence the
> need for this switch in the FreeRADIUS configuration.
>
> So provided you know this, and provided your base FreeSBD
> installation is patched, it's a safe option to use.
>
> If you use the OpenSSL release in the ports, or when
> FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
> need that FreeRADIUS option anymore.
>
> Hope this helps.
>
> Cheers,
>
> Mark.

Cheers Mark.

I do now remember hearing something about a non version'd patch, though
even if successful, it only adds to the confusion :)

Other than that, you confirmed my suspicions.

Best Regards.

Dave B.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"