On Sat, Nov 03, 2007 at 12:36:01AM +0100, Alan DeKok wrote:
> http://freeradius.org/security.html
>
> You *can* manually upgrade to 1.1.7. It's not hard.

RH always backports security patches. From their 1.0.1 changelog:

* Wed Apr 25 2007 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4.5
- fixed CVE-2007-2028: EAP-TTLS denial of service
  Resolves: rhbz#236247

* Fri Mar 24 2006 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4.3
- added two lost fixes from (#167676)

* Fri Mar 24 2006 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4.2
- CVE-2006-1354: security fixes for EAP-MSCHAPv2 (#186083)
- other security related fixes (#167676)

* Tue Jun 14 2005 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4
- Fixed buffer overflow and possible SQL injection attacks in rlm_sql
  CAN-2005-1454, CAN-2005-1455 (#156941)

[...]

Deviating from the standard RHEL packages and maintaining your own RPM (this is for a large number of systems) is probably doable (often you encounter incompatibilities with older compilers and libraries, but freeradius is a relatively isolated piece of software, I think), but it also means I have to take care of security problems etc. myself, while RH does that for me now. That's why I only tend to maintain my own version if really necessary.

--
-- Jos Vos <[EMAIL PROTECTED]>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
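Because a backported fix leaves the package version unchanged, the practical check is the RPM changelog rather than the version string. The following is an added Python example (not from this thread or the FreeRADIUS project) that parses `rpm -q --changelog` style output, using the changelog entries quoted above as constructed sample input, and treats the legacy CAN- prefix as the same identifier as CVE-; the `installed_changelog` helper and the package name are assumptions.

```python
import re
import subprocess

# Constructed sample: the RHEL freeradius-1.0.1 changelog entries quoted in the thread.
SAMPLE_CHANGELOG = """\
* Wed Apr 25 2007 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4.5
- fixed CVE-2007-2028: EAP-TTLS denial of service
  Resolves: rhbz#236247
* Fri Mar 24 2006 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4.3
- added two lost fixes from (#167676)
* Fri Mar 24 2006 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4.2
- CVE-2006-1354: security fixes for EAP-MSCHAPv2 (#186083)
- other security related fixes (#167676)
* Tue Jun 14 2005 Thomas Woerner <[EMAIL PROTECTED]> 1.0.1-3.RHEL4
- Fixed buffer overflow and possible SQL injection attacks in rlm_sql
  CAN-2005-1454, CAN-2005-1455 (#156941)
"""

# Entry header: "* <Day Mon DD YYYY> <author> <version-release>"
HEADER_RE = re.compile(r"^\* (\w{3} \w{3} \d{1,2} \d{4}) .*\s(\S+)$")
# Current CVE- prefix and the pre-2005 CAN- (candidate) prefix name the same id
ID_RE = re.compile(r"\b(?:CVE|CAN)-(\d{4}-\d{4,})\b")

def normalize(cve_id):
    """Canonical CVE-YYYY-NNNN spelling for a CVE- or CAN- identifier."""
    return "CVE-" + cve_id.split("-", 1)[1]

def parse_changelog(text):
    """Map each CVE id to (release, date) of the newest entry mentioning it.
    rpm prints entries newest first, so the first hit wins."""
    fixed, release, date = {}, None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            date, release = m.group(1), m.group(2)
            continue
        for num in ID_RE.findall(line):
            fixed.setdefault("CVE-" + num, (release, date))
    return fixed

def is_fixed(cve_id, changelog_text):
    """True if the changelog records a fix for cve_id, whatever the version says."""
    return normalize(cve_id) in parse_changelog(changelog_text)

def installed_changelog(package):
    """Changelog of an installed RPM (assumes rpm is on PATH, e.g. package="freeradius")."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         capture_output=True, text=True, check=True)
    return out.stdout
```

On a real host, `is_fixed("CVE-2007-2028", installed_changelog("freeradius"))` answers the question the thread is about without comparing version numbers.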