Re: 0.9.3 has been released

2003-11-27 Thread Paul Hampson
On Wed, Nov 26, 2003 at 10:16:20AM -0600, Nick Davis wrote:
> Paul,
>  Here is the email I am referring to:
> 
> http://lists.cistron.nl/pipermail/freeradius-users/2003-July/021375.html
> 
> The dependencies of concern are: freetype fonts, gtk, xfree86, xlibs.  Those 
> deps were from debian Woody; I didn't actually test if those dependencies 
> had been removed in Sarge since the debian servers were down. As soon as the 
> debian servers are back up to normal, I'll try to use your .deb packages and 
> see what dependencies are required.

*horrible gagging noises*

OK. My next upload will have -iodbc split out to ease backporting. And
it will be reflected in CVS.

However, I'm leaving that until we have _a_ version in Debian... And my
development machine reassembled. (Hopefully in the other order...)

--
Paul "TBBle" Hampson, from an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 0.9.3 has been released

2003-11-26 Thread Alan DeKok
Bill Campbell <[EMAIL PROTECTED]> wrote:
> Looking at the src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in file,
> I would think that $mysql_lib_dir should be at the beginning of the list of
> directories to check rather than the end.  The mysql configuration succeeds
> with the attached patch.

  I've added the patch to the CVS head, thanks.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-26 Thread Bill Campbell
On Thu, Nov 20, 2003, Alan DeKok wrote:
>  Bug reports are nice.  Lack of notification is stupid.

I'm running into a problem building 0.9.3 with MySQL support on FreeBSD 4.8
and on SuSE 9.0 Professional Linux.

The problem is that the test for libmysqlclient fails with an undefined
reference to compress and uncompress.  It appears that the configure.in
file should have $old_LIBS after the -lmysqlclient to pick up the -lz
that's found earlier in configure.  On FreeBSD this build was not able to
find the ``floor'' function in the math libraries until I added ``-lm'' to
LIBS before starting the build.

Looking at the src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in file,
I would think that $mysql_lib_dir should be at the beginning of the list of
directories to check rather than the end.  The mysql configuration succeeds
with the attached patch.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

If you think health care is expensive now, wait until you see what it costs
when it's free -- P.J. O'Rourke
diff -uNr 
/csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure
 ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure
--- 
/csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure
2003-09-04 11:14:18.0 -0400
+++ ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure   2003-11-26 
16:10:33.0 -0500
@@ -978,8 +978,8 @@
old_LIBS="$LIBS"
 
 
-   for try in /usr/lib /usr/lib/mysql /usr/local/lib/mysql 
/usr/local/mysql/lib/mysql $mysql_lib_dir; do
-   LIBS="$old_LIBS -L$try -lmysqlclient"
+   for try in $mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql 
/usr/local/mysql/lib/mysql; do
+   LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS"
cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s 
conftest${ac_exeext}; then
   rm -rf conftest*
-  MYSQL_LIBS="-L$try -lmysqlclient"
+  MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
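Review bot: in the new `LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS"` line $old_LIBS now appears twice; the trailing copy is the one that resolves the compress/uncompress references (the linker scans libraries left to right, so -lz has to follow -lmysqlclient), so the leading copy can be dropped. Also, this file is generated from configure.in: regenerate it with autoconf from the configure.in hunk rather than hand-editing it, or the two will drift apart.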
diff -uNr 
/csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in
 ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in
--- 
/csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in
 2001-07-11 16:38:09.0 -0400
+++ ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in2003-11-26 
16:10:55.0 -0500
@@ -70,10 +70,10 @@
 dnlAC_LOCATE_DIR(mysql_lib_dir,[libmysqlclient.so])
 dnlAC_LOCATE_DIR(mysql_lib_dir,[libmysqlclient.a])
 
-   for try in /usr/lib /usr/lib/mysql /usr/local/lib/mysql 
/usr/local/mysql/lib/mysql $mysql_lib_dir; do
-   LIBS="$old_LIBS -L$try -lmysqlclient"
+   for try in $mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql 
/usr/local/mysql/lib/mysql; do
+   LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS"
AC_TRY_LINK([extern char mysql_init();], [mysql_init()],
-   MYSQL_LIBS="-L$try -lmysqlclient",
+   MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS",
MYSQL_LIBS=
)
if test "x$MYSQL_LIBS" != "x"; then
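Review bot: `MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS"` exports everything that happened to be in LIBS when this check ran (-lz, the -lm added on FreeBSD, and anything else configure had collected) into the module's link line, not only what libmysqlclient needs. If the goal is the -lz named in the cover note, consider a dedicated `AC_CHECK_LIB(z, compress)` and append just that, so MYSQL_LIBS stays minimal and does not depend on earlier LIBS contents. Moving $mysql_lib_dir to the front of the list is right: an explicitly configured location should win over the system directories.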


Re: 0.9.3 has been released

2003-11-26 Thread Nick Davis
Paul,
 Here is the email I am referring to:

http://lists.cistron.nl/pipermail/freeradius-users/2003-July/021375.html

The dependencies of concern are: freetype fonts, gtk, xfree86, xlibs.  Those 
deps were from debian Woody; I didn't actually test if those dependencies 
had been removed in Sarge since the debian servers were down. As soon as the 
debian servers are back up to normal, I'll try to use your .deb packages and 
see what dependencies are required.

Thanks!

Nick

On Friday 21 November 2003 20:58, Paul Hampson wrote:
> On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
> > On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> >
> > Paul,
> >
> >  I see that these deb packages have the same dependency issues we
> > discussed in September with libiodbc2 and libltdl3. The Depends says:
> >  freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
> >   Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
> >  freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is
> > installed
>
> To be honest, I don't remember discussing this in September, but my mail
> archives are currently in transit, so I can't check what I said.
>
> According to my local Debian mirror, (mirror.aarnet.edu.au), the current
> libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7,
> and the current zlib1g is 1:1.2.1-1
>
> > I am running Sarge, and I tried to search through unstable. Where do
> > those versions of those libraries come from? Several of the debian web
> > servers have been compromised and are down for inspection, so I am not
> > able to search for the necessary versions of these libraries.
>
> Ah, that's the problem, testing's not up to date on these libraries.
>
> Since we're going for Debian archive acceptance, they have to be built
> against unstable. I may have previously built against testing, but I
> don't think I put those binaries anywhere, as they were built on a
> powerpc machine.
>
> On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
> > All,
> >  I posted new versions of my slimmed down debian packages:
> > http://mrtizmo.com/freeradius/index.html
> >
> > The big thing I did was to remove the need for iodbc, since it has a lot
> > of nasty dependencies.
>
> Apart from libc6, what other dependencies are you seeing from libiodbc2?
>
> (My unstable build machine is currently also in transit, so I can't
> check that myself. Last time I tried to get iodbc broken out into its
> own package, the lack of interesting dependencies was the deciding
> factor. I do intend to readdress this issue once we're in the Debian
> archive)
>
> --
> Paul "TBBle" Hampson, from an alternate email client.
>

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: 0.9.3 has been released

2003-11-21 Thread Paul Hampson
On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
> On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> > As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> > rlm_eap has been silenced in the case where it is called upon a non-EAP
> > packet.
> >
> > There are packages for Debian at
> > http://www.tbble.com/freeradius/
> > They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> > muck with the new source archive; and (b) we're >< this close to getting
> > into Debian/unstable so I don't want to muck with things too much until
> > that's done.
> >
> > Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> > are the same as the 0.9.3 tarball above, but with major Debian packaging
> > improvements (big thanks to Steve Langasek for his guidance here) which
> > will hopefully go into 1.0.0 and 0.9.4's tarballs.

> Paul,

>  I see that these deb packages have the same dependency issues we discussed in 
> September with libiodbc2 and libltdl3. The Depends says:
>  freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
>   Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
>  freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

To be honest, I don't remember discussing this in September, but my mail
archives are currently in transit, so I can't check what I said.

According to my local Debian mirror, (mirror.aarnet.edu.au), the current
libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7,
and the current zlib1g is 1:1.2.1-1

> I am running Sarge, and I tried to search through unstable. Where do those 
> versions of those libraries come from? Several of the debian web servers have 
> been compromised and are down for inspection, so I am not able to search for 
> the necessary versions of these libraries.

Ah, that's the problem, testing's not up to date on these libraries.

Since we're going for Debian archive acceptance, they have to be built
against unstable. I may have previously built against testing, but I
don't think I put those binaries anywhere, as they were built on a
powerpc machine.

On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
> All,
>  I posted new versions of my slimmed down debian packages:
> http://mrtizmo.com/freeradius/index.html
> 
> The big thing I did was to remove the need for iodbc, since it has a lot of 
> nasty dependencies.

Apart from libc6, what other dependencies are you seeing from libiodbc2?

(My unstable build machine is currently also in transit, so I can't
check that myself. Last time I tried to get iodbc broken out into its
own package, the lack of interesting dependencies was the deciding
factor. I do intend to readdress this issue once we're in the Debian
archive)

--
Paul "TBBle" Hampson, from an alternate email client.



Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Bill Campbell <[EMAIL PROTECTED]> wrote:
>> >  For uint8_t arrays, the 'sizeof' the array is the number of elements.
>> 
>> OK.  While that may be the case for uint8_t, it seems to me that good
>> coding practice is to use sizeof here and not depend on knowledge of the
>> internal size of the elements.
>
>  The problem is that the fields are defined in relation to the
>protocol: 16 octets.  sizeof() is a C programming construct, and thus
>there may be padding in a struct.  We do not want that padding to
>affect the program's ability to generate or parse 16 octet fields.

Perhaps it would be good to put some comments in radius.c explaining this,
and be consistent in its use.  This could save some head scratching in the
future, particularly if somebody (like me) who's not all that familiar with
the code is looking at it.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Never blame a legislative body for not doing something.  When they do
nothing, that don't hurt anybody.  When they do something is when they
become dangerous.''
Will Rogers



Re: 0.9.3 has been released

2003-11-21 Thread Alan DeKok
Bill Campbell <[EMAIL PROTECTED]> wrote:
> >  For uint8_t arrays, the 'sizeof' the array is the number of elements.
> 
> OK.  While that may be the case for uint8_t, it seems to me that good
> coding practice is to use sizeof here and not depend on knowledge of the
> internal size of the elements.

  The problem is that the fields are defined in relation to the
protocol: 16 octets.  sizeof() is a C programming construct, and thus
there may be padding in a struct.  We do not want that padding to
affect the program's ability to generate or parse 16 octet fields.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Bill Campbell <[EMAIL PROTECTED]> wrote:
>> On a related security note, the src/lib/radius.c program has several
>> references to msg_auth_vector and calc_auth_vector starting around line
>> 1108 with several memcpy and memcmp operations, some of which use
>> sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
>> Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
>> doubt these lengths would be the same.
>
>  Huh? Why?
>
>  For uint8_t arrays, the 'sizeof' the array is the number of elements.

OK.  While that may be the case for uint8_t, it seems to me that good
coding practice is to use sizeof here and not depend on knowledge of the
internal size of the elements.  I may be a bit paranoid about this, because
I've been known to shoot myself in the feet as a result of structure padding
and such.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The trouble with fighting for human freedom is that one spends most of
one's time defending scoundrels. For it is against scoundrels that
oppressive laws are first aimed, and oppression must be stopped at the
beginning if it is to be stopped at all.'' -- H. L. Mencken



Re: 0.9.3 has been released

2003-11-21 Thread Chris Parker
At 12:26 PM 11/21/2003, Bill Campbell wrote:
>On Fri, Nov 21, 2003, Chris Parker wrote:
>>At 11:18 AM 11/21/2003, Bill Campbell wrote:
>>>On Fri, Nov 21, 2003, Alan DeKok wrote:
>>>>Oliver Graf <[EMAIL PROTECTED]> wrote:
>>>>> >   With that said, 0.9.3 has been released.  It's in the normal places:
>>>>>
>>>>> I submitted a security report and a new package ebuild to the gentoo
>>>>> ( http://gentoo.org/ ) community.
>>>>
>>>>  Thanks.  This just re-iterates my belief that RADIUS servers should be
>>>>on private networks, far away from any possible source of malicious
>>>>packets.
>>>
>>>Either that, or packet filters that restrict the hosts that can
>>>access the radius servers.
>>
>>Wouldn't work in this case, since packets are UDP, a packet with a spoofed
>>source of a valid client will pass the filter.  :\  All you'd need to
>>DOS a radius server is a valid client IP.  The RADIUS protocol makes
>>it very hard to enforce additional restrictions, as the packet format
>>is all in cleartext ( excepting certain Password attributes ) with
>>no validation or signing.
>
>It's kinda hard to have the radius server on a private network if it's
>doing authentication for wholesale dialup connections :-).

Yes.  Kinda a problem there.  However, an Auth-Req from a proxy target
will not match the clients list and will be discarded.  You could
run a private network between the NAS and the Radius, but then Radius
running on multihomed systems has always been interesting.  Certainly
doable though, given enough time.

IPSec is another tool that could help.

>Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
>and Nortel makes it difficult to get updated software.

That's a problem with Nortel.  If the rest of the world can figure out
how to do Radius securely and safely, we shouldn't compromise the whole
for the few that can't figure out how to follow the RFC's.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: 0.9.3 has been released

2003-11-21 Thread Alan DeKok
Bill Campbell <[EMAIL PROTECTED]> wrote:
> On a related security note, the src/lib/radius.c program has several
> references to msg_auth_vector and calc_auth_vector starting around line
> 1108 with several memcpy and memcmp operations, some of which use
> sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
> Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
> doubt these lengths would be the same.

  Huh? Why?

  For uint8_t arrays, the 'sizeof' the array is the number of elements.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Chris Parker wrote:
>At 11:18 AM 11/21/2003, Bill Campbell wrote:
>>On Fri, Nov 21, 2003, Alan DeKok wrote:
>>>Oliver Graf <[EMAIL PROTECTED]> wrote:
>>>> >   With that said, 0.9.3 has been released.  It's in the normal places:
>>>>
>>>> I submitted a security report and a new package ebuild to the gentoo
>>>> ( http://gentoo.org/ ) community.
>>>
>>>  Thanks.  This just re-iterates my belief that RADIUS servers should be
>>>on private networks, far away from any possible source of malicious
>>>packets.
>>
>>Either that, or packet filters that restrict the hosts that can
>>access the radius servers.
>
>Wouldn't work in this case, since packets are UDP, a packet with a spoofed
>source of a valid client will pass the filter.  :\  All you'd need to
>DOS a radius server is a valid client IP.  The RADIUS protocol makes
>it very hard to enforce additional restrictions, as the packet format
>is all in cleartext ( excepting certain Password attributes ) with
>no validation or signing.

It's kinda hard to have the radius server on a private network if it's
doing authentication for wholesale dialup connections :-).

>The Message-Authenticator value would serve this purpose, however
>it is not required, and as such doesn't help in this case, either,
>and won't until or unless it is made mandatory.  That would then
>break old clients/servers that don't support Message-Authenticator.
>
>http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
and Nortel makes it difficult to get updated software.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``No matter how much I may exaggerate it, it must have a certain amount of
truth...Now rumor travels fast but it don't stay put as long as truth''
Will Rogers



Re: 0.9.3 has been released

2003-11-21 Thread Chris Parker
At 11:18 AM 11/21/2003, Bill Campbell wrote:
>On Fri, Nov 21, 2003, Alan DeKok wrote:
>>Oliver Graf <[EMAIL PROTECTED]> wrote:
>>> >   With that said, 0.9.3 has been released.  It's in the normal places:
>>>
>>> I submitted a security report and a new package ebuild to the gentoo
>>> ( http://gentoo.org/ ) community.
>>
>>  Thanks.  This just re-iterates my belief that RADIUS servers should be
>>on private networks, far away from any possible source of malicious
>>packets.
>
>Either that, or packet filters that restrict the hosts that can
>access the radius servers.

Wouldn't work in this case, since packets are UDP, a packet with a spoofed
source of a valid client will pass the filter.  :\  All you'd need to
DOS a radius server is a valid client IP.  The RADIUS protocol makes
it very hard to enforce additional restrictions, as the packet format
is all in cleartext ( excepting certain Password attributes ) with
no validation or signing.

The Message-Authenticator value would serve this purpose, however
it is not required, and as such doesn't help in this case, either,
and won't until or unless it is made mandatory.  That would then
break old clients/servers that don't support Message-Authenticator.

http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

The light at the end of the tunnel is that it *was* made mandatory
for any packet with EAP-Message attributes.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net
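As an added example (not code from the thread or from FreeRADIUS), this is the check a server performs on Message-Authenticator, including the EAP-Message rule Chris mentions: HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed. The secret, identifier, authenticator and attribute values are constructed for the demonstration.

```python
"""Server-side check of the RADIUS Message-Authenticator attribute
(RFC 2869, HMAC-MD5 over the packet with the shared secret).
Added example for this thread; not FreeRADIUS code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
AUTH_VECTOR_LEN = 16  # protocol-defined 16 octets, as discussed in the thread

# Constructed sample values (not from the thread).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))  # fixed for repeatability; a real one is random


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: one-octet type, one-octet length."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes((attr_type, len(value) + 2)) + value
    return bytes(out)


def build_access_request(ident, authenticator, attrs, secret, sign=True):
    """Build an Access-Request; with sign=True append a Message-Authenticator
    whose value is HMAC-MD5(secret, packet with the MA value zeroed)."""
    body = encode_attrs(attrs)
    if sign:
        body += bytes((ATTR_MESSAGE_AUTHENTICATOR, 2 + AUTH_VECTOR_LEN))
        body += bytes(AUTH_VECTOR_LEN)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    pkt = bytearray(header + authenticator + body)
    if sign:
        pkt[-AUTH_VECTOR_LEN:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def parse_attrs(data):
    """Return (type, offset, value) triples; offsets are relative to data."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[off], data[off + 1]
        if attr_len < 2 or off + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, off, data[off + 2:off + attr_len]))
        off += attr_len
    return attrs


def check_message_authenticator(pkt, secret):
    """Classify an incoming request:
      'ok'      Message-Authenticator present and verifies
      'bad'     present but wrong (tampering, wrong secret, bad length, duplicate)
      'missing' absent although EAP-Message is present (mandatory per RFC 2869)
      'absent'  absent and not required; nothing in the request proves the
                sender knows the secret, which is the gap Chris describes"""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad Length field")
    pkt = pkt[:length]  # octets beyond Length are padding and are ignored
    attrs = parse_attrs(pkt[HEADER_LEN:])
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    if not mas:
        return "missing" if has_eap else "absent"
    off, val = mas[0]
    if len(mas) != 1 or len(val) != AUTH_VECTOR_LEN:
        return "bad"
    start = HEADER_LEN + off + 2  # first octet of the MA value inside pkt
    zeroed = pkt[:start] + bytes(AUTH_VECTOR_LEN) + pkt[start + AUTH_VECTOR_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, val) else "bad"


def demo():
    """Run the check over constructed packets; returns the four verdicts."""
    eap_response = b"\x02\x01\x00\x08\x01bob"  # EAP Response/Identity "bob"
    attrs = [(ATTR_USER_NAME, b"bob"), (ATTR_EAP_MESSAGE, eap_response)]
    good = build_access_request(7, REQUEST_AUTHENTICATOR, attrs, SECRET)
    tampered = bytearray(good)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip a bit in the User-Name value
    unsigned_eap = build_access_request(7, REQUEST_AUTHENTICATOR, attrs, SECRET, sign=False)
    plain = build_access_request(7, REQUEST_AUTHENTICATOR, attrs[:1], SECRET, sign=False)
    return (check_message_authenticator(good, SECRET),
            check_message_authenticator(bytes(tampered), SECRET),
            check_message_authenticator(unsigned_eap, SECRET),
            check_message_authenticator(plain, SECRET))
```

demo() returns ('ok', 'bad', 'missing', 'absent'); a server that treats 'missing' as a reject is applying the EAP rule, while 'absent' is the case where filtering and the shared secret are all that remain.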




Re: 0.9.3 has been released

2003-11-21 Thread Bill Campbell
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Oliver Graf <[EMAIL PROTECTED]> wrote:
>> >   With that said, 0.9.3 has been released.  It's in the normal places:
>> 
>> I submitted a security report and a new package ebuild to the gentoo
>> ( http://gentoo.org/ ) community.
>
>  Thanks.  This just re-iterates my belief that RADIUS servers should be
>on private networks, far away from any possible source of malicious
>packets.

Either that, or packet filters that restrict the hosts that can
access the radius servers.

On a related security note, the src/lib/radius.c program has several
references to msg_auth_vector and calc_auth_vector starting around line
1108 with several memcpy and memcmp operations, some of which use
sizeof(calc_auth_vector) for the length, others with AUTH_VECTOR_LEN.
Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
doubt these lengths would be the same.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The meek shall inherit the Earth, the rest of us will go to the stars...''
-Dr. Isaac Asimov



Re: 0.9.3 has been released

2003-11-21 Thread Alan DeKok
Oliver Graf <[EMAIL PROTECTED]> wrote:
> >   With that said, 0.9.3 has been released.  It's in the normal places:
> 
> I submitted a security report and a new package ebuild to the gentoo
> ( http://gentoo.org/ ) community.

  Thanks.  This just re-iterates my belief that RADIUS servers should be
on private networks, far away from any possible source of malicious
packets.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-21 Thread Nick Davis
On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> rlm_eap has been silenced in the case where it is called upon a non-EAP
> packet.
>
> There are packages for Debian at
> http://www.tbble.com/freeradius/
> They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> muck with the new source archive; and (b) we're >< this close to getting
> into Debian/unstable so I don't want to muck with things too much until
> that's done.
>
> Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> are the same as the 0.9.3 tarball above, but with major Debian packaging
> improvements (big thanks to Steve Langasek for his guidance here) which
> will hopefully go into 1.0.0 and 0.9.4's tarballs.
>
> --

Paul,
 Ignore the previous msg, I put Dec instead of Sept in the first line.

 I see that these deb packages have the same dependency issues we discussed in 
September with libiodbc2 and libltdl3. The Depends says:
 freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
  Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
 freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

I am running Sarge, and I tried to search through unstable. Where do those 
versions of those libraries come from? Several of the debian web servers have 
been compromised and are down for inspection, so I am not able to search for 
the necessary versions of these libraries.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

I am going to get the cvs and build my own deb packages without these 
dependencies and without the extra modules like before, but I just wanted to 
see what your current thoughts are on this issue.

Thanks for your work!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: 0.9.3 has been released

2003-11-21 Thread Nick Davis
On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> rlm_eap has been silenced in the case where it is called upon a non-EAP
> packet.
>
> There are packages for Debian at
> http://www.tbble.com/freeradius/
> They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> muck with the new source archive; and (b) we're >< this close to getting
> into Debian/unstable so I don't want to muck with things too much until
> that's done.
>
> Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> are the same as the 0.9.3 tarball above, but with major Debian packaging
> improvements (big thanks to Steve Langasek for his guidance here) which
> will hopefully go into 1.0.0 and 0.9.4's tarballs.
>
> --

Paul,

 I see that these deb packages have the same dependency issues we discussed in 
December with libiodbc2 and libltdl3. The Depends says:
 freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
  Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
 freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

I am running Sarge, and I tried to search through unstable. Where do those 
versions of those libraries come from? Several of the debian web servers have 
been compromised and are down for inspection, so I am not able to search for 
the necessary versions of these libraries.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

I am going to get the cvs and build my own deb packages without these 
dependencies and without the extra modules like before, but I just wanted to 
see what your current thoughts are on this issue.

Thanks for your work!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services




Re: 0.9.3 has been released

2003-11-21 Thread 3APA3A
Dear Alan DeKok,


--Thursday, November 20, 2003, 11:51:13 PM, you wrote to [EMAIL PROTECTED]:


AD>   As it turns out, however, the problem isn't as bad as it could have
AD> been.  The bug he reported can cause the server to crash, but is
AD> difficult to exploit.  Any attack code MUST be in the form of a valid
AD> RADIUS packet, which significantly limits the possible exploits.

AD>   However, there was another bug which the reporter did NOT discover,
AD> which causes the server to de-reference a NULL pointer, and thus
AD> crash, whenever an Access-Request packet containing a Tunnel-Password
AD> attribute is received.

Neither bug is exploitable for code execution (the first one because the
target buffer is on the heap, not on the stack, and it is impossible to
overwrite a local variable inside memcpy, as in the case of the
apache-nosejob exploit, so memcpy will always segfault and never return).

It is fully identical to bug (2) described in
http://www.security.nnov.ru/search/document.asp?docid=2578  Either I
missed this bug during the audit 1.5 years ago or it was introduced later.
At the time of the audit, the tunneling support code was present in the
sources in a non-working state.


-- 
~/ZARAZA
Man is a mystery... I study this mystery in order to be a human being. (Dostoevsky)




Re: 0.9.3 has been released

2003-11-21 Thread Oliver Graf
On Thu, Nov 20, 2003 at 03:51:13PM -0500, Alan DeKok wrote:
>   Bug reports are nice.  Lack of notification is stupid.
> 
>   With that said, 0.9.3 has been released.  It's in the normal places:

I submitted a security report and a new package ebuild to the gentoo
( http://gentoo.org/ ) community.

Oliver.




RE: 0.9.3 has been released

2003-11-20 Thread Paul Hampson
> From: Alan DeKok
> Sent: Friday, 21 November 2003 7:51 AM

>   Bug reports are nice.  Lack of notification is stupid.

>   With that said, 0.9.3 has been released.  It's in the normal places:
> 
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
> 
>   With PGP signature at:
> 
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
> 
>   It is just 0.9.2 with a bug fixed, and the version number updated.

As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
rlm_eap has been silenced in the case where it is called upon a non-EAP
packet.

There are packages for Debian at
http://www.tbble.com/freeradius/
They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
muck with the new source archive; and (b) we're >< this close to getting
into Debian/unstable so I don't want to muck with things too much until
that's done.

Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
are the same as the 0.9.3 tarball above, but with major Debian packaging
improvements (big thanks to Steve Langasek for his guidance here) which
will hopefully go into 1.0.0 and 0.9.4's tarballs.

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.




Re: 0.9.3 has been released

2003-11-20 Thread Alan DeKok
"Kaczmarek, Thaddeus" <[EMAIL PROTECTED]> wrote:
> On Redhat 9 upgrading whacked my dictionary entries.
> I had to redo /etc/raddb/dictionary.

  I don't see why.  The server does NOT replace /etc/raddb/dictionary,
EVER.

  The location of the dictionaries changed in 0.9.0, but that was a
while ago.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-20 Thread Kaczmarek, Thaddeus

On Redhat 9 upgrading whacked my dictionary entries.
I had to redo /etc/raddb/dictionary.


Ted
On Thu, 2003-11-20 at 16:43, Matthew Schumacher wrote:
> Alan,
> 
> Thanks for your hard work... we all appreciate it.
> 
> Alan DeKok wrote:
> >   Bug reports are nice.  Lack of notification is stupid.
> > 
> >   With that said, 0.9.3 has been released.  It's in the normal places:
> > 
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
> > 
> >   With PGP signature at:
> > 
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
> > 
> >   It is just 0.9.2 with a bug fixed, and the version number updated.
> > 
> > 
> >   The original reporter threatened to release an exploit when I told
> > him I was unhappy with his lack of notification prior to the public
> > release of the vulnerability information.  Blackmail is stupid.
> > 
> >   As it turns out, however, the problem isn't as bad as it could have
> > been.  The bug he reported can cause the server to crash, but is
> > difficult to exploit.  Any attack code MUST be in the form of a valid
> > RADIUS packet, which significantly limits the possible exploits.
> > 
> >   However, there was another bug which the reporter did NOT discover,
> > which causes the server to de-reference a NULL pointer, and thus
> > crash, whenever an Access-Request packet containing a Tunnel-Password
> > attribute is received.
> > 
> >   Both bugs have been fixed in 0.9.3, and in the CVS head.
> > 
> >   We recommend that everyone upgrade to 0.9.3 as soon as possible.
> > 
> >   Alan DeKok.
> > 
> 
> 





Re: 0.9.3 has been released

2003-11-20 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Do either of these bugs affect (within the best of your ability to guess, 
> of course!) versions of FR prior to 0.9 ?  (All other good reasons to 
> upgrade to 0.9 notwithstanding...)

  I've done a quick check, and it's there since at least 0.4.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-20 Thread Matthew Schumacher
Alan,

Thanks for your hard work... we all appreciate it.

Alan DeKok wrote:
  Bug reports are nice.  Lack of notification is stupid.

  With that said, 0.9.3 has been released.  It's in the normal places:

ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz

  With PGP signature at:

ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig

  It is just 0.9.2 with a bug fixed, and the version number updated.

  The original reporter threatened to release an exploit when I told
him I was unhappy with his lack of notification prior to the public
release of the vulnerability information.  Blackmail is stupid.
  As it turns out, however, the problem isn't as bad as it could have
been.  The bug he reported can cause the server to crash, but is
difficult to exploit.  Any attack code MUST be in the form of a valid
RADIUS packet, which significantly limits the possible exploits.
  However, there was another bug which the reporter did NOT discover,
which causes the server to de-reference a NULL pointer, and thus
crash, whenever an Access-Request packet containing a Tunnel-Password
attribute is received.
  Both bugs have been fixed in 0.9.3, and in the CVS head.

  We recommend that everyone upgrade to 0.9.3 as soon as possible.

  Alan DeKok.

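The announcement above makes two points a defender can act on: any packet that reaches the vulnerable code has to be a well-formed RADIUS datagram, and the second (undisclosed) bug is triggered by an Access-Request that carries a Tunnel-Password attribute. The following is an added example, not code from this thread or from the FreeRADIUS project: a small RFC 2865 packet parser in Python with a check that flags Access-Request datagrams carrying Tunnel-Password (attribute type 69, which RFC 2868 allows only in Access-Accept), so captured traffic can be triaged while servers are being upgraded. The function names are my own, and the sample datagrams at the bottom are constructed for the example, with a fixed placeholder Request Authenticator.

```python
import struct

# RADIUS framing constants from RFC 2865 / RFC 2868.
RADIUS_HEADER_LEN = 20
RADIUS_MAX_LEN = 4096
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_TUNNEL_PASSWORD = 69   # RFC 2868: permitted only in Access-Accept


def parse_radius(data):
    """Parse one RADIUS datagram into (code, identifier, authenticator, attrs).

    attrs is a list of (type, value_bytes). The RFC 2865 framing rules are
    enforced: a 20-byte header, a Length between 20 and 4096 that does not
    exceed the datagram, and every attribute Length >= 2 and inside the
    packet. Anything else raises ValueError.
    """
    if len(data) < RADIUS_HEADER_LEN:
        raise ValueError("datagram shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < RADIUS_HEADER_LEN or length > RADIUS_MAX_LEN or length > len(data):
        raise ValueError("Length field %d is inconsistent with the datagram" % length)
    authenticator = data[4:RADIUS_HEADER_LEN]
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length %d at offset %d" % (a_len, pos))
        attrs.append((a_type, bytes(data[pos + 2:pos + a_len])))
        pos += a_len
    return code, ident, authenticator, attrs


def is_well_formed(data):
    """True if parse_radius() accepts the datagram."""
    try:
        parse_radius(data)
        return True
    except ValueError:
        return False


def tunnel_password_in_request(data):
    """True for a well-formed Access-Request that carries Tunnel-Password (69)."""
    code, _, _, attrs = parse_radius(data)
    return code == CODE_ACCESS_REQUEST and any(t == ATTR_TUNNEL_PASSWORD for t, _ in attrs)


def scan(datagrams):
    """Triage captured datagrams.

    Returns (flagged_ids, malformed_count): the identifiers of Access-Requests
    carrying Tunnel-Password, and the number of datagrams the parser rejected.
    """
    flagged, malformed = [], 0
    for d in datagrams:
        if not is_well_formed(d):
            malformed += 1
            continue
        if tunnel_password_in_request(d):
            flagged.append(parse_radius(d)[1])
    return flagged, malformed


# Constructed sample datagrams (not captured traffic). The 16-byte
# Request Authenticator is a fixed placeholder.
AUTH = bytes(range(16))
# Ordinary Access-Request, identifier 0x2a, one attribute: User-Name "bob".
BENIGN_REQUEST = bytes([CODE_ACCESS_REQUEST, 0x2a, 0, 25]) + AUTH + bytes([ATTR_USER_NAME, 5]) + b"bob"
# Access-Request, identifier 0x2b, with a Tunnel-Password attribute (type 69, length 6).
SUSPECT_REQUEST = (bytes([CODE_ACCESS_REQUEST, 0x2b, 0, 31]) + AUTH
                   + bytes([ATTR_USER_NAME, 5]) + b"bob"
                   + bytes([ATTR_TUNNEL_PASSWORD, 6, 0x00, 0x11, 0x22, 0x33]))
# Header claims 31 bytes but the datagram is cut short: rejected by the parser.
TRUNCATED = SUSPECT_REQUEST[:26]

if __name__ == "__main__":
    print(scan([BENIGN_REQUEST, SUSPECT_REQUEST, TRUNCATED]))
```

Run over a capture, `scan()` separates datagrams the server would discard at the framing stage from well-formed requests that carry the attribute the announcement names. A non-zero flagged count is a reason to treat the upgrade as "do right now" and to look at which client sent those identifiers, since Tunnel-Password has no legitimate place in an Access-Request.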




Re: 0.9.3 has been released

2003-11-20 Thread Alan DeKok
Kevin Bonner <[EMAIL PROTECTED]> wrote:
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
> 
> I don't see this file yet.  Still creating/uploading, or just overlooked in
> the frenzy of releasing as quick as possible?

  Overlooked, sorry.  It should be there now.

  Alan DeKok.



Re: 0.9.3 has been released

2003-11-20 Thread Vincent_Giovannone
[EMAIL PROTECTED] wrote on 11/20/2003 02:51:13 PM:

>   Bug reports are nice.  Lack of notification is stupid.
> 
>   With that said, 0.9.3 has been released.  It's in the normal places:
> 
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
> 
>   With PGP signature at:
> 
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
> 
>   It is just 0.9.2 with a bug fixed, and the version number updated.
> 
> 
>   The original reporter threatened to release an exploit when I told
> him I was unhappy with his lack of notification prior to the public
> release of the vulnerability information.  Blackmail is stupid.
> 
>   As it turns out, however, the problem isn't as bad as it could have
> been.  The bug he reported can cause the server to crash, but is
> difficult to exploit.  Any attack code MUST be in the form of a valid
> RADIUS packet, which significantly limits the possible exploits.
> 
>   However, there was another bug which the reporter did NOT discover,
> which causes the server to de-reference a NULL pointer, and thus
> crash, whenever an Access-Request packet containing a Tunnel-Password
> attribute is received.
> 
>   Both bugs have been fixed in 0.9.3, and in the CVS head.
> 
>   We recommend that everyone upgrade to 0.9.3 as soon as possible.

Do either of these bugs affect (within the best of your ability to guess, 
of course!) versions of FR prior to 0.9 ?  (All other good reasons to 
upgrade to 0.9 notwithstanding...)

Just trying to gauge if I should put this on the "do soon" pile, or the 
"do right now" pile.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
(312) 942-4242

"When I was four I wanted an Action Man armoured personnel carrier. I 
didn't have any genuine Action Men - my parents couldn't afford them; 
instead of a professional army I had a ragtag band of Korean and Chinese 
irregulars whose political commitment, I hoped, made up for their having 
no knee or elbow joints." 
-- Mil Millington




Re: 0.9.3 has been released

2003-11-20 Thread Kevin Bonner
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for pushing the fix out quickly, given the short notice.

>   With PGP signature at:
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig

I don't see this file yet.  Still creating/uploading, or just overlooked in 
the frenzy of releasing as quick as possible?

Kevin Bonner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/vS9J/9i/ml3OBYMRAlY9AJoDBu823UA8HUFGpiq6pPwtW2bUKQCgk9OS
KLCtpkG614JXtAKnbRrkj70=
=VLbK
-----END PGP SIGNATURE-----

