Re: 0.9.3 has been released
On Wed, Nov 26, 2003 at 10:16:20AM -0600, Nick Davis wrote:
> Paul,
> Here is the email I am referring to:
>
> http://lists.cistron.nl/pipermail/freeradius-users/2003-July/021375.html
>
> The dependencies of concern are: freetype fonts, gtk, xfree86, xlibs. Those
> deps were from Debian Woody; I didn't actually test if those dependencies
> had been removed in Sarge since the Debian servers were down. As soon as the
> Debian servers are back up to normal, I'll try to use your .deb packages and
> see what dependencies are required.

*horrible gagging noises*

OK. My next upload will have -iodbc split out to ease backporting. And it
will be reflected in CVS. However, I'm leaving that until we have _a_ version
in Debian... And my development machine reassembled. (Hopefully in the other
order...)

--
Paul "TBBle" Hampson, from an alternate email client.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 0.9.3 has been released
Bill Campbell <[EMAIL PROTECTED]> wrote:
> Looking at the src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in file,
> I would think that $mysql_lib_dir should be at the beginning of the list of
> directories to check rather than the end. The mysql configuration succeeds
> with the attached patch.

I've added the patch to the CVS head, thanks.

Alan DeKok.
Re: 0.9.3 has been released
On Thu, Nov 20, 2003, Alan DeKok wrote:
> Bug reports are nice. Lack of notification is stupid.

I'm running into a problem building 0.9.3 with MySQL support on FreeBSD 4.8
and on SuSE 9.0 Professional Linux. The problem is that the test for
libmysqlclient fails with an undefined reference to compress and uncompress.
It appears that the configure.in file should have $old_LIBS after the
-lmysqlclient to pick up the -lz that's found earlier in configure.

On FreeBSD this build was not able to find the ``floor'' function in the
math libraries until I added ``-lm'' to LIBS before starting the build.

Looking at the src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in file,
I would think that $mysql_lib_dir should be at the beginning of the list of
directories to check rather than the end. The mysql configuration succeeds
with the attached patch.

Bill
--
INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Systems, Inc.
UUCP:     camco!bill             PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186         Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

If you think health care is expensive now, wait until you see what it costs
when it's free -- P.J. O'Rourke

diff -uNr /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure --- /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure 2003-09-04 11:14:18.0 -0400 +++ ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure 2003-11-26 16:10:33.0 -0500 
@@ -978,8 +978,8 @@ old_LIBS="$LIBS" - for try in /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql $mysql_lib_dir; do - LIBS="$old_LIBS -L$try -lmysqlclient" + for try in $mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql; do + LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* - MYSQL_LIBS="-L$try -lmysqlclient" + MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS" else echo "configure: failed program was:" >&5 cat conftest.$ac_ext >&5 diff -uNr /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in --- /csoft/RPM/TMP/freeradius-0.9.3.orig/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in 2001-07-11 16:38:09.0 -0400 +++ ./src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.in2003-11-26 16:10:55.0 -0500 @@ -70,10 +70,10 @@ dnlAC_LOCATE_DIR(mysql_lib_dir,[libmysqlclient.so]) dnlAC_LOCATE_DIR(mysql_lib_dir,[libmysqlclient.a]) - for try in /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql $mysql_lib_dir; do - LIBS="$old_LIBS -L$try -lmysqlclient" + for try in $mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql; do + LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS" AC_TRY_LINK([extern char mysql_init();], [mysql_init()], - MYSQL_LIBS="-L$try -lmysqlclient", + MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS", MYSQL_LIBS= ) if test "x$MYSQL_LIBS" != "x"; then
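Review bot: the `@@ -978,8 +978,8 @@` hunk hand-edits the generated `configure` script while the second hunk makes the identical change to `configure.in`; the generated file should be regenerated with autoconf from the edited `configure.in` rather than carried as a separate hand-patched hunk, otherwise the two drift apart the next time anyone regenerates it. The logic of this hunk is the same as the `configure.in` hunk, so the remarks on that hunk apply here as well.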
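Review bot: in the `configure.in` hunk, `LIBS="$old_LIBS -L$try -lmysqlclient $old_LIBS"` puts `$old_LIBS` on both sides of `-lmysqlclient`, and only the trailing copy is needed: the undefined `compress`/`uncompress` references come from libmysqlclient and are resolved by the `-lz` that follows it, so the leading copy merely doubles every library on the test link line. The same goes for `MYSQL_LIBS="-L$try -lmysqlclient $old_LIBS"`, which folds the whole of `$LIBS` into the module's own link flags even though `$LIBS` is appended again at link time; a narrower fix is to probe for the one library that is actually missing, for example with `AC_CHECK_LIB(z, compress)`, and add only `-lz` to `MYSQL_LIBS`. Moving `$mysql_lib_dir` to the front of the `for try in` list is the right priority, but with the two `AC_LOCATE_DIR` lines commented out by `dnl` in the context above it is only populated by whatever earlier code handles the directory option, so for builds that do not specify it the search order is unchanged.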
Re: 0.9.3 has been released
Paul,
Here is the email I am referring to:

http://lists.cistron.nl/pipermail/freeradius-users/2003-July/021375.html

The dependencies of concern are: freetype fonts, gtk, xfree86, xlibs. Those
deps were from Debian Woody; I didn't actually test if those dependencies
had been removed in Sarge since the Debian servers were down. As soon as the
Debian servers are back up to normal, I'll try to use your .deb packages and
see what dependencies are required.

Thanks!
Nick

On Friday 21 November 2003 20:58, Paul Hampson wrote:
> On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
> > On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> >
> > Paul,
> >
> > I see that these deb packages have the same dependency issues we
> > discussed in September with libiodbc2 and libltdl3. The Depends says:
> > freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
> > Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
> > freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is
> > installed
>
> To be honest, I don't remember discussing this in September, but my mail
> archives are currently in transit, so I can't check what I said.
>
> According to my local Debian mirror (mirror.aarnet.edu.au), the current
> libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7,
> and the current zlib1g is 1:1.2.1-1
>
> > I am running Sarge, and I tried to search through unstable. Where do
> > those versions of those libraries come from? Several of the debian web
> > servers have been compromised and are down for inspection, so I am not
> > able to search for the necessary versions of these libraries.
>
> Ah, that's the problem, testing's not up to date on these libraries.
>
> Since we're going for Debian archive acceptance, they have to be built
> against unstable. I may have previously built against testing, but I
> don't think I put those binaries anywhere, as they were built on a
> powerpc machine.
>
> On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
> > All,
> > I posted new versions of my slimmed down debian packages:
> > http://mrtizmo.com/freeradius/index.html
> >
> > The big thing I did was to remove the need for iodbc, since it has a lot
> > of nasty dependencies.
>
> Apart from libc6, what other dependencies are you seeing from libiodbc2?
>
> (My unstable build machine is currently also in transit, so I can't
> check that myself. Last time I tried to get iodbc broken out into its
> own package, the lack of interesting dependencies was the deciding
> factor. I do intend to readdress this issue once we're in the Debian
> archive)
>
> --
> Paul "TBBle" Hampson, from an alternate email client.

--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: 0.9.3 has been released
On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
> On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> > As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> > rlm_eap has been silenced in the case where it is called upon a non-EAP
> > packet.
> >
> > There are packages for Debian at
> > http://www.tbble.com/freeradius/
> > They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> > muck with the new source archive; and (b) we're >< this close to getting
> > into Debian/unstable so I don't want to muck with things too much until
> > that's done.
> >
> > Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> > are the same as the 0.9.3 tarball above, but with major Debian packaging
> > improvements (big thanks to Steve Langasek for his guidance here) which
> > will hopefully go into 1.0.0 and 0.9.4's tarballs.
>
> Paul,
> I see that these deb packages have the same dependency issues we discussed in
> September with libiodbc2 and libltdl3. The Depends says:
> freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
> Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
> freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

To be honest, I don't remember discussing this in September, but my mail
archives are currently in transit, so I can't check what I said.

According to my local Debian mirror (mirror.aarnet.edu.au), the current
libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7,
and the current zlib1g is 1:1.2.1-1

> I am running Sarge, and I tried to search through unstable. Where do those
> versions of those libraries come from? Several of the debian web servers have
> been compromised and are down for inspection, so I am not able to search for
> the necessary versions of these libraries.

Ah, that's the problem, testing's not up to date on these libraries.

Since we're going for Debian archive acceptance, they have to be built
against unstable. I may have previously built against testing, but I don't
think I put those binaries anywhere, as they were built on a powerpc
machine.

On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
> All,
> I posted new versions of my slimmed down debian packages:
> http://mrtizmo.com/freeradius/index.html
>
> The big thing I did was to remove the need for iodbc, since it has a lot of
> nasty dependencies.

Apart from libc6, what other dependencies are you seeing from libiodbc2?

(My unstable build machine is currently also in transit, so I can't check
that myself. Last time I tried to get iodbc broken out into its own
package, the lack of interesting dependencies was the deciding factor. I do
intend to readdress this issue once we're in the Debian archive)

--
Paul "TBBle" Hampson, from an alternate email client.
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Alan DeKok wrote:
> Bill Campbell <[EMAIL PROTECTED]> wrote:
> > > For uint8_t arrays, the 'sizeof' the array is the number of elements.
> >
> > OK. While that may be the case for uint8_t, it seems to me that good
> > coding practice is to use sizeof here and not depend on knowledge of the
> > internal size of the elements.
>
> The problem is that the fields are defined in relation to the
> protocol: 16 octets. sizeof() is a C programming construct, and thus
> there may be padding in a struct. We do not want that padding to
> affect the program's ability to generate or parse 16 octet fields.

Perhaps it would be good to put some comments in radius.c explaining this,
and be consistent in its use. This could save some head scratching in the
future, particularly if somebody (like me) who's not all that familiar with
the code is looking at it.

Bill
--
INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Software LLC
UUCP:     camco!bill             PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186         Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

``Never blame a legislative body for not doing something. When they do
nothing, that don't hurt anybody. When they do something is when they
become dangerous.'' Will Rogers
Re: 0.9.3 has been released
Bill Campbell <[EMAIL PROTECTED]> wrote:
> > For uint8_t arrays, the 'sizeof' the array is the number of elements.
>
> OK. While that may be the case for uint8_t, it seems to me that good
> coding practice is to use sizeof here and not depend on knowledge of the
> internal size of the elements.

The problem is that the fields are defined in relation to the protocol: 16
octets. sizeof() is a C programming construct, and thus there may be padding
in a struct. We do not want that padding to affect the program's ability to
generate or parse 16 octet fields.

Alan DeKok.
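As an added illustration of the sizeof() versus AUTH_VECTOR_LEN point in this exchange, the program below is example code written for this page, not FreeRADIUS's radius.c. It shows the three cases that matter: sizeof a local uint8_t[16] array really is 16 (Alan's point); the same array passed into a function has decayed to a pointer, so sizeof there is the pointer size and a memcmp using it compares only the first 4 or 8 octets (the practical reason a protocol constant is safer); and a struct that mixes field widths picks up padding, so sizeof(struct) stops matching the octets on the wire. The struct layouts, the demo function and the non-short-circuiting comparison are my own choices; FreeRADIUS of this era used memcmp() for the comparison.

```c
/*
 * Added example (not FreeRADIUS code): sizeof() versus a protocol-defined
 * length such as AUTH_VECTOR_LEN for the 16-octet RADIUS Authenticator.
 * Build: cc -std=c99 -Wall auth_vector_len.c && ./a.out
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_VECTOR_LEN 16   /* RFC 2865: the Authenticator field is 16 octets */

/* RFC 2865 header: Code, Identifier, Length, Authenticator = 20 octets.
 * This particular struct has no padding on mainstream ABIs, because the
 * uint16_t already sits on a 2-byte boundary. */
typedef struct {
    uint8_t  code;
    uint8_t  id;
    uint16_t length;
    uint8_t  vector[AUTH_VECTOR_LEN];
} radius_hdr_t;

/* Hypothetical "convenient" layout: the compiler pads before the uint32_t,
 * so sizeof(struct) no longer equals the number of octets on the wire.
 * Copying sizeof(padded_hdr_t) bytes would copy padding, not protocol data. */
typedef struct {
    uint8_t  code;
    uint32_t flags;
    uint8_t  vector[AUTH_VECTOR_LEN];
} padded_hdr_t;

/* Case 1 (Alan's point): for a local uint8_t array, sizeof is the element
 * count, so sizeof(calc_auth_vector) == AUTH_VECTOR_LEN here. */
size_t sizeof_local_vector(void)
{
    uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
    memset(calc_auth_vector, 0, sizeof(calc_auth_vector));
    return sizeof(calc_auth_vector);
}

/* Case 2 (the trap): once the array is passed to a function it has decayed
 * to a pointer; spelling the parameter `uint8_t vector[AUTH_VECTOR_LEN]`
 * changes nothing. sizeof(vector) is now 4 or 8, so a memcpy or memcmp that
 * uses it silently handles only the first few octets of the authenticator. */
size_t sizeof_param_vector(const uint8_t *vector)
{
    return sizeof(vector);
}

/* The protocol constant is the same no matter where the buffer lives. */
size_t protocol_vector_len(void)
{
    return AUTH_VECTOR_LEN;
}

/* Compare two authenticators over exactly AUTH_VECTOR_LEN octets. The loop
 * deliberately never exits early, so the time taken does not reveal how many
 * leading octets matched (my choice; the original code used memcmp()). */
int auth_vectors_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < AUTH_VECTOR_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Two constructed vectors differing only in the last octet: a compare that
 * used sizeof(pointer) calls them equal, the protocol-length compare does
 * not. Returns 1 when the full-length compare behaves correctly. */
int demo_last_octet_differs(void)
{
    uint8_t a[AUTH_VECTOR_LEN] = {0}, b[AUTH_VECTOR_LEN] = {0};
    b[AUTH_VECTOR_LEN - 1] = 1;
    int truncated_equal = memcmp(a, b, sizeof_param_vector(a)) == 0;  /* wrongly 1 */
    return truncated_equal && auth_vectors_equal(a, a) && !auth_vectors_equal(a, b);
}

int main(void)
{
    printf("sizeof(radius_hdr_t) = %zu (20 octets on the wire)\n", sizeof(radius_hdr_t));
    printf("sizeof(padded_hdr_t) = %zu (not 1+4+16 = 21)\n", sizeof(padded_hdr_t));
    printf("sizeof local array   = %zu\n", sizeof_local_vector());
    printf("sizeof as parameter  = %zu (pointer size, not 16)\n", sizeof_param_vector(NULL));
    printf("protocol length      = %zu\n", protocol_vector_len());
    printf("full-length compare catches a last-octet difference: %d\n", demo_last_octet_differs());
    return 0;
}
```

The practical rule that falls out of this: sizeof() is fine on an array whose definition is in scope, but every helper that receives the authenticator as a parameter must use AUTH_VECTOR_LEN, and a comment at the definition saying so is cheaper than the bug.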
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Alan DeKok wrote:
> Bill Campbell <[EMAIL PROTECTED]> wrote:
> > On a related security note, the src/lib/radius.c program has several
> > references to msg_auth_vector and calc_auth_vector starting around line
> > 1108 with several memcpy and memcmp operations, some of which use
> > sizeof(calc_auth_vector) for the length, others AUTH_VECTOR_LEN.
> > Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
> > doubt these lengths would be the same.
>
> Huh? Why?
>
> For uint8_t arrays, the 'sizeof' the array is the number of elements.

OK. While that may be the case for uint8_t, it seems to me that good coding
practice is to use sizeof here and not depend on knowledge of the internal
size of the elements. I may be a bit paranoid about this, because I've been
known to shoot myself in the feet as a result of structure padding and such.

Bill
--
INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Software LLC
UUCP:     camco!bill             PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186         Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

``The trouble with fighting for human freedom is that one spends most of
one's time defending scoundrels. For it is against scoundrels that oppressive
laws are first aimed, and oppression must be stopped at the beginning if it
is to be stopped at all.'' -- H. L. Mencken
Re: 0.9.3 has been released
At 12:26 PM 11/21/2003, Bill Campbell wrote:
> On Fri, Nov 21, 2003, Chris Parker wrote:
> > At 11:18 AM 11/21/2003, Bill Campbell wrote:
> > > On Fri, Nov 21, 2003, Alan DeKok wrote:
> > > > Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > > > > With that said, 0.9.3 has been released. It's in the normal places:
> > > > >
> > > > > I submitted a security report and a new package ebuild to the gentoo
> > > > > ( http://gentoo.org/ ) community.
> > > >
> > > > Thanks. This just re-iterates my belief that RADIUS servers should be
> > > > on private networks, far away from any possible source of malicious
> > > > packets.
> > >
> > > Either that, or packet filters that restrict the hosts that can
> > > access the radius servers.
> >
> > Wouldn't work in this case, since packets are UDP, a packet with a spoofed
> > source of a valid client will pass the filter. :\ All you'd need to
> > DOS a radius server is a valid client IP. The RADIUS protocol makes
> > it very hard to enforce additional restrictions, as the packet format
> > is all in cleartext ( excepting certain Password attributes ) with
> > no validation or signing.
>
> It's kinda hard to have the radius server on a private network if it's
> doing authentication for wholesale dialup connections :-).

Yes. Kinda a problem there. However, an Auth-Req from a proxy target will
not match the clients list and will be discarded. You could run a private
network between the NAS and the Radius, but then Radius running on
multihomed systems has always been interesting. Certainly doable though,
given enough time. IPSec is another tool that could help.

> Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
> and Nortel makes it difficult to get updated software.

That's a problem with Nortel. If the rest of the world can figure out how to
do Radius securely and safely, we shouldn't compromise the whole for the few
that can't figure out how to follow the RFC's.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. -- WX *is* Wireless! -- http://www.starnetwx.net -- (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: 0.9.3 has been released
Bill Campbell <[EMAIL PROTECTED]> wrote:
> On a related security note, the src/lib/radius.c program has several
> references to msg_auth_vector and calc_auth_vector starting around line
> 1108 with several memcpy and memcmp operations, some of which use
> sizeof(calc_auth_vector) for the length, others AUTH_VECTOR_LEN.
> Given that msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I
> doubt these lengths would be the same.

Huh? Why?

For uint8_t arrays, the 'sizeof' the array is the number of elements.

Alan DeKok.
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Chris Parker wrote:
> At 11:18 AM 11/21/2003, Bill Campbell wrote:
> > On Fri, Nov 21, 2003, Alan DeKok wrote:
> > > Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > > > With that said, 0.9.3 has been released. It's in the normal places:
> > > >
> > > > I submitted a security report and a new package ebuild to the gentoo
> > > > ( http://gentoo.org/ ) community.
> > >
> > > Thanks. This just re-iterates my belief that RADIUS servers should be
> > > on private networks, far away from any possible source of malicious
> > > packets.
> >
> > Either that, or packet filters that restrict the hosts that can
> > access the radius servers.
>
> Wouldn't work in this case, since packets are UDP, a packet with a spoofed
> source of a valid client will pass the filter. :\ All you'd need to
> DOS a radius server is a valid client IP. The RADIUS protocol makes
> it very hard to enforce additional restrictions, as the packet format
> is all in cleartext ( excepting certain Password attributes ) with
> no validation or signing.

It's kinda hard to have the radius server on a private network if it's
doing authentication for wholesale dialup connections :-).

> The Message-Authenticator value would serve this purpose, however
> it is not required, and as such doesn't help in this case, either,
> and won't until or unless it is made mandatory. That would then
> break old clients/servers that don't support Message-Authenticator.
>
> http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
and Nortel makes it difficult to get updated software.

Bill
--
INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Software LLC
UUCP:     camco!bill             PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186         Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

``No matter how much I may exaggerate it, it must have a certain amount of
truth...Now rumor travels fast but it don't stay put as long as truth''
Will Rogers
Re: 0.9.3 has been released
At 11:18 AM 11/21/2003, Bill Campbell wrote:
> On Fri, Nov 21, 2003, Alan DeKok wrote:
> > Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > > With that said, 0.9.3 has been released. It's in the normal places:
> > >
> > > I submitted a security report and a new package ebuild to the gentoo
> > > ( http://gentoo.org/ ) community.
> >
> > Thanks. This just re-iterates my belief that RADIUS servers should be
> > on private networks, far away from any possible source of malicious
> > packets.
>
> Either that, or packet filters that restrict the hosts that can access
> the radius servers.

Wouldn't work in this case, since packets are UDP, a packet with a spoofed
source of a valid client will pass the filter. :\ All you'd need to DOS a
radius server is a valid client IP. The RADIUS protocol makes it very hard
to enforce additional restrictions, as the packet format is all in cleartext
( excepting certain Password attributes ) with no validation or signing.

The Message-Authenticator value would serve this purpose, however it is not
required, and as such doesn't help in this case, either, and won't until or
unless it is made mandatory. That would then break old clients/servers that
don't support Message-Authenticator.

http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

The light at the end of the tunnel is that it *was* made mandatory for any
packet with EAP-Message attributes.

-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. -- WX *is* Wireless! -- http://www.starnetwx.net -- (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: 0.9.3 has been released
On Fri, Nov 21, 2003, Alan DeKok wrote:
> Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > With that said, 0.9.3 has been released. It's in the normal places:
> >
> > I submitted a security report and a new package ebuild to the gentoo
> > ( http://gentoo.org/ ) community.
>
> Thanks. This just re-iterates my belief that RADIUS servers should be
> on private networks, far away from any possible source of malicious
> packets.

Either that, or packet filters that restrict the hosts that can access the
radius servers.

On a related security note, the src/lib/radius.c program has several
references to msg_auth_vector and calc_auth_vector starting around line 1108
with several memcpy and memcmp operations, some of which use
sizeof(calc_auth_vector) for the length, others AUTH_VECTOR_LEN. Given that
msg_auth_vector is an array of uint8_t size AUTH_VECTOR_LEN, I doubt these
lengths would be the same.

Bill
--
INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Systems, Inc.
UUCP:     camco!bill             PO Box 820; 6641 E. Mercer Way
FAX:      (206) 232-9186         Mercer Island, WA 98040-0820; (206) 236-1676
URL:      http://www.celestial.com/

``The meek shall inherit the Earth, the rest of us will go to the stars...''
-Dr. Isaac Asimov
Re: 0.9.3 has been released
Oliver Graf <[EMAIL PROTECTED]> wrote:
> > With that said, 0.9.3 has been released. It's in the normal places:
>
> I submitted a security report and a new package ebuild to the gentoo
> ( http://gentoo.org/ ) community.

Thanks. This just re-iterates my belief that RADIUS servers should be on
private networks, far away from any possible source of malicious packets.

Alan DeKok.
Re: 0.9.3 has been released
On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> rlm_eap has been silenced in the case where it is called upon a non-EAP
> packet.
>
> There are packages for Debian at
> http://www.tbble.com/freeradius/
> They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> muck with the new source archive; and (b) we're >< this close to getting
> into Debian/unstable so I don't want to muck with things too much until
> that's done.
>
> Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> are the same as the 0.9.3 tarball above, but with major Debian packaging
> improvements (big thanks to Steve Langasek for his guidance here) which
> will hopefully go into 1.0.0 and 0.9.4's tarballs.
>
> --

Paul,

Ignore the previous msg, I put Dec instead of Sept in the first line.

I see that these deb packages have the same dependency issues we discussed in
September with libiodbc2 and libltdl3. The Depends says:
freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
            Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

I am running Sarge, and I tried to search through unstable. Where do those
versions of those libraries come from? Several of the debian web servers have
been compromised and are down for inspection, so I am not able to search for
the necessary versions of these libraries.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

I am going to get the cvs and build my own deb packages without these
dependencies and without the extra modules like before, but I just wanted to
see what your current thoughts are on this issue.

Thanks for your work!

Nick
--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: 0.9.3 has been released
On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> rlm_eap has been silenced in the case where it is called upon a non-EAP
> packet.
>
> There are packages for Debian at
> http://www.tbble.com/freeradius/
> They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> muck with the new source archive; and (b) we're >< this close to getting
> into Debian/unstable so I don't want to muck with things too much until
> that's done.
>
> Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> are the same as the 0.9.3 tarball above, but with major Debian packaging
> improvements (big thanks to Steve Langasek for his guidance here) which
> will hopefully go into 1.0.0 and 0.9.4's tarballs.
>
> --

Paul,

I see that these deb packages have the same dependency issues we discussed in
December with libiodbc2 and libltdl3. The Depends says:
freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
            Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

I am running Sarge, and I tried to search through unstable. Where do those
versions of those libraries come from? Several of the debian web servers have
been compromised and are down for inspection, so I am not able to search for
the necessary versions of these libraries.

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

I am going to get the cvs and build my own deb packages without these
dependencies and without the extra modules like before, but I just wanted to
see what your current thoughts are on this issue.

Thanks for your work!

Nick
--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: 0.9.3 has been released
Dear Alan DeKok,

--Thursday, November 20, 2003, 11:51:13 PM, you wrote to [EMAIL PROTECTED]:

AD> As it turns out, however, the problem isn't as bad as it could have
AD> been. The bug he reported can cause the server to crash, but is
AD> difficult to exploit. Any attack code MUST be in the form of a valid
AD> RADIUS packet, which significantly limits the possible exploits.

AD> However, there was another bug which the reporter did NOT discover,
AD> which causes the server to de-reference a NULL pointer, and thus
AD> crash, whenever an Access-Request packet containing a Tunnel-Password
AD> attribute is received.

Neither bug is exploitable to code execution (the first one because the
target buffer is on the heap, not on the stack, and it's impossible to
overwrite a local variable inside memcpy, as in the case of the
apache-nosejob exploit, so memcpy will always segfault and never return).
It's fully identical to bug (2) described in
http://www.security.nnov.ru/search/document.asp?docid=2578

Either I missed this bug during the audit 1.5 years ago or it was introduced
later. At the time of the audit, the tunneling support code was present in
the sources in a non-working state.

--
~/ZARAZA
Man is a mystery... I occupy myself with this mystery in order to be a man.
(Dostoevsky)
Re: 0.9.3 has been released
On Thu, Nov 20, 2003 at 03:51:13PM -0500, Alan DeKok wrote:
> Bug reports are nice. Lack of notification is stupid.
>
> With that said, 0.9.3 has been released. It's in the normal places:

I submitted a security report and a new package ebuild to the gentoo
( http://gentoo.org/ ) community.

Oliver.
RE: 0.9.3 has been released
> From: Alan DeKok
> Sent: Friday, 21 November 2003 7:51 AM
> Bug reports are nice. Lack of notification is stupid.
> With that said, 0.9.3 has been released. It's in the normal places:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
>
> With PGP signature at:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
>
> It is just 0.9.2 with a bug fixed, and the version number updated.

As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
rlm_eap has been silenced in the case where it is called upon a non-EAP
packet.

There are packages for Debian at
http://www.tbble.com/freeradius/
They're numbered 0.9.2-4 since (a) I'm moving and don't have time to muck
with the new source archive; and (b) we're >< this close to getting into
Debian/unstable so I don't want to muck with things too much until that's
done.

Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
are the same as the 0.9.3 tarball above, but with major Debian packaging
improvements (big thanks to Steve Langasek for his guidance here) which will
hopefully go into 1.0.0 and 0.9.4's tarballs.

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus',
and someone else wrote `But Cut the Cards'.
Re: 0.9.3 has been released
"Kaczmarek, Thaddeus" <[EMAIL PROTECTED]> wrote:
> On Redhat 9 upgrading whacked my dictionary entries.
> I had to redo /etc/raddb/dictionary.

I don't see why. The server does NOT replace /etc/raddb/dictionary, EVER.

The location of the dictionaries changed in 0.9.0, but that was a while ago.

Alan DeKok.
Re: 0.9.3 has been released
On Redhat 9 upgrading whacked my dictionary entries.
I had to redo /etc/raddb/dictionary.

Ted

On Thu, 2003-11-20 at 16:43, Matthew Schumacher wrote:
> Alan,
>
> Thanks for your hard work... we all appreciate it.
>
> Alan DeKok wrote:
> > Bug reports are nice. Lack of notification is stupid.
> >
> > With that said, 0.9.3 has been released. It's in the normal places:
> >
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
> >
> > With PGP signature at:
> >
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
> >
> > It is just 0.9.2 with a bug fixed, and the version number updated.
> >
> > The original reporter threatened to release an exploit when I told
> > him I was unhappy with his lack of notification prior to the public
> > release of the vulnerability information. Blackmail is stupid.
> >
> > As it turns out, however, the problem isn't as bad as it could have
> > been. The bug he reported can cause the server to crash, but is
> > difficult to exploit. Any attack code MUST be in the form of a valid
> > RADIUS packet, which significantly limits the possible exploits.
> >
> > However, there was another bug which the reporter did NOT discover,
> > which causes the server to de-reference a NULL pointer, and thus
> > crash, whenever an Access-Request packet containing a Tunnel-Password
> > attribute is received.
> >
> > Both bugs have been fixed in 0.9.3, and in the CVS head.
> >
> > We recommend that everyone upgrade to 0.9.3 as soon as possible.
> >
> > Alan DeKok.
Re: 0.9.3 has been released
[EMAIL PROTECTED] wrote:
> Do either of these bugs affect (within the best of your ability to guess,
> of course!) versions of FR prior to 0.9? (All other good reasons to
> upgrade to 0.9 notwithstanding...)

I've done a quick check, and it's there since at least 0.4.

Alan DeKok.
Re: 0.9.3 has been released
Alan,

Thanks for your hard work... we all appreciate it.

Alan DeKok wrote:
> Bug reports are nice. Lack of notification is stupid.
>
> With that said, 0.9.3 has been released. It's in the normal places:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
>
> With PGP signature at:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
>
> It is just 0.9.2 with a bug fixed, and the version number updated.
>
> The original reporter threatened to release an exploit when I told
> him I was unhappy with his lack of notification prior to the public
> release of the vulnerability information. Blackmail is stupid.
>
> As it turns out, however, the problem isn't as bad as it could have
> been. The bug he reported can cause the server to crash, but is
> difficult to exploit. Any attack code MUST be in the form of a valid
> RADIUS packet, which significantly limits the possible exploits.
>
> However, there was another bug which the reporter did NOT discover,
> which causes the server to de-reference a NULL pointer, and thus
> crash, whenever an Access-Request packet containing a Tunnel-Password
> attribute is received.
>
> Both bugs have been fixed in 0.9.3, and in the CVS head.
>
> We recommend that everyone upgrade to 0.9.3 as soon as possible.
>
> Alan DeKok.
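The second bug in the announcement quoted above is triggered by a well-formed Access-Request that carries a Tunnel-Password attribute, a combination that RFC 2868 does not define for requests (the attribute is meant for Access-Accept). Until every server is on 0.9.3, a packet filter or IDS in front of a RADIUS port can drop exactly that combination and alert on it. The C below is an added example of such a pre-filter; it is not FreeRADIUS code and was not posted by anyone in this thread. The packet-code and attribute-type constants come from RFC 2865 and RFC 2868; `inspect_radius`, `build_packet`, `demo_verdict` and the sample packet contents are constructed for this example. The checker validates every length before using it so that a malformed packet cannot crash the checker the way the advisory says it crashes the server.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2865 / RFC 2868 constants (not taken from the FreeRADIUS source). */
#define RADIUS_ACCESS_REQUEST 1
#define RADIUS_ACCESS_ACCEPT  2
#define RADIUS_HDR_LEN        20   /* code(1) id(1) length(2) authenticator(16) */
#define RADIUS_MAX_LEN        4096
#define ATTR_USER_NAME        1
#define ATTR_TUNNEL_PASSWORD  69

enum verdict {
    VERDICT_OK = 0,                  /* well-formed, nothing to flag */
    VERDICT_MALFORMED = 1,           /* violates RFC 2865 length rules: drop */
    VERDICT_TUNNEL_PW_IN_REQUEST = 2 /* Access-Request carrying Tunnel-Password: drop and alert */
};

/* Walk the attribute list; every length is checked against the buffer and the
 * declared packet length before it is used. */
enum verdict inspect_radius(const uint8_t *pkt, size_t buflen)
{
    if (pkt == NULL || buflen < RADIUS_HDR_LEN)
        return VERDICT_MALFORMED;

    uint8_t code = pkt[0];
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > buflen || declared > RADIUS_MAX_LEN)
        return VERDICT_MALFORMED;

    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2)              /* room for type + length bytes? */
            return VERDICT_MALFORMED;
        uint8_t type = pkt[off];
        uint8_t len  = pkt[off + 1];         /* RFC 2865: includes the two header bytes */
        if (len < 2 || len > declared - off) /* never follow a length past the packet */
            return VERDICT_MALFORMED;
        if (code == RADIUS_ACCESS_REQUEST && type == ATTR_TUNNEL_PASSWORD)
            return VERDICT_TUNNEL_PW_IN_REQUEST;
        off += len;
    }
    return VERDICT_OK;
}

/* Build a constructed one-attribute packet for the demonstration below. */
static size_t build_packet(uint8_t *out, size_t cap, uint8_t code,
                           uint8_t attr_type, const uint8_t *val, size_t vlen)
{
    size_t total = RADIUS_HDR_LEN + 2 + vlen;
    if (vlen > 253 || total > cap)
        return 0;
    memset(out, 0, total);                   /* authenticator left zero: placeholder only */
    out[0] = code;
    out[1] = 0x42;                           /* constructed identifier */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    out[RADIUS_HDR_LEN]     = attr_type;
    out[RADIUS_HDR_LEN + 1] = (uint8_t)(2 + vlen);
    memcpy(out + RADIUS_HDR_LEN + 2, val, vlen);
    return total;
}

/* Constructed sample values: Tunnel-Password uses the RFC 2868 layout (tag, 2-byte salt, data). */
static const uint8_t kTunnelPw[] = { 0x00, 0x12, 0x34, 'c','o','n','s','t','r','u','c','t','e','d' };
static const uint8_t kUserName[] = { 'a','l','i','c','e' };

/* Build one sample packet and inspect it; a non-zero corrupt_len overwrites the
 * attribute length byte to simulate a packet whose attribute overruns its end. */
enum verdict demo_verdict(uint8_t code, uint8_t attr_type, uint8_t corrupt_len)
{
    uint8_t buf[64];
    const uint8_t *val = (attr_type == ATTR_TUNNEL_PASSWORD) ? kTunnelPw : kUserName;
    size_t vlen = (attr_type == ATTR_TUNNEL_PASSWORD) ? sizeof kTunnelPw : sizeof kUserName;
    size_t n = build_packet(buf, sizeof buf, code, attr_type, val, vlen);
    if (corrupt_len)
        buf[RADIUS_HDR_LEN + 1] = corrupt_len;
    return inspect_radius(buf, n);
}

int main(void)
{
    printf("Access-Request + Tunnel-Password: %d\n",
           demo_verdict(RADIUS_ACCESS_REQUEST, ATTR_TUNNEL_PASSWORD, 0));   /* 2: drop and alert */
    printf("Access-Request + User-Name:       %d\n",
           demo_verdict(RADIUS_ACCESS_REQUEST, ATTR_USER_NAME, 0));         /* 0: pass */
    printf("Access-Accept  + Tunnel-Password: %d\n",
           demo_verdict(RADIUS_ACCESS_ACCEPT, ATTR_TUNNEL_PASSWORD, 0));    /* 0: legitimate */
    printf("attribute length overrun:         %d\n",
           demo_verdict(RADIUS_ACCESS_REQUEST, ATTR_USER_NAME, 200));       /* 1: malformed */
    return 0;
}
```

Only the Access-Request case is flagged, because Tunnel-Password in an Access-Accept is normal tunnel provisioning and dropping it would break working deployments. The overrun check matters as much as the attribute check: a filter that trusts the attribute length byte would reproduce the class of bug it is meant to shield.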
Re: 0.9.3 has been released
Kevin Bonner <[EMAIL PROTECTED]> wrote:
> > ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
>
> I don't see this file yet. Still creating/uploading, or just overlooked in
> the frenzy of releasing as quick as possible?

Overlooked, sorry. It should be there now.

Alan DeKok.
Re: 0.9.3 has been released
[EMAIL PROTECTED] wrote on 11/20/2003 02:51:13 PM:
> Bug reports are nice. Lack of notification is stupid.
>
> With that said, 0.9.3 has been released. It's in the normal places:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
>
> With PGP signature at:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig
>
> It is just 0.9.2 with a bug fixed, and the version number updated.
>
> The original reporter threatened to release an exploit when I told
> him I was unhappy with his lack of notification prior to the public
> release of the vulnerability information. Blackmail is stupid.
>
> As it turns out, however, the problem isn't as bad as it could have
> been. The bug he reported can cause the server to crash, but is
> difficult to exploit. Any attack code MUST be in the form of a valid
> RADIUS packet, which significantly limits the possible exploits.
>
> However, there was another bug which the reporter did NOT discover,
> which causes the server to de-reference a NULL pointer, and thus
> crash, whenever an Access-Request packet containing a Tunnel-Password
> attribute is received.
>
> Both bugs have been fixed in 0.9.3, and in the CVS head.
>
> We recommend that everyone upgrade to 0.9.3 as soon as possible.

Do either of these bugs affect (within the best of your ability to guess,
of course!) versions of FR prior to 0.9? (All other good reasons to
upgrade to 0.9 notwithstanding...)

Just trying to gauge if I should put this on the "do soon" pile, or the
"do right now" pile.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center
(312) 942-4242

"When I was four I wanted an Action Man armoured personnel carrier. I didn't
have any genuine Action Men - my parents couldn't afford them; instead of a
professional army I had a ragtag band of Korean and Chinese irregulars whose
political commitment, I hoped, made up for their having no knee or elbow
joints."
-- Mil Millington
Re: 0.9.3 has been released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for pushing the fix out quickly, given the short notice.

> With PGP signature at:
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz.sig

I don't see this file yet. Still creating/uploading, or just overlooked in
the frenzy of releasing as quick as possible?

Kevin Bonner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/vS9J/9i/ml3OBYMRAlY9AJoDBu823UA8HUFGpiq6pPwtW2bUKQCgk9OS
KLCtpkG614JXtAKnbRrkj70=
=VLbK
-----END PGP SIGNATURE-----