RE: FreeRadius Security hole

2002-02-19 Thread Scott Pell

Nope...in the makefile, it looks like he grabs a snapshot and puts it on
an approved server.  I let him know that a fixed version is up on the
*real* CVS.  Now that he knows, we'll probably see a pretty quick fix.
Many of the ports do point to the proper CVS, so I don't see why this
would differ.

You *may* want to send him a little note of encouragement to that
effect.  Developer carries a lot more weight than general user flunky.

sp

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Alan DeKok
> Sent: Tuesday, February 19, 2002 12:43 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: FreeRadius Security hole 
> 
> 
> "Scott Pell" <[EMAIL PROTECTED]> wrote:
> ...
> 
>   I just noticed something else:
> 
> > > Trying update and install this port...getting the following: ===>
> > freeradius-devel-20010310 is forbidden: Remotely exploitable buffer
> 
>   Does FreeBSD *really* include the March, 2001 version 
> snapshot of the server?
> 
>   If so, why?  That is NOT from an official release, it 
> appears to be from a CVS snapshot!
> 
>   If FreeBSD is including a CVS snapshot of FreeRADIUS in 
> their 'ports' section, then they SHOULD NOT include a version 
> that's nearly a year old.  They should upgrade it to the 
> latest snapshot, which has been fixed for almost 3 months now.
> 
>   We will have an official release soon which "officially" 
> fixes the problem.
> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
> ---
> Incoming mail 
> is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.324 / Virus Database: 181 - Release Date: 2/14/2002
>  
> 




RE: FreeRadius Security hole

2002-02-19 Thread Scott Pell

Thanks!  I will let the port manager know.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Alan DeKok
> Sent: Tuesday, February 19, 2002 12:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRadius Security hole 
> 
> 
> "Scott Pell" <[EMAIL PROTECTED]> wrote:
> > I am trying to load up the latest snapshot of FreeRadius, 
> but I have 
> > been warned by FreeBSD developers to not run the released version 
> > because of the remotely exploitable buffer overflow security hole.
> 
>   Yeah, the latest CVS snapshot should be OK.  The fix was done in
> November:
> 
> http://www.freeradius.org/cvs-log/2001/2001-11-30.09:00:00.html
> 
> > Is there a patch that covers this?  If so, we can get guys to take the
> > security hold off of the port.  If not, is there a timeframe to fix?
> 
>   It's fixed in the latest CVS snapshot.  We haven't released another
> version yet.
> 
>   Hmm... we should probably release another version soon.
> 
>   Alan DeKok.




Re: FreeRadius Security hole

2002-02-19 Thread Alan DeKok

"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> > Is there a patch that covers this?  If so, we can get guys to take the
> > security hold off of the port.  If not, is there a timeframe to fix?
> 
>   It's fixed in the latest CVS snapshot.  We haven't released another
> version yet.

  Sorry to follow up again... I had to double-check the archives.  My
memory isn't what it used to be.


  Version 0.4 of FreeRADIUS was released in December.  It has no known
buffer over-runs or exploits.  The FreeBSD ports collection should be
upgraded to use 0.4, from:

  ftp://ftp.freeradius.org/pub/radius/freeradius-0.4.tar.gz

  If a NEWER version of the software has been released, the 0.4
version will be moved to:

  ftp://ftp.freeradius.org/pub/radius/old/freeradius-0.4.tar.gz

  Alan DeKok.




Re: FreeRadius Security hole

2002-02-19 Thread Alan DeKok

"Scott Pell" <[EMAIL PROTECTED]> wrote:
...

  I just noticed something else:

> > Trying update and install this port...getting the following: ===>  
> > freeradius-devel-20010310 is forbidden: Remotely exploitable buffer 

  Does FreeBSD *really* include the March, 2001 version snapshot of
the server?

  If so, why?  That is NOT from an official release, it appears to be
from a CVS snapshot!

  If FreeBSD is including a CVS snapshot of FreeRADIUS in their
'ports' section, then they SHOULD NOT include a version that's nearly
a year old.  They should upgrade it to the latest snapshot, which has
been fixed for almost 3 months now.

  We will have an official release soon which "officially" fixes the
problem.

  Alan DeKok.




Re: FreeRadius Security hole

2002-02-19 Thread Alan DeKok

"Scott Pell" <[EMAIL PROTECTED]> wrote:
> I am trying to load up the latest snapshot of FreeRadius, but I have
> been warned by FreeBSD developers to not run the released version
> because of the remotely exploitable buffer overflow security hole.

  Yeah, the latest CVS snapshot should be OK.  The fix was done in
November:

http://www.freeradius.org/cvs-log/2001/2001-11-30.09:00:00.html
 
> Is there a patch that covers this?  If so, we can get guys to take the
> security hold off of the port.  If not, is there a timeframe to fix?

  It's fixed in the latest CVS snapshot.  We haven't released another
version yet.

  Hmm... we should probably release another version soon.

  Alan DeKok.




Re: FreeRadius Security hole

2002-02-19 Thread Steve Langasek

On Tue, Feb 19, 2002 at 02:19:26PM -0800, Scott Pell wrote:
> I am trying to load up the latest snapshot of FreeRadius, but I have
> been warned by FreeBSD developers to not run the released version
> because of the remotely exploitable buffer overflow security hole.

> Is there a patch that covers this?  If so, we can get guys to take the
> security hold off of the port.  If not, is there a timeframe to fix?

They seem to be warning you (from the quote below) not to run the 
version of freeradius that's included in the FreeBSD ports.  And indeed, 
20010310 is quite old.  I'm given to understand that the latest
freeradius release, 0.4, has a fix for the security hole in question.

Steve Langasek
postmodern programmer

> [EMAIL PROTECTED] wrote:
> 
> <
> said:
> 
> > Trying update and install this port...getting the following: ===>  
> > freeradius-devel-20010310 is forbidden: Remotely exploitable buffer 
> > overflow.
> 
> > Any recommendations on how to get this port installed?
> 
> Don't.  When I (or anyone else, for that matter) get a
> sufficiently-large Round Tuit, the port will be replaced with one for a
> released version of FreeRADIUS which doesn't have the security hole.
> 
> -GAWollman
> 