Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package freeradius

The new upload addresses a security issue: CVE-2017-9148, #863673

% debdiff freeradius_3.0.12+dfsg-4.dsc freeradius_3.0.12+dfsg-5.dsc 
dpkg-source: warning: extracting unsigned source package 
(/home/michael/d/out/freeradius/freeradius_3.0.12+dfsg-4.dsc)
diff -Nru freeradius-3.0.12+dfsg/debian/changelog 
freeradius-3.0.12+dfsg/debian/changelog
--- freeradius-3.0.12+dfsg/debian/changelog     2016-11-17 22:29:04.000000000 
+0100
+++ freeradius-3.0.12+dfsg/debian/changelog     2017-05-30 17:18:34.000000000 
+0200
@@ -1,3 +1,9 @@
+freeradius (3.0.12+dfsg-5) unstable; urgency=high
+
+  * disable session cache to address CVE-2017-9148 (closes: #863673)
+
+ -- Michael Stapelberg <stapelb...@debian.org>  Tue, 30 May 2017 17:18:34 +0200
+
 freeradius (3.0.12+dfsg-4) unstable; urgency=medium
 
   * fix openssl-1.1.diff: initialize ctx_out
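Review bot: the changelog entry does not tell administrators that the upload overrides their configuration: after this change the `session_cache_enable` setting is ignored and TLS session resumption is always off, whatever the site configured. Suggest saying so here (or in a NEWS.Debian entry), e.g. `* disable TLS session cache unconditionally (the cache enable option is now ignored) to address CVE-2017-9148 (closes: #863673)`, so that admins who see resumption stop working after the upgrade know it is intentional.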
diff -Nru 
freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch 
freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch
--- 
freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch 
    1970-01-01 01:00:00.000000000 +0100
+++ 
freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch 
    2017-05-30 17:18:34.000000000 +0200
@@ -0,0 +1,49 @@
+Description: disable session caching in the server (as opposed to in the
+ config, which would be way harder to get right) to address
+ https://security-tracker.debian.org/tracker/CVE-2017-9148
+Author: Michael Stapelberg <stapelb...@debian.org>
+Forwarded: not-needed
+Last-Update: 2017-05-30
+
+---
+
+Index: freeradius/src/main/tls.c
+===================================================================
+--- freeradius.orig/src/main/tls.c
++++ freeradius/src/main/tls.c
+@@ -579,7 +579,7 @@ tls_session_t *tls_new_session(TALLOC_CT
+        *
+        *      FIXME: Also do it every N sessions?
+        */
+-      if (conf->session_cache_enable &&
++      if (/*conf->session_cache_enable*/0 &&
+           ((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) 
<= request->timestamp)){
+               RDEBUG2("Flushing SSL sessions (of #%ld)", 
SSL_CTX_sess_number(conf->ctx));
+ 
+@@ -674,7 +674,7 @@ tls_session_t *tls_new_session(TALLOC_CT
+               state->mtu = vp->vp_integer;
+       }
+ 
+-      if (conf->session_cache_enable) state->allow_session_resumption = true; 
/* otherwise it's false */
++      if (/*conf->session_cache_enable*/0) state->allow_session_resumption = 
true; /* otherwise it's false */
+ 
+       return state;
+ }
+@@ -2848,7 +2848,7 @@ post_ca:
+       /*
+        *      Callbacks, etc. for session resumption.
+        */
+-      if (conf->session_cache_enable) {
++      if (/*conf->session_cache_enable*/0) {
+               /*
+                *      Cache sessions on disk if requested.
+                */
+@@ -2916,7 +2916,7 @@ post_ca:
+       /*
+        *      Setup session caching
+        */
+-      if (conf->session_cache_enable) {
++      if (/*conf->session_cache_enable*/0) {
+               /*
+                *      Create a unique context Id per EAP-TLS configuration.
+                */
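Review bot: at all four sites the condition is hard-wired to `0`, but `conf->session_cache_enable` is still read from the configuration, so an administrator who has session caching enabled gets no indication that the option is now ignored; suggest logging a warning where the option is parsed, or at least stating in the Description that the option is silently ignored, since dropping session resumption is observable behaviour for EAP-TLS clients. Patching each call site with `/*conf->session_cache_enable*/0` also means any use of the flag outside these four hunks keeps the old behaviour; forcing `conf->session_cache_enable = false` once after the configuration is parsed would disable caching everywhere in one place and is easier to drop once the upstream fix is backported. Minor: `0 && (...)` in the first hunk turns the whole flush condition into dead code, which some compilers warn about.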
diff -Nru freeradius-3.0.12+dfsg/debian/patches/series 
freeradius-3.0.12+dfsg/debian/patches/series
--- freeradius-3.0.12+dfsg/debian/patches/series        2016-11-17 
22:29:04.000000000 +0100
+++ freeradius-3.0.12+dfsg/debian/patches/series        2017-05-30 
17:18:34.000000000 +0200
@@ -1,3 +1,4 @@
+disable-session-cache-CVE-2017-9148.patch
 debian-local/0001-Rename-radius-to-freeradius.patch
 0002-gitignore.diff.patch
 0006-jradius.diff.patch
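Review bot: the new patch is prepended to the series, so it is applied before debian-local/0001-Rename-radius-to-freeradius.patch and the other existing patches; that only works if none of them touch the `src/main/tls.c` context these hunks rely on. Appending it at the end of the series, the usual place for a new patch, avoids having to verify that ordering and keeps the existing patches applying against the same context they were written for.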

unblock freeradius/3.0.12+dfsg-5

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel, arm64

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
