Package: freeradius / 3.0.17+dfsg-1.1

Metadata

Package: freeradius
Version: 3.0.17+dfsg-1.1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
disable session cache CVE 2017 9148.patch

src/main/tls.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 disable session caching in the server (as opposed to in the
 config, which would be way harder to get right) to address
 https://security-tracker.debian.org/tracker/CVE-2017-9148

debian local/0001 Rename radius to freeradius.patch

Make.inc.in | 2 1 + 1 - 0 !
man/man8/radiusd.8 | 10 5 + 5 - 0 !
raddb/radiusd.conf.in | 6 3 + 3 - 0 !
raddb/sites-available/control-socket | 4 2 + 2 - 0 !
scripts/monit/freeradius.monitrc | 6 3 + 3 - 0 !
src/main/radiusd.c | 11 2 + 9 - 0 !
6 files changed, 16 insertions(+), 23 deletions(-)

 rename radius to freeradius
Last-Updated: 2016-09-16

0002 gitignore.diff.patch

.gitignore | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 gitignore.diff


0006 jradius.diff.patch

src/modules/stable | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 jradius.diff


0009 dhcp sqlipool Comment out mysql.patch

raddb/mods-available/dhcp_sqlippool | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 dhcp sqlipool: comment out mysql

So freeradius does not depend on freeradius-mysql

debian local/0010 version.c disable openssl version check.patch

src/main/radiusd.c | 8 0 + 8 - 0 !
1 file changed, 8 deletions(-)

 version.c: disable openssl version check

For Debian we don't want to require that the built OpenSSL be the same
as the linked OpenSSL.  Debian will be responsible for changing the
soname if the ABI changes.  The version check causes the freeradius
packages to fail whenever a new OpenSSL is built.

Patch-Category: debian-local

spelling fixes.diff

man/man5/dictionary.5 | 2 1 + 1 - 0 !
man/man5/radrelay.conf.5 | 2 1 + 1 - 0 !
man/man5/unlang.5 | 18 9 + 9 - 0 !
src/lib/debug.c | 2 1 + 1 - 0 !
src/modules/rlm_krb5/rlm_krb5.c | 2 1 + 1 - 0 !
src/modules/rlm_mschap/rlm_mschap.c | 2 1 + 1 - 0 !
6 files changed, 14 insertions(+), 14 deletions(-)

---

dont install tests.diff

src/main/radattr.mk | 1 1 + 0 - 0 !
src/tests/map/map_unit.mk | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

---

mkdirp.diff

install-sh | 698 474 + 224 - 0 !
1 file changed, 474 insertions(+), 224 deletions(-)

 fixes parallel build

snakeoil certs.diff

raddb/mods-available/eap | 6 3 + 3 - 0 !
raddb/mods-available/inner-eap | 6 3 + 3 - 0 !
raddb/sites-available/abfab-tls | 6 3 + 3 - 0 !
raddb/sites-available/tls | 12 6 + 6 - 0 !
4 files changed, 15 insertions(+), 15 deletions(-)

 use snakeoil certificates.

CVE 2019 11234 1.patch

src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 [patch] when processing an eap-pwd commit frame, the peer's scalar
 and elliptic curve point were not validated. This allowed an adversary to
 bypass authentication, and impersonate any user.

Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.

CVE 2019 11234 2.patch

src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] fix incorrectly named variable