Re: radiusd-freeradius history and future
On Wed, Nov 12, 2003 at 08:03:28AM +1100, Paul Hampson wrote:
> On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote:
> > This thing is packed full of strcpy() and strcat(), which is the sort of
> > sloppiness that I don't like to see in a network server. It was a great
> > blessing to find that we weren't shipping this in woody when the last batch
> > of security problems was discovered.
> > Have mercy...
> Well, then don't use it. :-)
If it makes it back into Debian, I end up having to support it whether I use
it personally or not.
> No, seriously, I'll put that on my TODO list. Mind you, we do some rather
> heavy input validation and are particularly strict on the RADIUS protocol,
> so I'm fairly confident that it's not going to be a problem.
> I am however curious about this "last batch of security problems"? Can you
> point me at that?
CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories
from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc. These affected multiple
RADIUS implementations, of which FreeRADIUS was one, and required large
quantities of problematic code to be patched.