[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: radiusd-freeradius history and future

On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote:
> On Wed, Nov 12, 2003 at 08:03:28AM +1100, Paul Hampson wrote:
> 
> > On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote:
> > > This thing is packed full of strcpy() and strcat(), which is the sort of
> > > sloppiness that I don't like to see in a network server.  It was a great
> > > blessing to find that we weren't shipping this in woody when the last batch
> > > of security problems was discovered.
> > 
> > > Have mercy...
> > 
> > Well, then don't use it. :-)
> 
> If it makes it back into Debian, I end up having to support it whether I use
> it personally or not.

*blink* Oh, Security Team. :-)

Well, I'll do what I can to make sure it never worries you.

> > I am however curious about this "last batch of security problems"? Can you
> > point me at that?

> CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories
> from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc.  These affected multiple
> RADIUS implementations, of which FreeRADIUS was one, and required large
> quantities of problematic code to be patched.

Last Spring? December 2001/March 2002? And I thought my sense of
time/space was poor. :-) [1]

The fixed FreeRADIUS was out December 2001[2], 6 days before the vendor
notifications came out.

These both came from an audit of FreeRADIUS. To be frank, the general
advice you'd get from the FreeRADIUS mailing list is "keep untrusted
IP addresses" away from your RADIUS server. Both by FreeRADIUS
configuration and firewall/TLS/VPN/RFC1918/whatever.

Hmm, we have cistron as well, don't we? _And_ xtradius. I can see how
you'd be glad we didn't have _three_ cistron-derived RADIUS servers to
do security updates for...

[1] http://marc.theaimsgroup.com/?l=bugtraq&m=101537153021792&w=2
[2] http://www.freeradius.org/getting.html

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------

Attachment: signature.asc
Description: Digital signature

Reply to: