On Tue, Nov 11, 2003 at 07:44:01PM -0500, Matt Zimmerman wrote: > On Wed, Nov 12, 2003 at 09:18:38AM +1100, Paul Hampson wrote: > > On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote: > > > CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories > > > from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc. These affected multiple > > > RADIUS implementations, of which FreeRADIUS was one, and required large > > > quantities of problematic code to be patched. > > The fixed FreeRADIUS was out December 2001[2], 6 days before the vendor > > notifications came out. > A new release is nice enough for those who are installing from source and > want the latest features, but this: > > 294 files changed, 13608 insertions(+), 2238 deletions(-) > > is not acceptable for a security update. True. Since I'm already being fairly hard-line about what goes into stable versions of FreeRADIUS, I don't expect to have too much trouble backporting security fixes if and when this ends up in a stable Debian release. I wholehartedly agree that a security update isn't an oportunity to upgrade stable to the latest version. I love stable because it's stable. > We ship cistron, livingston/lucent, xtradius and yardradius in woody. > freeradius was in unstable until recently. I'm sure they all share at least > some code. Well, there's two RADIUS families there... I mentioned this in another email, and most of that knowledge comes from the descriptions of the Debian packages involved. > I can't even remember whether xtradius was properly reviewed or not. Of > course, we never heard from the maintainer, even in the year following the > disclosure of the bugs. > This is exactly the kind of situation I don't want going forward...there is > so much neglected software in Debian that bugs like these sometimes go > unnoticed, or even if they are noticed, the maintainer doesn't care enough > about stable to let anyone know about it. Maintainers are our first line of > defense against security problems, and usually the best informed about their > status, and yet maintainers who actively participate in the security update > process represent a minority (a valuable one). Indeed. Since I'm actively targetting stable with this package, as that's where my primary production RADIUS server is, I expect to stay clear of the category "doesn't care enough about stable". I hope the six months or so I've been hammering away at the upstream debian/ directory (amongst other things) stands me in good stead for this. :-) -- ----------------------------------------------------------- Paul "TBBle" Hampson, MCSE 6th year CompSci/Asian Studies student, ANU The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361) Paul.Hampson@Anu.edu.au "No survivors? Then where do the stories come from I wonder?" -- Capt. Jack Sparrow, "Pirates of the Caribbean" This email is licensed to the recipient for non-commercial use, duplication and distribution. -----------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature