[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security liabilities (Re: radiusd-freeradius history and future)

On Tue, Nov 11, 2003 at 07:44:01PM -0500, Matt Zimmerman wrote:
> On Wed, Nov 12, 2003 at 09:18:38AM +1100, Paul Hampson wrote:
> > On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote:
> > > CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories
> > > from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc.  These affected multiple
> > > RADIUS implementations, of which FreeRADIUS was one, and required large
> > > quantities of problematic code to be patched.

> > The fixed FreeRADIUS was out December 2001[2], 6 days before the vendor
> > notifications came out.

> A new release is nice enough for those who are installing from source and
> want the latest features, but this:
>   294 files changed, 13608 insertions(+), 2238 deletions(-)
> is not acceptable for a security update.

True. Since I'm already being fairly hard-line about what goes into
stable versions of FreeRADIUS, I don't expect to have too much trouble
backporting security fixes if and when this ends up in a stable Debian

I wholehartedly agree that a security update isn't an oportunity to
upgrade stable to the latest version. I love stable because it's stable.

> We ship cistron, livingston/lucent, xtradius and yardradius in woody.
> freeradius was in unstable until recently.  I'm sure they all share at least
> some code.

Well, there's two RADIUS families there... I mentioned this in another
email, and most of that knowledge comes from the descriptions of the
Debian packages involved.

> I can't even remember whether xtradius was properly reviewed or not.  Of
> course, we never heard from the maintainer, even in the year following the
> disclosure of the bugs.

> This is exactly the kind of situation I don't want going forward...there is
> so much neglected software in Debian that bugs like these sometimes go
> unnoticed, or even if they are noticed, the maintainer doesn't care enough
> about stable to let anyone know about it.  Maintainers are our first line of
> defense against security problems, and usually the best informed about their
> status, and yet maintainers who actively participate in the security update
> process represent a minority (a valuable one).

Indeed. Since I'm actively targetting stable with this package, as
that's where my primary production RADIUS server is, I expect to stay
clear of the category "doesn't care enough about stable". I hope the six
months or so I've been hammering away at the upstream debian/ directory
(amongst other things) stands me in good stead for this. :-)

Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.

Attachment: signature.asc
Description: Digital signature

Reply to: