Bug#1116983: trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u1

To: submit@bugs.debian.org
Subject: Bug#1116983: trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u1
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 1 Oct 2025 21:36:36 +0200
Message-id: <[🔎] 20251001193636.PJdUmkmP@breakpoint.cc>
Reply-to: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 1116983@bugs.debian.org

Package: release.debian.org
Control: affects -1 + src:freeradius
X-Debbugs-Cc: freeradius@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: trixie
X-Debbugs-Cc: sebastian@breakpoint.cc
Severity: normal

freeradius in Trixie sets an openssl specific option in the wrong way.
This had no effect with the openssl version in Trixie (3.5.1) but
starting with the following version (3.5.2) it causes a failure
freeradius and it can't accept any TLS connection.
This has been corrected in freeradius upstream and is in unstable since
freeradius 3.2.7+dfsg-2. This is a backport of the fix (as in -2) for
Trixie. It will avoid a failure after updating openssl.

Please find attached a diff against current version in stable.

Sebastian

diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog
--- freeradius-3.2.7+dfsg/debian/changelog	2025-02-10 22:50:22.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/changelog	2025-10-01 19:36:38.000000000 +0200
@@ -1,3 +1,10 @@
+freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport patch to fix compatibility with OpenSSL 3.5.2 (Closes: #1111328)
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 01 Oct 2025 19:36:38 +0200
+
 freeradius (3.2.7+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.2.7+dfsg
diff -Nru freeradius-3.2.7+dfsg/debian/patches/fips.patch freeradius-3.2.7+dfsg/debian/patches/fips.patch
--- freeradius-3.2.7+dfsg/debian/patches/fips.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/patches/fips.patch	2025-08-21 14:05:00.000000000 +0200
@@ -0,0 +1,16 @@
+Author: Alan T. DeKok <aland@freeradius.org>
+Description: change "fips=no" to "-fips"
+Origin: upstream, https://github.com/FreeRADIUS/freeradius-server/commit/59e262f1134fef8d53d15ae963885a08c9ea8315
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/issues/5631
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111328
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3644,7 +3644,7 @@
+ 	CONF_modules_load_file(NULL, NULL, 0);
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	EVP_set_default_properties(NULL, "fips=no");
++	EVP_set_default_properties(NULL, "-fips");
+ #endif
+ 
+ 	/*
diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series
--- freeradius-3.2.7+dfsg/debian/patches/series	2025-02-10 22:50:22.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/patches/series	2025-10-01 19:31:39.000000000 +0200
@@ -5,3 +5,4 @@
 debian-local/0010-version.c-disable-openssl-version-check.patch
 dont-install-tests.diff
 snakeoil-certs.diff
+fips.patch

Reply to:

Follow-Ups:
- Processed: trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u1
Next by Date: Processed: bookworm-pu: package openrefine/3.6.2-2+deb12u3
Previous by thread: Processed: gdk-pixbuf: switch to glycin loaders
Next by thread: Processed: trixie-pu: package freeradius/3.2.7+dfsg-1+deb13u1
Index(es):
- Date
- Thread