
freeradius-2.2.9-1.mga5.src.rpm

diff -Naur freeradius-server-2.2.9/src/include/radiusd.h freeradius-server-2.2.9.git/src/include/radiusd.h
--- freeradius-server-2.2.9/src/include/radiusd.h	2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/include/radiusd.h	2015-12-29 21:30:34.507302617 +0100
@@ -360,7 +360,7 @@
 	int		proxy_requests;
 	int		reject_delay;
 	int		status_server;
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
 	int		allow_vulnerable_openssl;
 #endif
 	int		max_request_time;
@@ -536,7 +536,8 @@
 void		pairlist_free(PAIR_LIST **);
 
 /* version.c */
-int 		ssl_check_version(int allow_vulnerable);
+int 		ssl_check_version(void);
+int 		ssl_check_vulnerable(void);
 const char	*ssl_version(void);
 void		version(void);
 
diff -Naur freeradius-server-2.2.9/src/main/mainconfig.c freeradius-server-2.2.9.git/src/main/mainconfig.c
--- freeradius-server-2.2.9/src/main/mainconfig.c	2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/main/mainconfig.c	2015-12-29 21:30:34.509302616 +0100
@@ -172,7 +172,7 @@
 	{ "max_attributes",  PW_TYPE_INTEGER, 0, &fr_max_attributes, Stringify(0) },
 	{ "reject_delay",  PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, Stringify(0) },
 	{ "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"},
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
 	{ "allow_vulnerable_openssl", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_vulnerable_openssl, "no"},
 #endif
 	{ NULL, -1, 0, NULL, NULL }
diff -Naur freeradius-server-2.2.9/src/main/radiusd.c freeradius-server-2.2.9.git/src/main/radiusd.c
--- freeradius-server-2.2.9/src/main/radiusd.c	2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/main/radiusd.c	2015-12-29 21:30:34.509302616 +0100
@@ -293,11 +293,22 @@
 	 *	Mismatch between build time OpenSSL and linked SSL,
 	 *	better to die here than segfault later.
 	 */
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
-	if (ssl_check_version(mainconfig.allow_vulnerable_openssl) < 0) {
+	if (ssl_check_version() < 0) {
 		exit(1);
 	}
-#endif
+
+	/*
+	 *	Check for known vulnerabilities that compromise the 
+	 *	security of the server.
+	 */
+#  ifdef ENABLE_OPENSSL_VERSION_CHECK
+	if (!mainconfig.allow_vulnerable_openssl) {
+		if (ssl_check_vulnerable() < 0) {
+			exit(1);
+		}
+	}
+#  endif
+
 #endif
 
 	/*  Load the modules AFTER doing SSL checks */
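Review bot: The new `if (!mainconfig.allow_vulnerable_openssl)` is guarded only by `#  ifdef ENABLE_OPENSSL_VERSION_CHECK`, while the field itself is now declared in radiusd.h under `#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)`; that only compiles if the enclosing `#ifdef`, which opens before this hunk and closes at the final `#endif`, is the HAVE_OPENSSL_CRYPTO_H test, so it is worth confirming rather than relying on the nesting. The added comment line `Check for known vulnerabilities that compromise the ` carries trailing whitespace. The comment could also state the policy this restructuring introduces, e.g. `/* The build/link version mismatch check above is unconditional; only the known-vulnerable-version check can be disabled with allow_vulnerable_openssl. */`. The enclosing function continues on both sides of the hunk.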
diff -Naur freeradius-server-2.2.9/src/main/version.c freeradius-server-2.2.9.git/src/main/version.c
--- freeradius-server-2.2.9/src/main/version.c	2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/main/version.c	2015-12-29 21:30:34.509302616 +0100
@@ -62,8 +62,8 @@
  *
  * @return 0 if ok, else -1
  */
-#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
-int ssl_check_version(int allow_vulnerable)
+#ifdef HAVE_OPENSSL_CRYPTO_H
+int ssl_check_version()
 {
 	long ssl_linked;
 
@@ -94,20 +94,42 @@
 	 */
 	} else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
 
-	if (!allow_vulnerable) {
-		/* Check for bad versions */
-		/* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
-		if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
-			radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f).  "
-			      "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
-			radlog(L_ERR, "For more information see http://heartbleed.com");
+	return 0;
+}
+
+/** Check OpenSSL version for known vulnerabilities.
+ *
+ * OpenSSL version number consists of:
+ * MNNFFPPS: major minor fix patch status
+ *
+ * Where status >= 0 && < 10 means beta, and status 10 means release.
+ *
+ * Startup check for whether the linked version of OpenSSL is a version known to
+ * have serious vulnerabilities impacting FreeRADIUS.
+ *
+ * @return 0 if ok, else -1
+ */
+#  ifdef ENABLE_OPENSSL_VERSION_CHECK
+int ssl_check_vulnerable()
+{
+	long ssl_linked;
+
+	ssl_linked = SSLeay();
+
+	/* Check for bad versions */
+	/* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
+	if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
+		radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f).  "
+		      "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
+		radlog(L_ERR, "For more information see http://heartbleed.com");
 
-			return -1;
-		}
+		return -1;
 	}
 
 	return 0;
 }
+#  endif
+
 #endif
 
 /*
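Review bot: The Doxygen block for `ssl_check_vulnerable` describes a check for "known vulnerabilities", but the body tests a single hard-coded range (1.0.1 up to 1.0.1f, CVE-2014-0160) and returns 0 for everything else, so a reader may assume broader coverage than exists; add a line such as ` * Only the ranges listed in the body are tested (currently CVE-2014-0160); later advisories are not covered.` to the comment. The range is also repeated in the radlog text, so a note like `/* keep the range quoted in the log message in sync with the comparison below */` would help whoever adds the next entry. The `#  endif` / `#endif` pair closes blocks opened in the previous hunk.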
diff -Naur freeradius-server-2.2.9/src/modules/rlm_eap/libeap/cb.c freeradius-server-2.2.9.git/src/modules/rlm_eap/libeap/cb.c
--- freeradius-server-2.2.9/src/modules/rlm_eap/libeap/cb.c	2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/modules/rlm_eap/libeap/cb.c	2015-12-29 21:27:20.344316846 +0100
@@ -98,6 +98,13 @@
 	tls_session_t *state = (tls_session_t *)arg;
 
 	/*
+	 *	Work around for pseudo content types in OpenSSL 1.0.2
+	 */
+	if ((msg_version == 0) && (content_type > 255)) return;
+
+	if ((write_p != 0) && (write_p != 1)) return;
+
+	/*
 	 *	Work around bug #298, where we may be called with a NULL
 	 *	argument.  We should really log a serious error
 	 */
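Review bot: The second guard, `if ((write_p != 0) && (write_p != 1)) return;`, has no comment, while the first is covered by the "pseudo content types" comment above; per the SSL_CTX_set_msg_callback contract write_p is 0 for received and 1 for sent records, so a line such as `/* write_p is 0 (received) or 1 (sent) for real records; ignore anything else */` would make the intent clear. Both returns silently drop the callback before the existing NULL check on `state`; that is safe since `state` is not yet dereferenced, but the comment should say that these cases are deliberately not logged. The enclosing callback function starts before this hunk.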
diff -Naur freeradius-server-2.2.9/src/modules/rlm_ldap/rlm_ldap.c freeradius-server-2.2.9.git/src/modules/rlm_ldap/rlm_ldap.c
--- freeradius-server-2.2.9/src/modules/rlm_ldap/rlm_ldap.c	2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/modules/rlm_ldap/rlm_ldap.c	2015-12-29 21:30:21.083303600 +0100
@@ -324,7 +324,7 @@
 	{"groupname_attribute", PW_TYPE_STRING_PTR,
 	 offsetof(ldap_instance,groupname_attr), NULL, "cn"},
 	{"groupmembership_filter", PW_TYPE_STRING_PTR,
-	 offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"},
+	 offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"},
 	{"groupmembership_attribute", PW_TYPE_STRING_PTR,
 	 offsetof(ldap_instance,groupmemb_attr), NULL, NULL},