An advisory has been issued today (June 22): http://www.ocert.org/advisories/ocert-2015-008.html
It sounds like the issue will be fixed in an upcoming 2.2.8 release.
Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Blocks: (none) => 16176
Updated packages uploaded for Mageia 3 and Mageia 4. Testing procedure is in Bug 8726.

Advisory:
========================

Updated freeradius packages fix security vulnerability:

The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA certificates. An unexpired client certificate, issued by an intermediate CA with a revoked certificate, is therefore accepted by FreeRADIUS (CVE-2015-4680).

The freeradius package has been updated to version 2.2.8, which fixes this issue, as well as the failure to run on Mageia 5 due to an OpenSSL issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4680
http://freeradius.org/security.html
http://freeradius.org/press/index.html#2.2.8
http://www.ocert.org/advisories/ocert-2015-008.html
https://bugs.mageia.org/show_bug.cgi?id=16176
https://bugs.mageia.org/show_bug.cgi?id=16175
========================

Updated packages in core/updates_testing:
========================
freeradius-2.2.8-1.mga4
freeradius-krb5-2.2.8-1.mga4
freeradius-ldap-2.2.8-1.mga4
freeradius-postgresql-2.2.8-1.mga4
freeradius-mysql-2.2.8-1.mga4
freeradius-unixODBC-2.2.8-1.mga4
freeradius-sqlite-2.2.8-1.mga4
freeradius-yubikey-2.2.8-1.mga4
libfreeradius1-2.2.8-1.mga4
libfreeradius-devel-2.2.8-1.mga4
freeradius-web-2.2.8-1.mga4
freeradius-2.2.8-1.mga5
freeradius-krb5-2.2.8-1.mga5
freeradius-ldap-2.2.8-1.mga5
freeradius-postgresql-2.2.8-1.mga5
freeradius-mysql-2.2.8-1.mga5
freeradius-unixODBC-2.2.8-1.mga5
freeradius-sqlite-2.2.8-1.mga5
freeradius-yubikey-2.2.8-1.mga5
libfreeradius1-2.2.8-1.mga5
libfreeradius-devel-2.2.8-1.mga5
freeradius-web-2.2.8-1.mga5

from SRPMS:
freeradius-2.2.8-1.mga4.src.rpm
freeradius-2.2.8-1.mga5.src.rpm

CC: (none) => oe
Version: Cauldron => 5
Assignee: oe => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure
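The leaf-only CRL check the advisory describes, as an added example that is not FreeRADIUS, OpenSSL or Mageia code: it assumes the Python `cryptography` library, builds a constructed root/intermediate/client chain whose intermediate is listed in the root's CRL, and compares a leaf-only revocation check (the pre-2.2.8 behaviour) with a chain-wide one. The CA names and the `crl_check`/`demo` helpers are assumptions of the example, and CRLs are matched to certificates by issuer name only.

```python
# Added example, not FreeRADIUS code: three-level chain, intermediate revoked in the root's
# CRL; leaf-only CRL checking (pre-2.2.8 behaviour) accepts the client, chain-wide checking rejects it.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_cn, issuer_key, is_ca):
    # issuer_key=None means self-signed root; returns (private key, certificate)
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def make_crl(issuer_cn, issuer_key, revoked):
    # CRL signed by the issuer, listing the serial numbers of `revoked` (constructed data)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(_name(issuer_cn))
               .last_update(NOW - timedelta(days=1)).next_update(NOW + timedelta(days=7)))
    for cert in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(NOW - timedelta(days=1)).build())
    return builder.sign(issuer_key, hashes.SHA256())

def is_revoked(cert, crls):
    # a cert is revoked if a CRL from its own issuer (matched by name) lists its serial
    return any(crl.issuer == cert.issuer and
               crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
               for crl in crls)

def crl_check(chain, crls, check_all):
    # chain = [leaf, intermediate, root]; check_all=False mirrors leaf-only checking
    to_check = chain[:-1] if check_all else chain[:1]  # self-signed root is never CRL-checked
    return not any(is_revoked(c, crls) for c in to_check)

def demo():
    root_key, root = make_cert("Demo Root CA", "Demo Root CA", None, True)
    inter_key, inter = make_cert("Demo Intermediate CA", "Demo Root CA", root_key, True)
    _, client = make_cert("client", "Demo Intermediate CA", inter_key, False)
    crls = [make_crl("Demo Root CA", root_key, [inter]),        # root revokes the intermediate
            make_crl("Demo Intermediate CA", inter_key, [])]    # client itself is not revoked
    chain = [client, inter, root]
    return crl_check(chain, crls, False), crl_check(chain, crls, True)  # (True, False)
```

The first value is the unexpired client certificate being accepted despite its issuer's revocation; the second is what a check over the whole chain returns.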
"as well as the failure to run on Mageia 5 due to an OpenSSL issue." I just reported on bug #16176 that this package doesn't fix that issue.
CC: (none) => luca
OpenSSL was pushed to updates this morning, Luca. Please retest with the updated packages.
Indeed, it's expected to not work if you haven't installed the openssl update (which it was built against). If you look at the code, as long as the openssl you're using is equal to or newer than the one it was built against, it will allow it. This is appropriate.
So, are you saying that the updated version of openssl is not binary compatible with the one it replaces? If that's not the case it shouldn't matter if freeradius is updated before or after openssl. I don't know which one urpmi would update first (since there's no strict dependency in freeradius), but if it updates freeradius before openssl, it would leave radiusd not running (and with no message on the command line that the restart failed).
BTW, I can confirm that the new radiusd works once openssl has been updated, but I'm still worried that it could fail again in the future.
freeradius requires libopenssl1.0.0, so RPM would update libopenssl1.0.0 first if both updates were being installed together (assuming no circular dependencies in the transaction). As far as why FreeRADIUS does the version checks (and a comment in the code says that OpenSSH uses the same approach that they do now), you'd have to ask them. The bottom line is that we wouldn't ever release a build of freeradius that's built against a newer openssl than what's current in the distro, so in practice this will never be an issue.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory
Luca, what arch have you tested on?
In Mageia 4 64 bits, I just installed freeradius and lib64freeradius1 from updates testing. Service start fails, and there's nothing that I could find in logs, but maybe someone will have an idea where to look.

[root@localhost ~]# service radiusd start
Redirecting to /bin/systemctl start radiusd.service
Job for radiusd.service failed. See 'systemctl status radiusd.service' and 'journalctl -xn' for details.
[root@localhost ~]# systemctl status radiusd.service
radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled)
   Active: failed (Result: exit-code) since mer. 2015-07-22 18:16:06 CEST; 7s ago
  Process: 28234 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=1/FAILURE)

juil. 22 18:16:06 localhost.localdomain systemd[1]: radiusd.service: control process exited, code=exited status=1
juil. 22 18:16:06 localhost.localdomain systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
juil. 22 18:16:06 localhost.localdomain systemd[1]: Unit radiusd.service entered failed state.
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory feedback
But maybe I should look at the documentation and need to alter some configuration.
Whiteboard: MGA4TOO has_procedure advisory feedback => MGA4TOO has_procedure advisory
When I first installed it in mga4 it didn't start either with the provided configuration files (IIRC it referenced a missing mysql or postgresql or somesuchsql module, sorry if I cannot be more specific). I didn't give too much thought at the time because I don't think there can be a suitable radius default configuration. With my configuration the packages in comment 1 work.
BTW, to check the configuration you can use (as root) /usr/sbin/radiusd -CX (but see the caveats in the manpage)
MGA4-32 on Acer D620 Xfce
No apparent installation issues.
Radius service does not start.
Giving command "radiusd -CX" at CLI gives at the end:

WARNING: No such configuration item certdir
/etc/raddb/eap.conf[304]: Reference "${certdir}/bootstrap" not found
Errors reading or parsing /etc/raddb/radiusd.conf

Something missing?
CC: (none) => herman.viaene
Followed procedure as per bug 8726 Comment 2 and Comment 3: tests succeed.
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory MGA4-32-OK
I am going to test on MGA5-64. Stay tuned.
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #15)
> I am going to test on MGA5-64. Stay tuned.

Sorry, but I'm not getting along too well with testing this; you people can test it instead. I'll try to test some other bugs.
After upgrading from MGA4-32 to MGA5-32 yesterday I ran into that problem, too. I installed freeradius-2.2.8-1.mga5 and libfreeradius1-2.2.8-1.mga5 from core/updates_testing and can confirm that radiusd starts and works again as expected with the updated version on MGA5-32. Thanks for fixing!
CC: (none) => s.puch
Thanks for testing.
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0291.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/652803/