Control: tags -1 help security

On 09.07.24 at 18:15, Herwin Weststrate wrote:
Package: freeradius
Version: 3.2.1+dfsg-4+deb12u1

FreeRADIUS 3.2.5 has just been released, which includes some security
fixes for BlastRADIUS: a vulnerability with a name and a website[0] and
a logo (hadn't seen one of those in a while).

The FreeRADIUS security page[1] (scroll to "2024.07.09", there is no
anchor to link directly to the relevant article) describes some new
configuration options to resolve everything. Since this will be the
first thing people read, it would be nice to have those backported to
the Debian packages.

At first glance, it looks like this requires just two commits[2] [3] to
be cherry-picked, but there may be some hidden dependencies in previous
commits.

[2] https://github.com/FreeRADIUS/freeradius-server/commit/0947439f2569d2b8c2b4949be24250263934e260
[3] https://github.com/FreeRADIUS/freeradius-server/commit/6616be90346beb6050446bd00c8ed5bca1b8ef29

I haven't looked closer yet, but the patches do not apply at all

dpkg-source: info: applying 0947439f2569d2b8c2b4949be24250263934e260.patch
patching file raddb/radiusd.conf.in
Hunk #1 FAILED at 625.
Hunk #2 FAILED at 643.
2 out of 2 hunks FAILED
patching file src/include/clients.h
Hunk #2 FAILED at 52.
1 out of 2 hunks FAILED
patching file src/include/libradius.h
Hunk #1 FAILED at 411.
1 out of 1 hunk FAILED
patching file src/include/radiusd.h
Hunk #1 FAILED at 178.
Hunk #2 succeeded at 564 (offset -6 lines).
1 out of 2 hunks FAILED
patching file src/lib/radius.c
Hunk #1 succeeded at 2631 (offset -128 lines).
Hunk #2 FAILED at 2770.
Hunk #3 FAILED at 2790.
2 out of 3 hunks FAILED
patching file src/main/client.c
Hunk #1 succeeded at 489 (offset -2 lines).
Hunk #2 FAILED at 515.
Hunk #3 succeeded at 904 (offset -16 lines).
Hunk #4 succeeded at 914 (offset -16 lines).
Hunk #5 succeeded at 1173 (offset -30 lines).
1 out of 5 hunks FAILED
patching file src/main/listen.c
Hunk #1 succeeded at 508 (offset -22 lines).
Hunk #2 FAILED at 683.
Hunk #3 succeeded at 1763 (offset -271 lines).
Hunk #4 FAILED at 2109.
Hunk #5 succeeded at 1846 (offset -271 lines).
2 out of 5 hunks FAILED
patching file src/main/mainconfig.c
Hunk #2 FAILED at 88.
Hunk #3 FAILED at 164.
Hunk #4 succeeded at 849 (offset -24 lines).
Hunk #5 FAILED at 1173.
3 out of 5 hunks FAILED
dpkg-source: info: applying 6616be90346beb6050446bd00c8ed5bca1b8ef29.patch
patching file raddb/clients.conf
Hunk #1 FAILED at 137.
Hunk #2 FAILED at 152.
2 out of 2 hunks FAILED
patching file raddb/proxy.conf
Hunk #1 FAILED at 255.
1 out of 1 hunk FAILED
patching file raddb/radiusd.conf.in
Hunk #1 FAILED at 604.
Hunk #2 FAILED at 632.
Hunk #3 FAILED at 691.
3 out of 3 hunks FAILED
patching file src/include/clients.h
Reversed (or previously applied) patch detected!  Skipping patch.
2 out of 2 hunks ignored
patching file src/include/libradius.h
Hunk #1 succeeded at 942 (offset -28 lines).
patching file src/include/radiusd.h
Hunk #1 FAILED at 176.
1 out of 1 hunk FAILED
patching file src/include/realms.h
Hunk #1 FAILED at 71.
1 out of 1 hunk FAILED
patching file src/main/client.c
Hunk #1 FAILED at 491.
Hunk #2 FAILED at 514.
Hunk #3 FAILED at 727.
Hunk #4 FAILED at 920.
Hunk #5 FAILED at 930.
Hunk #6 FAILED at 1203.
Hunk #7 succeeded at 1494 (offset -37 lines).
6 out of 7 hunks FAILED
patching file src/main/listen.c
Hunk #1 FAILED at 532.
Hunk #2 FAILED at 543.
Hunk #3 FAILED at 683.
Hunk #4 FAILED at 2114.
Hunk #5 FAILED at 2546.
5 out of 5 hunks FAILED
patching file src/main/mainconfig.c
Hunk #1 FAILED at 73.
Hunk #2 FAILED at 211.
Hunk #3 FAILED at 921.
Hunk #4 FAILED at 1225.
4 out of 4 hunks FAILED
patching file src/main/process.c
Hunk #1 FAILED at 2806.
Hunk #2 FAILED at 2823.
2 out of 2 hunks FAILED
patching file src/main/realms.c
Hunk #1 FAILED at 481.
Hunk #2 FAILED at 789.
2 out of 2 hunks FAILED

Even with fuzz 80% of the hunks do not apply.

Given that the freeradius codebase is really complicated, I'm not entirely sure whether we can do this (_I_ can't), or ask the security team for a newer upstream version in stable.

But I'll give 3.2.5 a go in unstable ASAP.

Bernhard
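As an added example (not code from this bug report or from the FreeRADIUS project), the following POSIX shell/awk script turns patch(1) output like the log above into a per-file count of failed hunks and, when run inside a clone of freeradius-server, lists the upstream commits between the packaged release and the fix commit that touched those files, which is where the "hidden dependencies" mentioned in the report would come from. Assumptions: the upstream release tag is named release_3_2_1, the two patches are fetched by appending `.patch` to the GitHub commit URLs, and the sample log embedded in the script is constructed in the shape of the output quoted in the report, not copied from a real run.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeRADIUS.
# Triage the output of patch(1) when cherry-picking upstream commits onto an
# older packaged tree, then list the upstream commits that touched the files
# whose hunks failed: those are the candidates for the "hidden dependencies"
# a backport has to pull in first.

# Read patch(1) / dpkg-source output on stdin and print one TAB-separated line
# per file (path, failed hunks, hunks, ignored hunks) plus a TOTAL line.
# Caveats handled here:
#  - `patch --dry-run` prints "checking file" instead of "patching file";
#  - a hunk that applies cleanly prints nothing, so for a file without a
#    "N out of M hunks" summary the hunk count is only the number of hunks
#    that reported an offset or fuzz (a lower bound);
#  - "Reversed (or previously applied)" files report "ignored", not FAILED.
summarize_patch_output() {
    awk '
    function flush() {
        if (file == "") return
        if (!summarized) hunks = seen
        printf "%s\t%d\t%d\t%d\n", file, failed, hunks, ignored
        tf += failed; th += hunks; ti += ignored
        file = ""
    }
    /^dpkg-source: info: applying /        { flush(); next }
    /^(patching|checking) file /           { flush(); file = $3
                                             failed = hunks = ignored = seen = summarized = 0; next }
    /^Hunk #[0-9]+ (FAILED|succeeded) /    { seen++; next }
    /^[0-9]+ out of [0-9]+ hunks? FAILED/  { failed = $1; hunks = $4; summarized = 1; next }
    /^[0-9]+ out of [0-9]+ hunks? ignored/ { ignored = $4; summarized = 1; next }
    END { flush(); printf "TOTAL\t%d\t%d\t%d\n", tf, th, ti }
    '
}

# Paths of the files with at least one FAILED hunk.
failed_files() {
    summarize_patch_output | awk -F '\t' '$1 != "TOTAL" && $2 > 0 { print $1 }'
}

# Inside a freeradius-server clone: upstream commits after the packaged
# release and before the fix commit that touched the given files.
# ASSUMPTION: upstream tags releases as release_3_2_1 (check with `git tag`).
dependency_candidates() {
    base_tag=$1; fix_commit=$2; shift 2
    git log --oneline "$base_tag..$fix_commit^" -- "$@"
}

# Constructed sample in the shape of the log quoted in the report above.
sample_patch_output() {
    cat <<'EOF'
dpkg-source: info: applying 0947439f2569d2b8c2b4949be24250263934e260.patch
patching file raddb/radiusd.conf.in
Hunk #1 FAILED at 625.
Hunk #2 FAILED at 643.
2 out of 2 hunks FAILED
patching file src/include/libradius.h
Hunk #1 succeeded at 942 (offset -28 lines).
patching file src/include/clients.h
Reversed (or previously applied) patch detected!  Skipping patch.
2 out of 2 hunks ignored
patching file src/main/client.c
Hunk #1 succeeded at 489 (offset -2 lines).
Hunk #2 FAILED at 515.
Hunk #3 succeeded at 904 (offset -16 lines).
1 out of 3 hunks FAILED
EOF
}

# Offline demo on the constructed sample. The real run, in an unpacked Debian
# source tree with the upstream commit fetched as <commit>.patch from GitHub:
#   patch --dry-run -p1 < 0947439f.patch | summarize_patch_output
#   dependency_candidates release_3_2_1 0947439f2569d2b8c2b4949be24250263934e260 \
#       $(patch --dry-run -p1 < 0947439f.patch | failed_files)
sample_patch_output | summarize_patch_output
```

On the sample the script reports raddb/radiusd.conf.in and src/main/client.c as the files with failed hunks, counts the reversed clients.h hunks as ignored rather than failed, and only knows about the one libradius.h hunk because it printed an offset; a file that applied with no output at all would show up with a hunk count of 0, so the TOTAL line is a lower bound on the hunks that applied, never on the ones that failed.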
