On 12.07.24 at 13:34, Herwin Weststrate wrote:

Dear Herwin,

FreeRADIUS 3.2.5 has just been released, which includes some security
fixes for BlastRADIUS: a vulnerability with a name and a website[0] and
a logo (hadn't seen one of those in a while).

[...]


Given that the freeradius codebase is really complicated I'm not entirely
sure whether we can do this (_I_ can't), or ask the security team for a
newer upstream version in stable.

I looked a bit deeper into it: there was a lot more needed than just
these two commits. Pretty much every commit of July 8 was relevant.

Thanks a lot for checking this out.

I have not yet tested the proxy settings, it takes a while to set that
up and I would first like to know if there is a chance that this patch
set will be accepted, if it gets rejected right away for whatever reason
I'd rather save myself the trouble.

> All the commits have been cherry-picked in order from the upstream
> changes, so a code review can compare these commits side by side.

I'm open to it, but ultimately it's up to the security team to decide. We can either go for this 100k patch cherry-picked from upstream, or ask for 3.2.5 in stable. Or ignore it, which is in my opinion still on the table (I don't consider BlastRADIUS that bad, but it has a website and a logo so ...)

@Security Team: What do you think? Herwin did a spectacular job here already and I can also offer to get it some life testing in a production environment, but in the end we would have to jump into very cold waters.

Bernhard