Bug#1120927: marked as done (freeradius: Segmentation fault with 3-chain certificate)

Sat, 20 Dec 2025 05:57:57 -0800 

Your message dated Sat, 20 Dec 2025 13:17:12 +0000
with message-id <[email protected]>
and subject line Bug#1120927: fixed in freeradius 3.2.7+dfsg-1+deb13u2
has caused the Debian Bug report #1120927,
regarding freeradius: Segmentation fault with 3-chain certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1120927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: freeradius
Version: 3.2.7+dfsg-1+deb13u1
Severity: serious

Dear Maintainer,

Our setup is working fine, with a Sectigo DV certificate chain in
/etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
Radsec setup (so private_key_file and certificate_file are set in
3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).

Today, I had to update that certificate (which is close to expiring), moving
from this chain:

* certificate
* Sectigo ECC Domain Validation Secure Server CA
* USERTrust ECC Certification Authority

to this chain:

* certificate
* Sectigo Public Server Authentication CA DV E36
* Sectigo Public Server Authentication Root E46
* USERTrust ECC Certification Authority

… and it now segfaults whenever we try to access the radius-to-radsec proxy.

In other words, the fullchain.pem which before contained 2 certificates (the
certificate and 1 intermediary), now contains 3 certificates (the certificate,
and 2 intermediaries), and with this the server segfaults.

I have not yet managed to extract a stacktrace or a core dump, I would be all
ears to get this solved.

Best,
OdyX

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.41+deb13-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeradius depends on:
ii  freeradius-common  3.2.7+dfsg-1+deb13u1
ii  freeradius-config  3.2.7+dfsg-1+deb13u1
ii  libc6              2.41-12
ii  libcrypt1          1:4.4.38-1
ii  libct4             1.3.17+ds-2+deb13u1
ii  libfreeradius3     3.2.7+dfsg-1+deb13u1
ii  libgdbm6t64        1.24-2
ii  libjson-c5         0.18+ds-1
ii  libpam0g           1.7.0-5
ii  libperl5.40        5.40.1-6
ii  libreadline8t64    8.2-6
ii  libsqlite3-0       3.46.1-7
ii  libssl3t64         3.5.4-1~deb13u1
ii  libsystemd0        257.9-1~deb13u1
ii  libtalloc2         2:2.4.3+samba4.22.6+dfsg-0+deb13u1
ii  libwbclient0       2:4.22.6+dfsg-0+deb13u1
ii  perl               5.40.1-6

Versions of packages freeradius recommends:
ii  freeradius-utils  3.2.7+dfsg-1+deb13u1

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        3.2.7+dfsg-1+deb13u1
pn  freeradius-mysql       <none>
pn  freeradius-postgresql  <none>
pn  freeradius-python3     <none>
pn  snmp                   <none>

--- End Message ---
--- Begin Message --- 
Source: freeradius
Source-Version: 3.2.7+dfsg-1+deb13u2
Done: Bernhard Schmidt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Dec 2025 21:56:45 +0100
Source: freeradius
Architecture: source
Version: 3.2.7+dfsg-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Debian FreeRADIUS Packaging Team 
<[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 1120927
Changes:
 freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium
 .
   [ Didier Raboud ]
   * Backport patch to fix segfaults on TLS connections with more than one
     intermediate certificate (Closes: #1120927)
 .
   [ Bernhard Schmidt ]
   * Add d/gbp.conf for Trixie branch
Checksums-Sha1:
 21dd68fc2dd6e2c130e40276ce613b23ea047075 3646 
freeradius_3.2.7+dfsg-1+deb13u2.dsc
 7b81e3f029e850a78bd44e6d8356287b0d059d57 58504 
freeradius_3.2.7+dfsg-1+deb13u2.debian.tar.xz
 9c406ec643909e7c6582418bf31cfbd4582032bd 20296 
freeradius_3.2.7+dfsg-1+deb13u2_amd64.buildinfo
Checksums-Sha256:
 000b0eb794d45fca2790269279ac1c7315f981f57c5ba0c2c73a8c5941827fd2 3646 
freeradius_3.2.7+dfsg-1+deb13u2.dsc
 65ed301dcf0f1bfc08d526da9ece8816edef33ba8b4fd7296fb7efcd6974e17b 58504 
freeradius_3.2.7+dfsg-1+deb13u2.debian.tar.xz
 cfe815749db610f0f7ff7b7c7106469d3f6b8682f4a76b138e4c281bb02e3732 20296 
freeradius_3.2.7+dfsg-1+deb13u2_amd64.buildinfo
Files:
 933ef3efc396a66fa46f733403b83a50 3646 net optional 
freeradius_3.2.7+dfsg-1+deb13u2.dsc
 a23e24c4a92e4f3a205297a2ef28858e 58504 net optional 
freeradius_3.2.7+dfsg-1+deb13u2.debian.tar.xz
 7b363f6626abae2df44f265f8e9676f6 20296 net optional 
freeradius_3.2.7+dfsg-1+deb13u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAmk0oXsRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJP5zg/7BxGjk7FNTH7KRU/jlC3fDaqbGjFUZY0D
6BkEG8l8oWjMu+yUcjLMcNRp9/Dsg3ooEpsiHv0hMohzB+PSGc0JfrMIkfY1ZQf6
Ylp2LaD1sToG9cNUkRdl15U4ELcxivwcsJTdxTIChuUMVwFwpwlLuD4TQ7m2PnLA
M6mPE2kEENxfqc05XznPemLT6p81mZI9qjMLg1UU2UXN40lw8fcGZsRRETI6+5et
xyWkSq+TIOWyHz2hyK5g5JGUPfkuMobOec7J5YRilAXvDz7yZJKiiFiHWbJvb5SZ
uGJhxHd13OjJdx2MQdHPmZ4RIrsc7d6z5kYkdQqnXR2FrT6DDVdq3WY2LArldfC3
r4nIWjC/b81zoZL4USM0mLAU5RsaeAOm29VrIfZFhvK3NDsYNMFsAcNJaWISTrKs
FwO9CfRQUUDztNbfAQItBBA4zn6+1NAwVBdmK4GInPlDjYVvCzfkQ6+O+xhViFgg
oRbgmxAsJK2HnExpAzzeWFg+QMsCNtr8u/yI0W0U9n4cVJirkACQp37baaxYD2mc
4OlEwTS5y5N7X3XWuCrF97+a6bzSUWcPWCBjMMMWKa2iIaHT2WRjwPZar29UinU/
bMefsiW6C5FvlE+2LumNy9Ei5Wc6nJNgAXmDl7VX92tl2JFBEY56PvyQRdGiQfnC
wu0p8yeLy6w=
=PLYB
-----END PGP SIGNATURE-----

Attachment: pgp0UmY8_Y_KS.pgp
Description: PGP signature


--- End Message ---

Reply via email to