On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote:
> On Wed, Nov 12, 2003 at 08:03:28AM +1100, Paul Hampson wrote:
> > On Tue, Nov 11, 2003 at 02:02:49PM -0500, Matt Zimmerman wrote:
> > > This thing is packed full of strcpy() and strcat(), which is the sort of
> > > sloppiness that I don't like to see in a network server. It was a great
> > > blessing to find that we weren't shipping this in woody when the last batch
> > > of security problems was discovered.
> >
> > Have mercy...
>
> Well, then don't use it. :-)
>
> If it makes it back into Debian, I end up having to support it whether I use
> it personally or not.
*blink* Oh, Security Team. :-) Well, I'll do what I can to make sure it never
worries you.

> > I am however curious about this "last batch of security problems"? Can you
> > point me at that?
>
> CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories
> from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc. These affected multiple
> RADIUS implementations, of which FreeRADIUS was one, and required large
> quantities of problematic code to be patched.

Last Spring? December 2001/March 2002? And I thought my sense of time/space
was poor. :-) [1]

The fixed FreeRADIUS was out December 2001 [2], 6 days before the vendor
notifications came out. These both came from an audit of FreeRADIUS.

To be frank, the general advice you'd get from the FreeRADIUS mailing list is
"keep untrusted IP addresses away from your RADIUS server". Both by FreeRADIUS
configuration and firewall/TLS/VPN/RFC1918/whatever.

Hmm, we have cistron as well, don't we? _And_ xtradius. I can see how you'd be
glad we didn't have _three_ cistron-derived RADIUS servers to do security
updates for...

[1] http://marc.theaimsgroup.com/?l=bugtraq&m=101537153021792&w=2
[2] http://www.freeradius.org/getting.html

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial use,
duplication and distribution.
-----------------------------------------------------------
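The thread's complaint about strcpy()/strcat() in a network server, and the CAN-2001-1376/1377 class of bugs where attacker-supplied attribute lengths were trusted, is illustrated below by an added example. It is not code from FreeRADIUS, cistron, xtradius or the thread: the attribute layout (Type, Length, Value, with Length counting its own two header octets so its minimum is 2) comes from RFC 2865, while the function names, VALUE_MAX, the error codes and the sample packets are constructed for this example. The sloppy copier is kept deliberately unsafe for comparison and is only ever handed an oversized buffer so the overrun can be measured rather than suffered.

```c
/*
 * Added example (not FreeRADIUS/cistron/xtradius code). A RADIUS-style
 * attribute copier that trusts the wire Length field, next to a version
 * that checks Length against the bytes actually received and the size
 * of the destination before touching memory.
 * Attribute layout per RFC 2865: Type (1 octet), Length (1 octet,
 * includes Type+Length, so >= 2), Value (Length-2 octets).
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define VALUE_MAX 32   /* assumed fixed-size destination a sloppy server might use */

enum { ATTR_OK = 0, ATTR_BAD_LENGTH = -1, ATTR_TRUNCATED = -2, ATTR_TOO_LONG = -3 };

/* Sloppy version: trusts attr[1] and knows nothing about dst's size.
 * Length < 2 makes vlen wrap to SIZE_MAX (memcpy reads far past the
 * packet); a long value overruns a small dst. Do not use; it is here
 * so the damage can be measured with an oversized dst.
 * Returns bytes written including the terminating NUL. */
size_t sloppy_attr_copy(const uint8_t *attr, char *dst)
{
    size_t vlen = (size_t)attr[1] - 2;   /* wraps when Length < 2 */
    memcpy(dst, attr + 2, vlen);
    dst[vlen] = '\0';
    return vlen + 1;
}

/* Checked version: validates Length against both the bytes left in the
 * packet and the destination size before copying.
 * Returns the value length, or a negative ATTR_* code. */
int checked_attr_copy(const uint8_t *pkt, size_t pkt_len, size_t off,
                      char *dst, size_t dst_size)
{
    if (off > pkt_len || pkt_len - off < 2)
        return ATTR_TRUNCATED;           /* no room for Type + Length */
    size_t len = pkt[off + 1];
    if (len < 2)
        return ATTR_BAD_LENGTH;          /* would wrap if subtracted blindly */
    if (len > pkt_len - off)
        return ATTR_TRUNCATED;           /* claims more bytes than received */
    size_t vlen = len - 2;
    if (vlen + 1 > dst_size)
        return ATTR_TOO_LONG;            /* value plus NUL does not fit */
    memcpy(dst, pkt + off + 2, vlen);
    dst[vlen] = '\0';
    return (int)vlen;
}

/* Walks every attribute in pkt with the checked copier. Returns the count
 * of well-formed attributes, or the first negative error code seen. */
int count_attrs(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 0;
    int n = 0;
    while (off < pkt_len) {
        char scratch[256];               /* 253-byte max value + NUL fits */
        int r = checked_attr_copy(pkt, pkt_len, off, scratch, sizeof scratch);
        if (r < 0)
            return r;
        off += (size_t)r + 2;
        n++;
    }
    return n;
}

/* Constructed sample packets (attribute lists only, no RADIUS header). */
static const uint8_t good_pkt[] = {
    1, 7, 'a', 'l', 'i', 'c', 'e',       /* User-Name "alice" */
    6, 6, 0, 0, 0, 2,                    /* Service-Type = Framed */
};
static const uint8_t short_len_pkt[] = { 1, 1 };            /* Length < 2 */
static const uint8_t truncated_pkt[] = { 1, 10, 'a', 'b' }; /* claims 8 value bytes, has 2 */

/* Builds the largest legal attribute: Type 1, Length 255, 253 bytes of 'A'. */
size_t build_max_attr(uint8_t *buf)
{
    buf[0] = 1;
    buf[1] = 255;
    memset(buf + 2, 'A', 253);
    return 255;
}

int main(void)
{
    uint8_t attr[255];
    char big[512];
    char small[VALUE_MAX];
    size_t n = build_max_attr(attr);

    printf("good packet: %d attributes\n", count_attrs(good_pkt, sizeof good_pkt));
    printf("Length<2 packet: %d\n", count_attrs(short_len_pkt, sizeof short_len_pkt));
    printf("truncated packet: %d\n", count_attrs(truncated_pkt, sizeof truncated_pkt));
    printf("sloppy copy wrote %zu bytes; a server might have sized dst at %d\n",
           sloppy_attr_copy(attr, big), VALUE_MAX);
    printf("checked copy into %d bytes returns %d (ATTR_TOO_LONG)\n",
           VALUE_MAX, checked_attr_copy(attr, n, 0, small, sizeof small));
    return 0;
}
```

The point of the checked version is that every decision is made from two numbers the server actually knows (bytes received, bytes of destination) rather than from a byte the peer chose; the same discipline applies to strcat() when building log lines or reply attributes from client data, where snprintf() with the remaining capacity replaces the unbounded append.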