On Wed, Nov 12, 2003 at 09:18:38AM +1100, Paul Hampson wrote:
> On Tue, Nov 11, 2003 at 04:30:50PM -0500, Matt Zimmerman wrote:
> > CAN-2001-1376 and CAN-2001-1377 made the rounds last Spring, with advisories
> > from Red Hat, FreeBSD, SuSE, Conectiva, CERT, etc. These affected multiple
> > RADIUS implementations, of which FreeRADIUS was one, and required large
> > quantities of problematic code to be patched.
>
> Last Spring? December 2001/March 2002? And I thought my sense of
> time/space was poor. :-) [1]

Spring of last year is when the vendor advisories were coming out to fix
these bugs. I don't recall which were about freeradius, cistron, etc. They
were a lot of the same bugs in many implementations, including freeradius.

> The fixed FreeRADIUS was out December 2001[2], 6 days before the vendor
> notifications came out.

A new release is nice enough for those who are installing from source and
want the latest features, but this:

  294 files changed, 13608 insertions(+), 2238 deletions(-)

is not acceptable for a security update.

> These both came from an audit of FreeRADIUS. To be frank, the general
> advice you'd get from the FreeRADIUS mailing list is "keep untrusted IP
> addresses" away from your RADIUS server. Both by FreeRADIUS configuration
> and firewall/TLS/VPN/RFC1918/whatever.

Properly filtering UDP traffic by source requires a level of features that
is generally lacking in low-end edge equipment like NAS boxes. If I recall
correctly, one of the two vulnerabilities mentioned above did not require
that the attacker know the shared secret, either, so I don't think that
security is something that a RADIUS implementation can punt on.

> Hmm, we have cistron as well, don't we? _And_ xtradius. I can see how
> you'd be glad we didn't have _three_ cistron-derived RADIUS servers to do
> security updates for...

We ship cistron, livingston/lucent, xtradius and yardradius in woody.
freeradius was in unstable until recently. I'm sure they all share at least
some code. I can't even remember whether xtradius was properly reviewed or
not.

Of course, we never heard from the maintainer, even in the year following
the disclosure of the bugs. This is exactly the kind of situation I don't
want going forward... there is so much neglected software in Debian that
bugs like these sometimes go unnoticed, or even if they are noticed, the
maintainer doesn't care enough about stable to let anyone know about it.

Maintainers are our first line of defense against security problems, and
usually the best informed about their status, and yet maintainers who
actively participate in the security update process represent a minority
(a valuable one).

--
 - mdz