Hello everyone, we have now done further testing and have verified that the OpenSSL vulnerability described in CVE-2014-0160 [1] affects Radiator too. Please see the CVE for more information about the vulnerability. The URL is below.
We strongly recommend that administrators update the OpenSSL installation Radiator uses to a version that is not vulnerable. To help with the OpenSSL update, we have identified a number of possibilities. Note: this list is not meant to be exhaustive.

With Linux and other Unix-type systems, the required OpenSSL update typically means applying the patches from the operating system provider. These patches are already available for many operating systems.

Windows ActivePerl and Strawberry Perl users should see what updates are available from these Perl providers.

An additional possibility on any system for updating OpenSSL to a non-vulnerable version is to locally compile a new version of OpenSSL. This may also require compiling Perl Net-SSLeay, which links to the OpenSSL libraries.

As an interim option, Windows ActivePerl and Strawberry Perl users may also consider the precompiled Net-SSLeay PPM modules OSC has previously made available. These modules come with OpenSSL 0.9.8, which is not vulnerable according to CVE-2014-0160. Net-SSLeay is often used by Radiator when SSL/TLS is needed, so this module will help to mitigate the vulnerability while all the vulnerable OpenSSL versions are being updated. We have tested the precompiled Net-SSLeay PPM modules with 32- and 64-bit ActivePerl and Strawberry Perl versions 5.16.3 and 5.14.4 and found them non-vulnerable. We have not tested with other Perl versions, but we believe the precompiled Net-SSLeay PPM modules for the other Perl versions are not vulnerable either.

The precompiled Net-SSLeay PPM modules are available from OSC's web site:
https://www.open.com.au/radiator/free-downloads/

Future Radiator versions will try to detect OpenSSL with this vulnerability, with an option to turn off the detection if required.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
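The post above recommends checking which OpenSSL both the system and the Perl Net-SSLeay module are linked against, and notes that Radiator will eventually detect the vulnerable version itself. The script below is an added example of that check, written for this page; it is not Radiator code and not anything OSC ships. It assumes the affected range stated in CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; the 0.9.8 and 1.0.0 branches have no TLS heartbeat code and are unaffected) and uses the real Net::SSLeay::SSLeay_version(0) call, which returns the same "OpenSSL x.y.zN date" string that `openssl version` prints. The version strings in the comments and test are constructed inputs. The function names heartbleed_status and check_host are this example's own.

```shell
#!/bin/sh
# heartbleed_check.sh: classify OpenSSL version strings against the
# CVE-2014-0160 (Heartbleed) affected range. Added example; not part of
# Radiator or anything OSC ships.
#
# Affected per the CVE: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Not affected: the 0.9.8 and 1.0.0 branches (no TLS heartbeat code),
# and 1.0.1g or later.

# heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"
# Prints one word: vulnerable, not-vulnerable or unknown.
# The input is the string printed by `openssl version` or returned by
# Net::SSLeay::SSLeay_version(0); the second word is the version.
heartbleed_status() {
    set -- $1                       # word-split the string; $2 is the version
    [ "$1" = "OpenSSL" ] || { echo unknown; return 0; }
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo vulnerable ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*)
            echo not-vulnerable ;;
        *)
            echo unknown ;;         # LibreSSL, odd vendor strings, etc.
    esac
}

# check_host: report on the OpenSSL the system binary and the Perl
# Net::SSLeay module are linked against. Radiator uses Net::SSLeay for
# TLS, so the second answer is the one that matters for it; the two can
# differ when Net::SSLeay was built against its own OpenSSL, as the
# OSC PPM modules mentioned in the post are.
check_host() {
    if command -v openssl >/dev/null 2>&1; then
        sysver=$(openssl version 2>/dev/null)
        printf 'system openssl : %s -> %s\n' "$sysver" "$(heartbleed_status "$sysver")"
    fi
    if perlver=$(perl -MNet::SSLeay -e 'print Net::SSLeay::SSLeay_version(0)' 2>/dev/null); then
        printf 'Net::SSLeay    : %s -> %s\n' "$perlver" "$(heartbleed_status "$perlver")"
    fi
    # A "vulnerable" verdict from the version string alone is a prompt to
    # look further, not a final answer: distribution vendors commonly
    # backport the fix without changing the version string, so confirm
    # against the package changelog for the installed OpenSSL.
}

# Only touch the live system when asked; the functions above are pure.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh heartbleed_check.sh --live` on the host that runs Radiator. The string check is deliberately conservative in the other direction too: a version it does not recognise is reported as unknown rather than guessed at, and a vendor-patched 1.0.1e will still show as vulnerable until you confirm the backport, which is the safer failure mode for a triage script.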