[Pkg-freeradius-maintainers] Bug#919236: Bug#919236: Inappropriately broad default CA for EAP configuration
Michael Stapelberg
stapelberg at debian.org
Mon Jan 14 07:31:27 GMT 2019
Can you send a patch please? It’s been like that since before I touched the
package.
On Sun, Jan 13, 2019 at 11:39 PM Sam Hartman <hartmans at debian.org> wrote:
> package: freeradius
> tags: security
> version: 3.0.17+dfsg-1
> severity: important
> justification: Inappropriately broad default authorization
>
> The Debian freeradius package changes the default eap configuration to
> use the default list of Debian certification authorities as the default
> CAs for verifying client certificates for incoming EAP connections.
>
> The package leaves the following notice in
> /etc/freeradius/3.0/mods-available/eap:
>
> # See also:
> #
> # http://www.dslreports.com/forum/remark,9286052~mode=flat
> #
> # Note that you should NOT use a globally known CA here!
> # e.g. using a Verisign cert as a "known CA" means that
> # ANYONE who has a certificate signed by them can
>
> And then proceeds to do something even worse: it sets the default CA to
> the entire list of Debian trusted CAs.
>
> As discussed by the freeradius docs, you want the default for EAP
> certificates to be an organization-specific CA.
>
> --Sam
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> Pkg-freeradius-maintainers at alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeradius-maintainers
>
--
Best regards,
Michael
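As an added illustration of the misconfiguration the report describes (not code from the bug report, the Debian package or FreeRADIUS), the check below parses the ca_file / ca_path settings of an eap module config and flags values that point at the distribution-wide trust store instead of an organization-specific CA. Assumptions: the trust-store paths in SYSTEM_TRUST_STORES, a simplified reading of FreeRADIUS's `key = value` / `${var}` syntax, and two constructed config fragments (the broad default and a fixed one) that are not the real Debian file.

```python
import re

# Assumption: these are the distribution-wide trust-store locations on Debian.
SYSTEM_TRUST_STORES = {"/etc/ssl/certs/ca-certificates.crt", "/etc/ssl/certs"}

def _expand(value, variables):
    """Expand FreeRADIUS-style ${name} references from assignments seen earlier."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)

def find_ca_settings(config_text):
    """Return {'ca_file': path, 'ca_path': path} found in an eap module config.

    Text after '#' is a comment and ignored; ${var} references are expanded
    from assignments earlier in the same text (e.g. cadir = ...).
    """
    variables, found = {}, {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r'(\w+)\s*=\s*"?([^"]*?)"?', line)
        if not m:
            continue
        key, value = m.group(1), _expand(m.group(2), variables)
        variables[key] = value
        if key in ("ca_file", "ca_path"):
            found[key] = value
    return found

def audit_eap_ca(config_text):
    """Return findings; an empty list means the CA setting is not a global bundle."""
    findings = []
    for key, path in find_ca_settings(config_text).items():
        if path in SYSTEM_TRUST_STORES or path.startswith("/etc/ssl/certs/"):
            findings.append(f"{key} = {path}: global trust store, so any client "
                            "certificate chaining to a public CA would be accepted")
    return findings

# Constructed samples (hypothetical, not the real Debian file).
WEAK_EAP_TLS = """
tls-config tls-common {
    certdir = /etc/freeradius/3.0/certs
    certificate_file = ${certdir}/server.pem
    ca_file = /etc/ssl/certs/ca-certificates.crt   # whole Debian CA bundle
}
"""
FIXED_EAP_TLS = """
tls-config tls-common {
    cadir = /etc/freeradius/3.0/certs
    ca_file = ${cadir}/ca.pem   # only the organization's own EAP CA
}
"""
```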