[Pkg-freeradius-maintainers] Bug#1076022: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS
Herwin Weststrate
debian at herwinw.nl
Tue Jul 9 17:15:33 BST 2024
Package: freeradius
Version: 3.2.1+dfsg-4+deb12u1

FreeRADIUS 3.2.5 has just been released, which includes some security
fixes for BlastRADIUS: a vulnerability with a name and a website[0] and
a logo (hadn't seen one of those in a while).

The FreeRADIUS security page[1] (scroll to "2024.07.09", there is no
anchor to link directly to the relevant article) describes some new
configuration options to resolve everything. Since this will be the
first thing people read, it would be nice to have those backported to
the Debian packages.

At first glance, it looks like this requires just two commits[2] [3] to
be cherry-picked, but there may be some hidden dependencies in previous
commits.

[0] https://www.blastradius.fail/
[1] https://www.freeradius.org/security/
[2] https://github.com/FreeRADIUS/freeradius-server/commit/0947439f2569d2b8c2b4949be24250263934e260
[3] https://github.com/FreeRADIUS/freeradius-server/commit/6616be90346beb6050446bd00c8ed5bca1b8ef29