[Pkg-freeradius-maintainers] Bug#1076022: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS
Bernhard Schmidt
berni at debian.org
Tue Jul 9 22:44:58 BST 2024
Control: tags -1 help security
On 09.07.24 at 18:15, Herwin Weststrate wrote:
> Package: freeradius
> Version: 3.2.1+dfsg-4+deb12u1
>
> FreeRADIUS 3.2.5 has just been released, which includes some security
> fixes for BlastRADIUS: a vulnerability with a name and a website[0] and
> a logo (hadn't seen one of those in a while).
>
> The FreeRADIUS security page[1] (scroll to "2024.07.09", there is no
> anchor to link directly to the relevant article) describes some new
> configuration options to resolve everything. Since this will be the
> first thing people read, it would be nice to have those backported to
> the Debian packages.
>
> At first glance, it looks like this requires just two commits[2] [3] to
> be cherry-picked, but there may be some hidden dependencies in previous
> commits.
> [2] https://github.com/FreeRADIUS/freeradius-server/commit/0947439f2569d2b8c2b4949be24250263934e260
> [3] https://github.com/FreeRADIUS/freeradius-server/commit/6616be90346beb6050446bd00c8ed5bca1b8ef29
I haven't looked closer yet, but the patches do not apply at all:
dpkg-source: info: applying 0947439f2569d2b8c2b4949be24250263934e260.patch
patching file raddb/radiusd.conf.in
Hunk #1 FAILED at 625.
Hunk #2 FAILED at 643.
2 out of 2 hunks FAILED
patching file src/include/clients.h
Hunk #2 FAILED at 52.
1 out of 2 hunks FAILED
patching file src/include/libradius.h
Hunk #1 FAILED at 411.
1 out of 1 hunk FAILED
patching file src/include/radiusd.h
Hunk #1 FAILED at 178.
Hunk #2 succeeded at 564 (offset -6 lines).
1 out of 2 hunks FAILED
patching file src/lib/radius.c
Hunk #1 succeeded at 2631 (offset -128 lines).
Hunk #2 FAILED at 2770.
Hunk #3 FAILED at 2790.
2 out of 3 hunks FAILED
patching file src/main/client.c
Hunk #1 succeeded at 489 (offset -2 lines).
Hunk #2 FAILED at 515.
Hunk #3 succeeded at 904 (offset -16 lines).
Hunk #4 succeeded at 914 (offset -16 lines).
Hunk #5 succeeded at 1173 (offset -30 lines).
1 out of 5 hunks FAILED
patching file src/main/listen.c
Hunk #1 succeeded at 508 (offset -22 lines).
Hunk #2 FAILED at 683.
Hunk #3 succeeded at 1763 (offset -271 lines).
Hunk #4 FAILED at 2109.
Hunk #5 succeeded at 1846 (offset -271 lines).
2 out of 5 hunks FAILED
patching file src/main/mainconfig.c
Hunk #2 FAILED at 88.
Hunk #3 FAILED at 164.
Hunk #4 succeeded at 849 (offset -24 lines).
Hunk #5 FAILED at 1173.
3 out of 5 hunks FAILED
dpkg-source: info: applying 6616be90346beb6050446bd00c8ed5bca1b8ef29.patch
patching file raddb/clients.conf
Hunk #1 FAILED at 137.
Hunk #2 FAILED at 152.
2 out of 2 hunks FAILED
patching file raddb/proxy.conf
Hunk #1 FAILED at 255.
1 out of 1 hunk FAILED
patching file raddb/radiusd.conf.in
Hunk #1 FAILED at 604.
Hunk #2 FAILED at 632.
Hunk #3 FAILED at 691.
3 out of 3 hunks FAILED
patching file src/include/clients.h
Reversed (or previously applied) patch detected! Skipping patch.
2 out of 2 hunks ignored
patching file src/include/libradius.h
Hunk #1 succeeded at 942 (offset -28 lines).
patching file src/include/radiusd.h
Hunk #1 FAILED at 176.
1 out of 1 hunk FAILED
patching file src/include/realms.h
Hunk #1 FAILED at 71.
1 out of 1 hunk FAILED
patching file src/main/client.c
Hunk #1 FAILED at 491.
Hunk #2 FAILED at 514.
Hunk #3 FAILED at 727.
Hunk #4 FAILED at 920.
Hunk #5 FAILED at 930.
Hunk #6 FAILED at 1203.
Hunk #7 succeeded at 1494 (offset -37 lines).
6 out of 7 hunks FAILED
patching file src/main/listen.c
Hunk #1 FAILED at 532.
Hunk #2 FAILED at 543.
Hunk #3 FAILED at 683.
Hunk #4 FAILED at 2114.
Hunk #5 FAILED at 2546.
5 out of 5 hunks FAILED
patching file src/main/mainconfig.c
Hunk #1 FAILED at 73.
Hunk #2 FAILED at 211.
Hunk #3 FAILED at 921.
Hunk #4 FAILED at 1225.
4 out of 4 hunks FAILED
patching file src/main/process.c
Hunk #1 FAILED at 2806.
Hunk #2 FAILED at 2823.
2 out of 2 hunks FAILED
patching file src/main/realms.c
Hunk #1 FAILED at 481.
Hunk #2 FAILED at 789.
2 out of 2 hunks FAILED
Even with fuzz, 80% of the hunks do not apply.
Given that the freeradius codebase is really complicated, I'm not
entirely sure whether we can do this (_I_ can't) or should ask the
security team for a newer upstream version in stable.
But I'll give 3.2.5 a go in unstable ASAP.
Bernhard
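As an added illustration of what the backport above is meant to deliver (this is not code from the thread or from FreeRADIUS itself): the upstream 3.2.5 option for clients is `require_message_authenticator`, which makes the server refuse Access-Request packets that do not carry a valid RFC 2869 Message-Authenticator attribute (type 80, HMAC-MD5 over the packet keyed with the shared secret). The script below builds Access-Request packets with and without the attribute, verifies the HMAC the way a server would, and shows how the legacy policy (attribute optional) differs from the hardened one (attribute required). The shared secret, identifier, User-Name and NAS-IP-Address values are constructed sample data; the attacker-side MD5 collision that BlastRADIUS relies on is not reproduced here.

```python
"""Added example: the on-the-wire check behind FreeRADIUS 3.2.5's
require_message_authenticator (RFC 2869 Message-Authenticator, type 80).
Illustrative code, not FreeRADIUS source. All packet contents are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + request authenticator(16)


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type / length / value (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, authenticator: bytes,
                         username: str, nas_ip: bytes,
                         with_message_authenticator: bool) -> bytes:
    """Build an Access-Request. If requested, append Message-Authenticator whose value is
    HMAC-MD5(secret, whole packet with the 16 MAC bytes zeroed), per RFC 2869 section 5.14."""
    attrs = _tlv(ATTR_USER_NAME, username.encode()) + _tlv(ATTR_NAS_IP_ADDRESS, nas_ip)
    if with_message_authenticator:
        attrs += _tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) \
        + authenticator + attrs
    if with_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the placeholder is the trailing 16 bytes
    return packet


def _iter_attrs(packet: bytes):
    """Yield (offset, type, value) for every attribute after the fixed header."""
    length = struct.unpack("!H", packet[2:4])[0]
    off = HEADER_LEN
    while off + 2 <= length:
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute")
        yield off, attr_type, packet[off + 2:off + attr_len]
        off += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and its HMAC-MD5 matches the secret."""
    for off, attr_type, value in _iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def accept_request(packet: bytes, secret: bytes, require_message_authenticator: bool):
    """Mimic the two server policies. Legacy (require=False) accepts a packet that lacks the
    attribute, which is what BlastRADIUS exploits; hardened (require=True) drops it.
    A present but wrong Message-Authenticator is rejected under either policy."""
    has_ma = any(t == ATTR_MESSAGE_AUTHENTICATOR for _, t, _ in _iter_attrs(packet))
    if not has_ma:
        if require_message_authenticator:
            return False, "rejected: no Message-Authenticator"
        return True, "accepted (legacy policy, unauthenticated request)"
    if not verify_message_authenticator(packet, secret):
        return False, "rejected: Message-Authenticator mismatch"
    return True, "accepted: Message-Authenticator verified"


if __name__ == "__main__":
    secret = b"testing123"                      # constructed sample shared secret
    req_auth = bytes(range(16))                 # constructed sample Request Authenticator
    good = build_access_request(secret, 7, req_auth, "alice", bytes([10, 0, 0, 1]), True)
    legacy = build_access_request(secret, 7, req_auth, "alice", bytes([10, 0, 0, 1]), False)
    tampered = good[:22] + b"b" + good[23:]     # flip the first byte of User-Name
    for name, pkt in (("signed", good), ("unsigned", legacy), ("tampered", tampered)):
        for policy in (False, True):
            print(name, "require_message_authenticator=%s" % ("yes" if policy else "no"),
                  accept_request(pkt, secret, policy)[1])
```

The point the check makes concrete: with the attribute absent, the only integrity protection on an Access-Request is none at all, and on the Access-Accept it is the MD5-based Response Authenticator that BlastRADIUS targets. Requiring the HMAC on every client request is what the new `clients.conf` option enforces, and the `limit_proxy_state` counterpart in the same release closes the proxy path. Turning either on without first confirming every NAS sends the attribute will cause rejected logins, so the upstream guidance is to audit with the setting off and then flip it.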