[Pkg-freeradius-maintainers] Bug#1077159: freeradius: Not backward compatible with eapol_test from bullseye

Bernhard Schmidt berni at debian.org
Fri Jul 26 09:39:58 BST 2024


Control: reassign -1 eapoltest
Control: found -1 2:2.10-8

> freeradius with openssl 3.0.13-1~deb12u1 cannot successfully communicate
> with eapol_test from bullseye (2:2.10-8~bpo11+2, openssl 1.1.1w-0+deb11u1).
> eapol_test is used by our monitoring system to verify the functionality
> of our freeradius services.
> 
> Server log shows the received Access-Request is handled and Access-Challenge
> is sent. However eapol_test simply ignores it and re-sends Access-Request
> packets again and again:

This sounds like a bug in eapoltest, not in Freeradius. Reassigning 
accordingly.

Note that the version in bullseye-backports is older than the one in 
bookworm it should be based on. The version in bullseye-backports is missing 
these fixes from bookworm (stable). Some of those sound related.

I'm not sure whether bullseye-backports is still updateable, if yes it 
might be a good idea to backport the current stable-security version.

wpa (2:2.10-12+deb12u1) bookworm; urgency=high

   * Non-maintainer upload on behalf of the Security Team.
   * Fix CVE-2023-52160 (Closes: #1064061):
     The implementation of PEAP in wpa_supplicant allows
     authentication bypass. For a successful attack,
     wpa_supplicant must be configured to not verify
     the network's TLS certificate during Phase 1
     authentication, and an eap_peap_decrypt vulnerability
     can then be abused to skip Phase 2 authentication.
     The attack vector is sending an EAP-TLV Success packet
     instead of starting Phase 2. This allows an adversary
     to impersonate Enterprise Wi-Fi networks.

  -- Bastien Roucariès <rouca at debian.org>  Tue, 30 Apr 2024 22:45:18 +0000

wpa (2:2.10-12) unstable; urgency=medium

   * Prevent hostapd units from being started if there’s
     no config provided (Closes: #1028088).
   * hostapd: Enable 802.11ax support (Closes: #1013732).

  -- Andrej Shadura <andrewsh at debian.org>  Fri, 24 Feb 2023 14:01:35 +0100

wpa (2:2.10-11) unstable; urgency=medium

   * Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
     (Closes: #1011121, LP: #1958267)
   * Drop dependency on lsb-base.

  -- Andrej Shadura <andrewsh at debian.org>  Tue, 31 Jan 2023 12:58:02 +0100

wpa (2:2.10-10) unstable; urgency=medium

   * Configure wpa_supplicant.service to create control sockets owned by
     group netdev (Closes: #1012844)

  -- Andrej Shadura <andrewsh at debian.org>  Wed, 21 Dec 2022 10:03:29 +0100

wpa (2:2.10-9) unstable; urgency=medium

   [ Sebastien Bacher ]
   * debian/patches/allow-legacy-renegotiation.patch:
     Allow legacy renegotiation to fix PEAP issues with some servers
     (Closes: #1010603, LP: #1962541)

  -- Andrej Shadura <andrewsh at debian.org>  Thu, 05 May 2022 11:23:33 +0100

> Tcpdump shows the Access-Challenge packet is indeed delivered to the client.
> If the same configuration (both on server and eapol_test sides) is tested
> with eapoltest from bookworm (2:2.10-12+deb12u1, openssl 3.0.13-1~deb12u1),
> it is successful.
> 
> The issue is critical because possibly all clients with openssl 1.1.1w-0+deb11u1
> might be affected.

We can't rule that out, but we haven't heard of any reports.

Bernhard
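The CVE-2023-52160 changelog entry quoted above names the precondition for the PEAP bypass: the supplicant is configured not to verify the server's TLS certificate in Phase 1. The following is an added example, not part of the bug report or the Debian changelog, showing a PEAP network block in the wpa_supplicant.conf format (which eapol_test also reads via `-c`) in that weak form and in a hardened form. The SSID, identity, password, CA path and server name are constructed placeholders.

```conf
# Added example (not from the bug report or the Debian changelog):
# PEAP network blocks in wpa_supplicant.conf / eapol_test format.
# All names, paths and credentials below are constructed placeholders.

# Weak: no ca_cert, so Phase 1 (TLS) accepts any server certificate and
# the precondition described for CVE-2023-52160 is met.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="example-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the issuing CA and the server's certificate name so an
# impersonating server is rejected in Phase 1 instead of reaching Phase 2.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="example-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

In a real file only one of the two blocks would be present. A simple check for a monitoring setup like the one in the report is to run eapol_test with the hardened block against a server presenting a certificate from a different CA: the run should fail during the TLS handshake rather than succeed, which confirms that the certificate check is actually in effect on the client.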
