[Pkg-freeradius-maintainers] Bug#1076022: Additional patch for bullseye's FreeRADIUS (was: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS)

Bernhard Schmidt berni at debian.org
Fri Aug 23 12:53:38 BST 2024


On 22/08/24 08:36 PM, Bernhard Schmidt wrote:

> FTR, I've tested the binaries on our radius setup today and they worked as
> expected.

Unfortunately I'm still lacking time, but today I had two unexpected
consequences. 

A clients.conf entry spanning large subnets was upgraded automatically
from require_message_authenticator auto -> yes due to the first packet
being received. Consequently, messages from another RADIUS client within
the same clients.conf entry were dropped silently.

So far as expected, but I would have assumed FreeRADIUS to log an error
when a request without Message-Authenticator attribute comes in and it
is (auto-)configured to expect one. But I did not see anything. Is this
correct?

Another thing to watch out for, although I would not want it to be in the
official changelog/news: Checkpoint Firewalls are known to be broken by
FreeRADIUS returning a Message-Authenticator attribute, see
https://support.checkpoint.com/results/sk/sk42184 . Apparently there is
an internal workaround available, but only to paying users.

I could not find a quick way to disable FreeRADIUS always _sending_ the
Message-Authenticator header.

All of that only quickly tested on the Bullseye package, I had no time
yet to dig deeper.

Bernhard
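As an added illustration of the behaviour reported above (a constructed clients.conf fragment, not from this post or from the Debian package), the first block shows the risky shape: one broad entry with `require_message_authenticator = auto`, where the auto decision is made once for the whole block. The second shows the same devices scoped per client so each one is judged on its own traffic. Subnet, hostnames and secrets are placeholders.

```conf
# --- Risky: one entry for a whole subnet, auto tracked per *block* ---
# The first host in 192.0.2.0/24 that sends Message-Authenticator flips
# this block from auto -> yes. Every other host in the /24 that does not
# send the attribute is then rejected, and the post reports no log line.
client lab-subnet {
    ipaddr                        = 192.0.2.0/24      # constructed
    secret                        = CHANGE_ME_SUBNET  # placeholder
    require_message_authenticator = auto
}

# --- Safer: one entry per RADIUS client, so auto is decided per device ---
# A client known to send Message-Authenticator gets an explicit "yes";
# a legacy device that cannot send it gets its own block, so it is not
# dragged along by a neighbour's upgrade decision.
client nas-01 {
    ipaddr                        = 192.0.2.10        # constructed
    secret                        = CHANGE_ME_NAS01   # placeholder
    require_message_authenticator = yes
}

client legacy-switch-07 {
    ipaddr                        = 192.0.2.77        # constructed
    secret                        = CHANGE_ME_SW07    # placeholder
    # auto is still the right default here: it becomes "yes" on its own
    # once this device starts sending the attribute after a firmware update.
    require_message_authenticator = auto
}
```

Run `radiusd -XC` (configuration check only) after editing to confirm the file still parses before restarting the daemon.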