Bug#976991: Bug#1089629: Freeradius memory leak after upgrade to Debian 12

ATIC Sistemas Rede atic.sistemas.rede at usc.gal
Mon Feb 3 08:14:19 GMT 2025


Hi,

On January 14th, we installed freeradius 3.2.6 in the production environment.
During these three weeks, the freeradius service operated normally with no issues. Memory usage was stable around 100MB.
Before applying the backport, within three weeks, memory usage could reach 1500MB.
We'll install the backport on all freeradius servers and will wait for the Debian trixie full-upgrade.

Thanks.


On 8/1/25 at 22:45, Bernhard Schmidt wrote:
> Control: affects 976991 src:freeradius
>
> On 08.01.25 at 13:04, ATIC Sistemas Rede wrote:
>
> Hi,
>
>> We've tested with freeradius 3.2.6 in preproduction environment.
>> We've installed these packages from bookworm-backports target release (*).
>> In debug mode (freeradius -X) we could see several warnings like this (**).
>> Authentication EAP-TTLS-PAP seems to work fine.
>> We could make an effort and test in production next week.
>> The memory issue manifests after several weeks; we need a guarantee of
>> proper functionality during this time.
>> The warning seems serious. Could you give us any advice about this?
>>
>>
>> (**)
>>
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
>> !! There may be random issues with TLS connections due to this conflict.
>> !! The server may also crash.
>> !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> I never noticed it myself (not using rlm_ldap), but it seems like an old
> issue (maybe the warning is new). You can find bugs from 2020 against
> openldap asking for building against openssl specifically due to
> FreeRADIUS warnings.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976991
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000821
>
> However, I'm not aware of any bug report due to this, and
> https://wiki.freeradius.org/modules/Rlm_ldap#errors-with-ldap-over-tls-connections
> is about building LDAP with Mozilla NSS, not with GnuTLS.
>
> I guess switching openldap to openssl is too late before Trixie,
> especially since it may as well affect other openldap reverse
> dependencies that use GnuTLS.
>
> I guess you will have to try it.
>
> Bernhard

-- 
Subdirección de Infraestruturas - Sistemas de rede
Área de Tecnoloxías da Información e Comunicacións

Universidade de Santiago de Compostela
15782 Santiago de Compostela
http://www.usc.es/atic/sistemas


