freeradius2 2.2.5 refuses to start when built against patched base openssl 1.0.1e

Dr. Peter Voigt pvoigt at uos.de
Sat May 17 01:00:23 UTC 2014


On Sat, 17 May 2014 02:09:07 +0200,
"Dr. Peter Voigt" <pvoigt at uos.de> wrote:

> I have just noticed that my freeradius2 2.2.5 server refuses to start
> with the following message:
> 
> radiusd: Refusing to start with libssl version OpenSSL 1.0.1e-freebsd
> 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160
> (Heartbleed)
> radiusd: For more information see http://heartbleed.com
> 
> My freeradius2 package is built against the openssl version of the
> base system:
> 
> # openssl version
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
> 
> The base openssl version did not change after applying the various
> security patches, where "FreeBSD Security Advisory
> FreeBSD-SA-14:06.openssl" in particular solved the heartbleed issue:
> 
> # uname -r
> 10.0-RELEASE-p3
> 
> So how can I tell freeradius2 that it is built against a Heartbleed
> safe, e.g. patched, openssl version in spite of the low version
> number?
> 
> Regards,
> Peter

Well, I just found the solution after studying the freeradius
changelog:

FreeRADIUS 2.2.5 Monday 28 Apr 2014 15:20:00 EDT, urgency=medium
 ...
 * Forbid running with vulnerable versions of OpenSSL.
   See "allow_vulnerable_openssl" in the "security"
   subsection of "radiusd.conf"
 ...

My radius server is now starting again. Sorry for the noise but I used
portmaster to upgrade from version 2.2.4 and this usually deletes the
sources including the changelog. And my radiusd.conf remained untouched
with no hint to the new available switch.

Regards,
Peter
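As an added illustration (not FreeRADIUS code, and simplified relative to its real check), a small Python model of the version-string test behind that start-up message. It shows why FreeBSD's backport-patched 1.0.1e still falls inside the "1.0.1 - 1.0.1f" range and how the allow_vulnerable_openssl override changes the decision; the extra version strings are constructed for comparison.

```python
import re
from typing import Optional, Tuple

# Constructed inputs: the string quoted in the post plus a few neighbours.
VERSION_STRINGS = [
    "OpenSSL 1.0.1e-freebsd 11 Feb 2013",   # from the post: patched, but looks vulnerable
    "OpenSSL 1.0.1f 6 Jan 2014",            # last upstream release without the fix
    "OpenSSL 1.0.1g 7 Apr 2014",            # first upstream release with the fix
    "OpenSSL 1.0.0l 6 Jan 2014",            # branch never affected
]

# Vulnerable range named in radiusd's message: 1.0.1 through 1.0.1f inclusive,
# encoded as (major, minor, fix, patch-letter index); no letter counts as 0.
HEARTBLEED_RANGE = ((1, 0, 1, 0), (1, 0, 1, 6))

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'OpenSSL 1.0.1e-freebsd 11 Feb 2013' into (1, 0, 1, 5).
    The vendor suffix ('-freebsd') is ignored, which is exactly why a fix
    backported without a version bump is invisible to this kind of check."""
    m = _VERSION_RE.match(s)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def looks_vulnerable(s: str) -> bool:
    """True if the version string falls inside the CVE-2014-0160 range."""
    v = parse_openssl_version(s)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL version string: {s!r}")
    lo, hi = HEARTBLEED_RANGE
    return lo <= v <= hi


def would_start(s: str, allow_vulnerable_openssl: bool = False) -> bool:
    """Model of the start-up decision: refuse on a vulnerable-looking libssl
    unless the operator has explicitly set allow_vulnerable_openssl."""
    return allow_vulnerable_openssl or not looks_vulnerable(s)


if __name__ == "__main__":
    for s in VERSION_STRINGS:
        print(f"{s:38s} in range: {looks_vulnerable(s)!s:5s} "
              f"starts by default: {would_start(s)}")
```

The override only silences the range test; whether the installed libssl really carries the fix has to be confirmed from the OS side, e.g. by checking that the FreeBSD-SA-14:06.openssl patch level (10.0-RELEASE-p3 here) is applied.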
