Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package freeradius The new upload addresses a security issue: CVE-2017-9148, #863673 % debdiff freeradius_3.0.12+dfsg-4.dsc freeradius_3.0.12+dfsg-5.dsc dpkg-source: warning: extracting unsigned source package (/home/michael/d/out/freeradius/freeradius_3.0.12+dfsg-4.dsc) diff -Nru freeradius-3.0.12+dfsg/debian/changelog freeradius-3.0.12+dfsg/debian/changelog --- freeradius-3.0.12+dfsg/debian/changelog 2016-11-17 22:29:04.000000000 +0100 +++ freeradius-3.0.12+dfsg/debian/changelog 2017-05-30 17:18:34.000000000 +0200 @@ -1,3 +1,9 @@ +freeradius (3.0.12+dfsg-5) unstable; urgency=high + + * disable session cache to address CVE-2017-9148 (closes: #863673) + + -- Michael Stapelberg <stapelb...@debian.org> Tue, 30 May 2017 17:18:34 +0200 + freeradius (3.0.12+dfsg-4) unstable; urgency=medium * fix openssl-1.1.diff: initialize ctx_out diff -Nru freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch --- freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch 1970-01-01 01:00:00.000000000 +0100 +++ freeradius-3.0.12+dfsg/debian/patches/disable-session-cache-CVE-2017-9148.patch 2017-05-30 17:18:34.000000000 +0200 
@@ -0,0 +1,49 @@ +Description: disable session caching in the server (as opposed to in the + config, which would be way harder to get right) to address + https://security-tracker.debian.org/tracker/CVE-2017-9148 +Author: Michael Stapelberg <stapelb...@debian.org> +Forwarded: not-needed +Last-Update: 2017-05-30 + +--- + +Index: freeradius/src/main/tls.c +=================================================================== +--- freeradius.orig/src/main/tls.c ++++ freeradius/src/main/tls.c +@@ -579,7 +579,7 @@ tls_session_t *tls_new_session(TALLOC_CT + * + * FIXME: Also do it every N sessions? + */ +- if (conf->session_cache_enable && ++ if (/*conf->session_cache_enable*/0 && + ((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) <= request->timestamp)){ + RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(conf->ctx)); + +@@ -674,7 +674,7 @@ tls_session_t *tls_new_session(TALLOC_CT + state->mtu = vp->vp_integer; + } + +- if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */ ++ if (/*conf->session_cache_enable*/0) state->allow_session_resumption = true; /* otherwise it's false */ + + return state; + } +@@ -2848,7 +2848,7 @@ post_ca: + /* + * Callbacks, etc. for session resumption. + */ +- if (conf->session_cache_enable) { ++ if (/*conf->session_cache_enable*/0) { + /* + * Cache sessions on disk if requested. + */ +@@ -2916,7 +2916,7 @@ post_ca: + /* + * Setup session caching + */ +- if (conf->session_cache_enable) { ++ if (/*conf->session_cache_enable*/0) { + /* + * Create a unique context Id per EAP-TLS configuration. + */ diff -Nru freeradius-3.0.12+dfsg/debian/patches/series freeradius-3.0.12+dfsg/debian/patches/series --- freeradius-3.0.12+dfsg/debian/patches/series 2016-11-17 22:29:04.000000000 +0100 +++ freeradius-3.0.12+dfsg/debian/patches/series 2017-05-30 17:18:34.000000000 +0200 
@@ -1,3 +1,4 @@ +disable-session-cache-CVE-2017-9148.patch debian-local/0001-Rename-radius-to-freeradius.patch 0002-gitignore.diff.patch 0006-jradius.diff.patch unblock freeradius/3.0.12+dfsg-5 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386, armel, mipsel, arm64 Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
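Review bot: the changelog entry `* disable session cache to address CVE-2017-9148 (closes: #863673)` does not tell administrators that this is a behaviour change rather than a pure bug fix: after this upload the server ignores whatever the EAP-TLS session cache setting in the configuration says, so deployments that enabled resumption for performance silently lose it. Spell that out in the entry (for example, "session resumption is now always disabled regardless of the cache setting in the EAP configuration") so it shows up in apt-listchanges and the release notes.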
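Review bot: the four tls.c hunks all neuter the same flag at its use sites by rewriting `if (conf->session_cache_enable` to `if (/*conf->session_cache_enable*/0`, which only covers the readers of that flag that this patch happens to touch; any other code path that consults `conf->session_cache_enable` (or acts on the cache section of the parsed config) stays enabled. Forcing the flag off once, at the point where the configuration is parsed, with a log line saying the setting is ignored because of CVE-2017-9148, would cover every reader in one place and tell the admin why their setting has no effect. As a style point, the commented-out expression followed by a literal `0` leaves the second operand of the `&&` in the first hunk as dead code that compilers may warn about; a named constant or a short comment stating the reason would read better than `/*conf->session_cache_enable*/0`.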
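Review bot: `disable-session-cache-CVE-2017-9148.patch` is prepended to `debian/patches/series` rather than appended, so it is applied before every existing patch. If `openssl-1.1.diff`, mentioned in the 3.0.12+dfsg-4 changelog entry, also modifies `src/main/tls.c`, applying the new patch first changes the context those later hunks are applied against and risks fuzz or rejects; the usual convention for a targeted security fix on top of an existing stack is to add it at the end of the series, where it has been tested against the already-patched source.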