Can you send a patch please? It’s been like that since before I touched the package.
On Sun, Jan 13, 2019 at 11:39 PM Sam Hartman <hartm...@debian.org> wrote:
> package: freeradius
> tags: security
> version: 3.0.17+dfsg-1
> severity: important
> justification: Inappropriately broad default authorization
>
> The Debian freeradius package changes the default eap configuration to
> use the default list of Debian certification authorities as the default
> CAs for verifying client certificates for incoming EAP connections.
>
> The package leaves the following notice in
> /etc/freeradius/3.0/mods-available/eap:
>
> # See also:
> #
> # http://www.dslreports.com/forum/remark,9286052~mode=flat
> #
> # Note that you should NOT use a globally known CA here!
> # e.g. using a Verisign cert as a "known CA" means that
> # ANYONE who has a certificate signed by them can
>
> And then proceeds to do something even worse: it sets the default CA to
> the entire list of Debian trusted CAs.
>
> As discussed by the freeradius docs, you want the default for EAP
> certificates to be an organization-specific CA.
>
> --Sam
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeradius-maintainers

-- 
Best regards,
Michael
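The report above is about which trust anchor the eap module uses for EAP-TLS client certificates. The script below is an added example, not code from the Debian package or from anyone in this thread: it reads a FreeRADIUS 3.0 eap module file, resolves the effective `ca_file` (or `ca_path`) after expanding `${cadir}` and `${certdir}`, and flags the configuration when that anchor is the system-wide bundle. It assumes the Debian bundle lives at /etc/ssl/certs/ca-certificates.crt and that the directives sit in the eap file itself (it does not follow `$INCLUDE`); the two sample configs it checks are constructed for the demonstration, not the package's real defaults.

```shell
#!/bin/sh
# Added example (not from the Debian freeradius package or the list thread):
# detect an eap module file whose EAP-TLS trust anchor is the system CA
# bundle rather than an organisation-specific CA.
# Assumptions (not stated in the thread): the Debian bundle path below, and
# that ca_file / ca_path / cadir / certdir appear in the file being checked.

SYSTEM_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
SYSTEM_CA_DIR=/etc/ssl/certs

# cfg_value FILE KEY: print the first uncommented "KEY = value" in FILE,
# with any trailing comment, surrounding quotes and whitespace stripped.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//' |
        head -n 1
}

# eap_trust_anchor FILE: print the effective ca_file (preferred) or ca_path,
# expanding ${cadir} and ${certdir} when FILE defines them.
eap_trust_anchor() {
    cfg="$1"
    certdir=$(cfg_value "$cfg" certdir)
    cadir=$(cfg_value "$cfg" cadir)
    anchor=$(cfg_value "$cfg" ca_file)
    [ -n "$anchor" ] || anchor=$(cfg_value "$cfg" ca_path)
    # cadir is commonly defined as ${certdir}, so expand that first
    cadir=$(printf '%s\n' "$cadir" | sed "s|\${certdir}|$certdir|g")
    printf '%s\n' "$anchor" | sed "s|\${cadir}|$cadir|g; s|\${certdir}|$certdir|g"
}

# eap_uses_system_ca FILE: exit 0 when the trust anchor is the system bundle
# or system cert directory, i.e. a client cert from any publicly trusted CA
# would pass EAP-TLS verification.
eap_uses_system_ca() {
    anchor=$(eap_trust_anchor "$1")
    case "$anchor" in
        "$SYSTEM_CA_BUNDLE"|"$SYSTEM_CA_DIR"|"$SYSTEM_CA_DIR"/) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs (not the real Debian file) for a stand-alone run.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BAD_CFG="$WORK/eap-system-bundle"
GOOD_CFG="$WORK/eap-org-ca"

cat > "$BAD_CFG" <<'EOF'
eap {
    tls-config tls-common {
        private_key_file = /etc/freeradius/3.0/certs/server.pem
        certificate_file = /etc/freeradius/3.0/certs/server.pem
        # Note that you should NOT use a globally known CA here!
        ca_file = /etc/ssl/certs/ca-certificates.crt   # every Debian-trusted CA
    }
}
EOF

cat > "$GOOD_CFG" <<'EOF'
eap {
    tls-config tls-common {
        certdir = /etc/freeradius/3.0/certs
        cadir = ${certdir}
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem   # organisation-specific CA only
    }
}
EOF

for f in "$BAD_CFG" "$GOOD_CFG"; do
    if eap_uses_system_ca "$f"; then
        echo "BROAD  $f -> $(eap_trust_anchor "$f")"
    else
        echo "ok     $f -> $(eap_trust_anchor "$f")"
    fi
done
```

Point it at /etc/freeradius/3.0/mods-available/eap on a real host by replacing the constructed files with that path; a `BROAD` result means any client certificate chaining to a public CA in the bundle would be accepted, which is exactly the condition the report describes. The check is deliberately a string comparison on the resolved path: it does not open the file, so a site-local bundle that happens to be a copy of the system one would still need a manual look.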