On Fri, 26 Jul 2024, Bernhard Schmidt wrote:

> Control: reassign -1 eapoltest
> Control: found -1 2:2.10-8
> 
> > freeradius with openssl 3.0.13-1~deb12u1 cannot successfully communicate
> > with eapol_test from bullseye (2:2.10-8~bpo11+2, openssl 1.1.1w-0+deb11u1).
> > eapol_test is used by our monitoring system to verify the functionality
> > of our freeradius services.
> > 
> > Server log shows the received Access-Request is handled and Access-Challenge
> > is sent. However eapol_test simply ignores it and re-sends Access-Request
> > packets again and again:
> 
> This sounds like a bug in eapoltest, not in Freeradius. Reassigning
> accordingly.
> 
> Note that the version in bullseye-backports is older than the one in bookworm
> it should be based on. The version in bullseye-backports is missing these fixes
> from bookworm (stable). Some of those sound related.
> 
> I'm not sure whether bullseye-backports is still updatable; if yes, it might
> be a good idea to backport the current stable-security version.
> 
> wpa (2:2.10-12+deb12u1) bookworm; urgency=high
> 
>   * Non-maintainer upload on behalf of the Security Team.
>   * Fix CVE-2023-52160 (Closes: #1064061):
>     The implementation of PEAP in wpa_supplicant allows
>     authentication bypass. For a successful attack,
>     wpa_supplicant must be configured to not verify
>     the network's TLS certificate during Phase 1
>     authentication, and an eap_peap_decrypt vulnerability
>     can then be abused to skip Phase 2 authentication.
>     The attack vector is sending an EAP-TLV Success packet
>     instead of starting Phase 2. This allows an adversary
>     to impersonate Enterprise Wi-Fi networks.
> 
>  -- Bastien Roucariès <[email protected]>  Tue, 30 Apr 2024 22:45:18 +0000
> 
> wpa (2:2.10-12) unstable; urgency=medium
> 
>   * Prevent hostapd units from being started if there’s
>     no config provided (Closes: #1028088).
>   * hostapd: Enable 802.11ax support (Closes: #1013732).
> 
>  -- Andrej Shadura <[email protected]>  Fri, 24 Feb 2023 14:01:35 +0100
> 
> wpa (2:2.10-11) unstable; urgency=medium
> 
>   * Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
>     (Closes: #1011121, LP: #1958267)
>   * Drop dependency on lsb-base.
> 
>  -- Andrej Shadura <[email protected]>  Tue, 31 Jan 2023 12:58:02 +0100
> 
> wpa (2:2.10-10) unstable; urgency=medium
> 
>   * Configure wpa_supplicant.service to create control sockets owned by group
>     netdev (Closes: #1012844)
> 
>  -- Andrej Shadura <[email protected]>  Wed, 21 Dec 2022 10:03:29 +0100
> 
> wpa (2:2.10-9) unstable; urgency=medium
> 
>   [ Sebastien Bacher ]
>   * debian/patches/allow-legacy-renegotiation.patch:
>     Allow legacy renegotiation to fix PEAP issues with some servers
>     (Closes: #1010603, LP: #1962541)
> 
>  -- Andrej Shadura <[email protected]>  Thu, 05 May 2022 11:23:33 +0100

I have just downloaded the source code of eapol_test from bookworm 
(wpa-2.10), recompiled on a bullseye system and run the same test.

It did not help; eapol_test cannot successfully communicate with the 
freeradius server. So the results so far:

eapol_test from bullseye with libssl.so.1.1     failure
eapol_test from bookworm with libssl.so.1.1     failure
eapol_test from bookworm with libssl.so.3       ok

Best regards,
Jozsef
-- 
E-mail : [email protected]
Address: Wigner Research Centre for Physics
         H-1525 Budapest 114, POB. 49, Hungary
