TBH the simplest thing to do is just to drop the radsecret program. It is not used for anything, and is just a helper script.
> On Jul 16, 2024, at 1:35 PM, Andreas Hasenack <[email protected]> wrote:
>
> The freeradius update to 3.2.5 enabled a new binary and two new modules,
> as part of the BlastRADIUS vulnerability (CVE-2024-3596) mitigations:
>
> + * New upstream version 3.2.5+dfsg
> + This release adds a few hardening mitigations for the BlastRADIUS
> protocol
> + vulnerability (CVE-2024-3596).
> + - add new radsecret binary
> + - add new rlm_dpsk and rlm_eap_teap modules
>
> The new libconvert-base32-perl and libcrypt-urandom-perl dependencies
> come from radsecret, which is this 3-liner:
>
> #!/usr/bin/env perl
> #
> # A tool which generates strong shared secrets.
> #
> use Convert::Base32;
> use Crypt::URandom();
> print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";
>
> There has to be a different way to do this that does not involve moving
> these perl modules to main...
>
>
> $ src/main/radsecret
> voaq-pxzx-a5bc-5pvf-woua
>
> $ src/main/radsecret
> e7y3-vqwl-dd2j-bxz2-tmuq
>
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3596
>
> --
> You received this bug notification because you are subscribed to
> freeradius in Ubuntu.
> https://bugs.launchpad.net/bugs/2073269
>
> Title:
> [MIR] libconvert-base32-perl and libcrypt-urandom-perl
>
> Status in freeradius package in Ubuntu:
> Confirmed
> Status in libconvert-base32-perl package in Ubuntu:
> Incomplete
> Status in libcrypt-urandom-perl package in Ubuntu:
> Incomplete
>
> Bug description:
> https://ubuntu-archive-team.ubuntu.com/component-mismatches-proposed.svg
> shows freeradius depending on libconvert-base32-perl and
> libcrypt-urandom-perl now
>
>
> Evaluate the new freeradius please if we want to file MIRs for them OR if we
> want to modify the dependencies.
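As an added example (not code from this thread or from the FreeRADIUS project), the following sketch produces the same output format as the quoted radsecret script using only the Python standard library, and adds a parser that checks a secret decodes back to 12 bytes. The function names are hypothetical, and the choice of Python in place of the two Perl modules is an assumption made for illustration.

```python
#!/usr/bin/env python3
"""Standard-library equivalent of the quoted radsecret script (added example)."""
import base64
import re
import secrets

SECRET_BYTES = 12  # same size as the quoted script: 12 bytes = 96 bits
# Five dash-separated groups of four lowercase base32 characters.
_FORMAT = re.compile(r"[a-z2-7]{4}(-[a-z2-7]{4}){4}")


def format_secret(raw: bytes) -> str:
    """Encode 12 raw bytes as lowercase, unpadded base32 in groups of 4."""
    if len(raw) != SECRET_BYTES:
        raise ValueError(f"expected {SECRET_BYTES} bytes, got {len(raw)}")
    text = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def generate_secret() -> str:
    """Draw bytes from the OS CSPRNG (secrets wraps os.urandom) and format them."""
    return format_secret(secrets.token_bytes(SECRET_BYTES))


def parse_secret(secret: str) -> bytes:
    """Validate the radsecret output format and return the underlying bytes."""
    if not _FORMAT.fullmatch(secret):
        raise ValueError("not in xxxx-xxxx-xxxx-xxxx-xxxx base32 form")
    # 20 base32 characters need 4 '=' to reach the padded length of 24.
    return base64.b32decode(secret.replace("-", "").upper() + "====")


if __name__ == "__main__":
    print(generate_secret())
```
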
