Bug 1101794

Summary:	Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
Product:	[Fedora] Fedora	Reporter:	pgaltieri <pgaltieri>
Component:	freeradius	Assignee:	Nikolai Kondrashov <nikolai.kondrashov>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	19	CC:	jdennis, lemenkov, nikolai.kondrashov
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	freeradius-2.2.5-2.fc19	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-06-12 06:25:56 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description pgaltieri 2014-05-27 23:20:12 UTC

Description of problem:
After update can no longer start radiusd

Version-Release number of selected component (if applicable):
2.2.5-1.fc19

How reproducible:
Every time

Steps to Reproduce:
1. systemctl start radiusd
2.
3.

Actual results:
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f).  Security advisory CVE-2014-0160 (Heartbleed)


Expected results:
It starts

Additional info:

Comment 1 Nikolai Kondrashov 2014-05-28 09:04:24 UTC

As the upstream ChangeLog (installed with freeradius-doc) notes, running with vulnerable versions of OpenSSL is forbidden, unless enabled with "allow_vulnerable_openssl" in radiusd.conf. The comments above the option in radiusd.conf have more details on this matter.

Comment 2 Nikolai Kondrashov 2014-06-03 12:56:01 UTC

I admit this could have been handled more gracefully. A new package explicitly requiring the fixed version of OpenSSL and disabling vulnerability check is being pushed to Fedora 19.

Comment 3 Fedora Update System 2014-06-03 12:56:30 UTC

freeradius-2.2.5-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/freeradius-2.2.5-2.fc19

Comment 4 Fedora Update System 2014-06-04 07:51:45 UTC

Package freeradius-2.2.5-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeradius-2.2.5-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7015/freeradius-2.2.5-2.fc19
then log in and leave karma (feedback).

Comment 5 pgaltieri 2014-06-10 19:33:50 UTC

Just downloaded and installed the new version of freeradius and here's what I get when I start it up:

Jun 10 12:30:24 jackstraw radiusd[9510]: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f).  Security advisory CVE-2014-0160 (Heartbleed)
Jun 10 12:30:24 jackstraw radiusd[9510]: For more information see http://heartbleed.com
Jun 10 12:30:24 jackstraw systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jun 10 12:30:24 jackstraw systemd[1]: radiusd.service: control process exited, code=exited status=1
Jun 10 12:30:24 jackstraw systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
Jun 10 12:30:24 jackstraw systemd[1]: Unit radiusd.service entered failed state.
Jun 10 12:30:34 jackstraw fprintd[9405]: ** Message: No devices in use, exit

I'm running version 2.2.5-2.fc19

It appears the problem is not fixed.

Comment 6 Nikolai Kondrashov 2014-06-11 09:42:50 UTC

Ah, yes, in a hurry to fix this I forgot that radiusd.conf won't be updated on upgrade, so you'll still need to add "allow_vulnerable_openssl = yes" to the "security" section manually. See also /etc/raddb/radiusd.conf.rpmnew after the upgrade.

Comment 7 John Dennis 2014-06-11 13:09:53 UTC

re comment *6

Hi Nick: You're right that the config file won't be overwritten because it's marked as config(noreplace) and most users fail to pay attention to .rpmnew files after upgrading. However one thing you can do to mitigate the problem for those who have already installed the bad RPM is to do a simple sed string replacement in %post.

Normally something like that is not looked upon favorably but this is one case where I think it's justified.

I can't recall if the NVR of the package being upgraded is available to the %post scriptlet, but if it is you might want to restrict the sed edit to only the specific NVR where the issue was introduced.

Comment 8 Nikolai Kondrashov 2014-06-11 13:57:08 UTC

Thank you, John, I'll think about this.

Comment 9 Fedora Update System 2014-06-12 06:25:56 UTC

freeradius-2.2.5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.