Bug 1078736 - Rebase FreeRADIUS to 2.2.4
Summary: Rebase FreeRADIUS to 2.2.4
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: freeradius
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nikolai Kondrashov
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Keywords: Rebase
Depends On:
Blocks: 1175494
Reported: 2014-03-20 09:22 UTC by Nikolai Kondrashov
Modified: 2015-07-30 11:40 UTC (History)

Fixed In Version: freeradius-2.2.6-1.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The freeradius packages have been upgraded to upstream version 2.2.6, which provides a number of bug fixes and enhancements over the previous version, including:
* A number of dictionaries have been updated.
* This update implements several Extensible Authentication Protocol (EAP) improvements.
* A number of new expansions have been added, including %{randstr:...}, %{hex:...}, %{sha1:...}, %{base64:...}, %{tobase64:...}, and %{base64tohex:...}.
* Hexadecimal numbers (0x...) are now supported in %{expr:...} expansions.
* This update adds operator support to the rlm_python module.
* The Dynamic Host Configuration Protocol (DHCP) and DHCP relay code have been finalized.
* This update adds the rlm_cache module to cache arbitrary attributes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-22 06:16:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2015:1287
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: freeradius security, bug fix, and enhancement update
Last Updated: 2015-07-20 17:48:53 UTC

Description Nikolai Kondrashov 2014-03-20 09:22:14 UTC
FreeRADIUS 2.2.4 was released containing a couple of bugfixes and two minor feature improvements. Configuration compatibility is not affected.
We should rebase to save on fix backporting and to reduce customer confusion.

The original release announcement follows.
---:<---
Version 2.2.4 has been released

  The changes from 2.2.3 are minor.

Feature improvements

* A "panic_action" can be set to have the server dump a gdb log on SEGV
or other fatal error.
* allow radmin command "set module status <module> <code>" which can be
used to forcibly enable/disable modules.

Bug Fixes

* If the server fails to bind() after fork(), that is now reported to
the parent, which exits with an error.
* Session / delay times in MySQL are unsigned int.
* Use --tag=CC for libtool. Closes #497. Because libtool is too stupid
to notice that compiling means compilation.
* Fix bug when copying attributes for vendors > 32767
* Fix behaviour on FreeBSD where sending packets from an interface bound
to an IP address would fail when the server was built with udpfromto.
* Don't fail config check if we're listening on an IP which is also a
home server. Some deployments have valid reasons to loop packets back to
another virtual server.
* Use correct port when DHCP relaying.
* Set source IP address for DHCP packets from DHCP-Server-IP-Address, or
DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the
source IP.
--->:---

Comment 2 Stefan Paetow 2014-08-28 13:53:36 UTC
This should be updated to 2.2.5 (which is the latest stable for 2.x).

Also, this should be assigned to Nikolai Kondrashov, since he's the new maintainer for the package :-)

Comment 10 errata-xmlrpc 2015-07-22 06:16:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1287.html

Comment 11 Nick Lowe 2015-07-26 09:46:40 UTC
There is a high-impact bug that will increasingly impact TLS-based EAP users in FreeRADIUS 2.2.6 and 3.0.7, such as 802.1X deployments, when FreeRADIUS is used with a TLS 1.2 capable version of OpenSSL.

This occurs because FreeRADIUS miscalculates the MPPE key, meaning that client auth cannot complete when a client negotiates with TLS 1.2.

See: https://github.com/FreeRADIUS/freeradius-server/commit/bdff82cdc5bbd6e9079be4b11f0adc27fa994416

iOS 9, currently in beta, is an example of a client that uses TLS 1.2 by default for EAP purposes. Users find that they cannot associate to networks that use WPA2-Enterprise.

This bug was resolved with FreeRADIUS 2.2.7 and 3.0.8.

I suggest that you consider upgrading this package to 2.2.8. There is a small set of changes between 2.2.6 and 2.2.8. (The 2.2.x branch is now EOL for all but security fixes.)

Comment 12 Nick Lowe 2015-07-26 18:58:57 UTC
*MPPE keys.
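The report does not spell out why the derivation goes wrong, so here is an added illustration (not code from this bug, from FreeRADIUS or from the linked commit): TLS 1.0/1.1 expand key material with P_MD5 XOR P_SHA1, TLS 1.2 with P_SHA256 (RFC 5246 section 5), while EAP-TLS (RFC 5216 section 2.3) derives the MSK, and from it the RADIUS MS-MPPE-Recv-Key and MS-MPPE-Send-Key, as PRF(master_secret, "client EAP encryption", client.random || server.random). A server that keeps the TLS 1.0 PRF for a TLS 1.2 session hands the NAS keys the supplicant will not match, which is the client-side symptom described above; the master secret and randoms below are constructed sample values.

```python
import hmac

EAP_TLS_LABEL = b"client EAP encryption"  # RFC 5216 section 2.3


def p_hash(digest, secret, seed, length):
    """TLS P_hash (RFC 5246 section 5): HMAC chain expanded to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5): P_MD5(S1) XOR P_SHA1(S2), S1/S2 = halves of secret."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256 for suites using the default PRF hash."""
    return p_hash("sha256", secret, label + seed, length)


def eap_tls_mppe_keys(master_secret, client_random, server_random, tls12):
    """MSK = first 64 bytes of TLS-PRF(master_secret, label, client.random || server.random).
    RFC 5216 maps MSK[0:32] to MS-MPPE-Recv-Key and MSK[32:64] to MS-MPPE-Send-Key
    (authenticator's view); MSK[0:32] is also the 802.11 PMK."""
    prf = prf_tls12 if tls12 else prf_tls10
    msk = prf(master_secret, EAP_TLS_LABEL, client_random + server_random, 64)
    return msk[:32], msk[32:64]


def keys_agree(master_secret, client_random, server_random, server_tls12, client_tls12):
    """True only when both ends derive the same MPPE keys. A server that still applies
    the TLS 1.0 PRF to a TLS 1.2 session fails this, and the 4-way handshake built on
    the resulting PMK fails with it, so the client never associates."""
    server_keys = eap_tls_mppe_keys(master_secret, client_random, server_random, server_tls12)
    client_keys = eap_tls_mppe_keys(master_secret, client_random, server_random, client_tls12)
    return server_keys == client_keys


if __name__ == "__main__":
    ms = bytes(range(48))                 # constructed 48-byte master secret
    cr, sr = b"\x11" * 32, b"\x22" * 32   # constructed client/server randoms
    print("TLS 1.2 client, server using TLS 1.0 PRF:", keys_agree(ms, cr, sr, False, True))
    print("TLS 1.2 on both sides:", keys_agree(ms, cr, sr, True, True))
```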

Comment 13 Nikolai Kondrashov 2015-07-27 09:07:50 UTC
Thank you for a heads-up, Nick! I'll see what we can do.

Comment 14 Nick Lowe 2015-07-27 09:50:32 UTC
No problem! :) This also affects OS X El Capitan and the latest version of wpa_supplicant, where TLS 1.2 is enabled by default for TLS-based EAP.

The supplicant in Windows 7 and newer supports TLS 1.2 for the TLS-based EAP types offered, such as EAP-PEAP, if the machine is fully patched via Windows Update.

TLS 1.1 and 1.2 are, however, disabled by default for the moment.

See the second More Information section of:

https://support.microsoft.com/en-us/kb/2977292

Comment 15 Nick Lowe 2015-07-30 11:40:52 UTC
I've opened: https://bugzilla.redhat.com/show_bug.cgi?id=1248484
