1078736 – Rebase FreeRADIUS to 2.2.4

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1078736 - Rebase FreeRADIUS to 2.2.4

Summary: Rebase FreeRADIUS to 2.2.4

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	freeradius
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Nikolai Kondrashov
QA Contact:	Jaroslav Aster
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1175494
TreeView+	depends on / blocked

Reported:	2014-03-20 09:22 UTC by Nikolai Kondrashov
Modified:	2015-07-30 11:40 UTC (History)
CC List:	7 users (show)
Fixed In Version:	freeradius-2.2.6-1.el6
Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:	The freeradius packages have been upgraded to upstream version 2.2.6, which provides a number of bug fixes and enhancements over the previous version, including: * The number of dictionaries have been updated. * This update implements several Extensible Authentication Protocol (EAP) improvements. * A number of new expansions have been added, including: %{randstr:...}, %{hex:...}, %{sha1:...}, %{base64:...}, %{tobase64:...}, and %{base64tohex:...}. * Hexadecimal numbers (0x...) are now supported in %{expr:...} expansions. * This update adds operator support to the rlm_python module. * The Dynamic Host Configuration Protocol (DHCP) and DHCP relay code have been finalized. * This update adds the rlm_cache module to cache arbitrary attributes.
Clone Of:
Environment:
Last Closed:	2015-07-22 06:16:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1287	0	normal	SHIPPED_LIVE	Moderate: freeradius security, bug fix, and enhancement update	2015-07-20 17:48:53 UTC

Description Nikolai Kondrashov 2014-03-20 09:22:14 UTC

FreeRADIUS 2.2.4 was released containing a couple of bugfixes and two minor feature improvements. Configuration compatibility is not affected.
We should rebase to save on fix backporting and to reduce customer confusion.

The original release announcement follows.
---:<---
Version 2.2.4 has been released

  The changes from 2.2.3 are minor.

Feature improvements

* A "panic_action" can be set to have the server dump a gdb log on SEGV
or other fatal error.
* allow radmin command "set module status <module> <code>" which can be
used to forcibly enable/disable modules.

Bug Fixes

* If the server fails to bind() after fork(), that is now reported to
the parent, which exits with an error.
* Session / delay times in MySQL are unsigned int.
& Use --tag=CC for libtool. Closes #497. Because libtool is too stupid
to notice that compiling means compilation.
* Fix bug when copying attributes for vendors > 32767
* Fix behaviour on FreeBSD where sending packets from an interface bound
to an IP address would fail when the server was built with udpfromto.
* Don't fail config check if were listening on an IP which is also a
home server. Some deployments have valid reasons to loop packets back to
another virtual server.
* Use correct port when DHCP relaying.
* Set source IP address for DHCP packets from DHCP-Server-IP-Address, or
DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the
source IP.
--->:---

Comment 2 Stefan Paetow 2014-08-28 13:53:36 UTC

This should be updated to 2.2.5 (which is the latest stable for 2.x).

Also, this should be assigned to Nikolay Kondrashov, since he's the new maintainer for the package :-)

Comment 10 errata-xmlrpc 2015-07-22 06:16:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1287.html

Comment 11 Nick Lowe 2015-07-26 09:46:40 UTC

There is a high impact bug that will increasingly impact TLS-based EAP users in FreeRADIUS 2.2.6 and 3.0.7, such as 802.1X deployments, when FreeRADIUS is used with a TLS 1.2 capable version of OpenSSL.

This occurs because FreeRADIUS miscalculates the MPPE key meaning that client auth cannot complete when a client negotiates with TLS 1.2.

See: https://github.com/FreeRADIUS/freeradius-server/commit/bdff82cdc5bbd6e9079be4b11f0adc27fa994416

iOS 9, currently in beta, is an example of a client that uses TLS 1.2 by default for EAP purposes. Users find that they cannot associate to networks that use WPA2-Enterprise.

This bug was resolved with FreeRADIUS 2.2.7 and 3.0.8

I suggest that you consider upgrading this package to 2.2.8. There is a small set of changes between 2.2.6 and 2.2.8. (The 2.2.x branch is now EOL for all but security fixes.)

Comment 12 Nick Lowe 2015-07-26 18:58:57 UTC

*MPPE keys.

Comment 13 Nikolai Kondrashov 2015-07-27 09:07:50 UTC

Thank you for a heads-up, Nick! I'll see what we can do.

Comment 14 Nick Lowe 2015-07-27 09:50:32 UTC

No problem! :) This also affects OS X EL Capitan and the latest version of wpa_supplicant where TLS 1.2 is enabled by default for TLS-based EAP.

The supplicant in Windows 7 and newer support TLS 1.2 for the
TLS-based EAP types offered such as EAP-PEAP if the machine is fully
patched via Windows Update.

TLS 1.1 and 1.2 are however, for the moment. disabled by default.

See the second More Information section of:

https://support.microsoft.com/en-us/kb/2977292

Comment 15 Nick Lowe 2015-07-30 11:40:52 UTC

I've opened: https://bugzilla.redhat.com/show_bug.cgi?id=1248484

Note You need to log in before you can comment on or make changes to this bug.