Description of problem:
After update can no longer start radiusd

Version-Release number of selected component (if applicable):
2.2.5-1.fc19

How reproducible:
Every time

Steps to Reproduce:
1. systemctl start radiusd
2.
3.

Actual results:
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed)

Expected results:
It starts

Additional info:
As the upstream ChangeLog (installed with freeradius-doc) notes, running with vulnerable versions of OpenSSL is forbidden, unless enabled with "allow_vulnerable_openssl" in radiusd.conf. The comments above the option in radiusd.conf have more details on this matter.
I admit this could have been handled more gracefully. A new package explicitly requiring the fixed version of OpenSSL and disabling the vulnerability check is being pushed to Fedora 19.
freeradius-2.2.5-2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeradius-2.2.5-2.fc19
Package freeradius-2.2.5-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeradius-2.2.5-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7015/freeradius-2.2.5-2.fc19
then log in and leave karma (feedback).
Just downloaded and installed the new version of freeradius and here's what I get when I start it up:

Jun 10 12:30:24 jackstraw radiusd[9510]: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed)
Jun 10 12:30:24 jackstraw radiusd[9510]: For more information see http://heartbleed.com
Jun 10 12:30:24 jackstraw systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jun 10 12:30:24 jackstraw systemd[1]: radiusd.service: control process exited, code=exited status=1
Jun 10 12:30:24 jackstraw systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..
Jun 10 12:30:24 jackstraw systemd[1]: Unit radiusd.service entered failed state.
Jun 10 12:30:34 jackstraw fprintd[9405]: ** Message: No devices in use, exit

I'm running version 2.2.5-2.fc19. It appears the problem is not fixed.
Ah, yes, in a hurry to fix this I forgot that radiusd.conf won't be updated on upgrade, so you'll still need to add "allow_vulnerable_openssl = yes" to the "security" section manually. See also /etc/raddb/radiusd.conf.rpmnew after the upgrade.
Re comment #6: Hi Nick: You're right that the config file won't be overwritten because it's marked as config(noreplace), and most users fail to pay attention to .rpmnew files after upgrading. However, one thing you can do to mitigate the problem for those who have already installed the bad RPM is to do a simple sed string replacement in %post. Normally something like that is not looked upon favorably, but this is one case where I think it's justified. I can't recall if the NVR of the package being upgraded is available to the %post scriptlet, but if it is, you might want to restrict the sed edit to only the specific NVR where the issue was introduced.
Thank you, John, I'll think about this.
freeradius-2.2.5-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.