author | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-07 14:48:41 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-07 19:45:05 +0000 |
commit | 1794998b957c4311b20aa504cb0c1576e702d3d9 (patch) | |
tree | 9420179b2b69ad52632a27b245a5e11e786fbc20 | |
parent | 7a26617a5bf6fd3ba752b735501c4080b2d514ec (diff) | |
main/freeradius: security fix for CVE-2015-4680
ref #4377
fixes #4381
(cherry picked from commit 1314c0d82fee33213ea17cc7805bdf3a60efac78)
-rw-r--r-- | main/freeradius/APKBUILD | 12 | ||||
-rw-r--r-- | main/freeradius/CVE-2015-4680.patch | 79 |
2 files changed, 87 insertions, 4 deletions
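--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=freeradius
 _realname=freeradius
 pkgver=3.0.8
-pkgrel=6
+pkgrel=7
 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
 url="http://freeradius.org/"
 arch="all"
@@ -30,6 +30,7 @@ source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
 musl-fix-headers.patch
 disable-cert-generation.patch
 freeradius-305-default-config.patch
+CVE-2015-4680.patch
 "
 
 _builddir="$srcdir"/$_realname-server-$pkgver
@@ -272,16 +273,19 @@ fc6693f3df5a0694610110287a28568a freeradius.confd
 e27f11a11fa167b5185d3e11de79d3bc freeradius.initd
 d86558365a1deea4914ed139797805b0 musl-fix-headers.patch
 ecd9ecfba4cf86a203de6faf8398c44a disable-cert-generation.patch
-f8a7b00835f2108acc06af212cede16e freeradius-305-default-config.patch"
+f8a7b00835f2108acc06af212cede16e freeradius-305-default-config.patch
+3bc4cd4994c9a197daf36585487438a0 CVE-2015-4680.patch"
 sha256sums="c27252d7a86ba252904612d9b1f90e846f3ef1f4afee6a748f5287b730e87e3a freeradius-server-3.0.8.tar.gz
 2d5b3e1af1299373182f2c8021bdf45c29db5d82b0a077b965a16ded32cb6292 freeradius.confd
 a5208f13420c28446b85dfc48cb9193a4651c994d15cc2c9b0bc43734c66e8f0 freeradius.initd
 872aaebf86a663f819460d98924a9dc1f3e428facac6930dc98d1e442df1633f musl-fix-headers.patch
 008fa3a4da7b3c01df238bf492a8ccda4077289c02c553a60ad8f4439ec136a2 disable-cert-generation.patch
-02cad546ffaf3f9be531cb45b96c7fb31f83c717e40ece4ff28a73c86f921f33 freeradius-305-default-config.patch"
+02cad546ffaf3f9be531cb45b96c7fb31f83c717e40ece4ff28a73c86f921f33 freeradius-305-default-config.patch
+e7cbb3af9f90d741f91907898f9c0b156a2ae448cc812cbd6fd8322eb8bcea54 CVE-2015-4680.patch"
 sha512sums="89aabc474e95226eeb5003feef40fbe240f28aa65c40e0566a9bec08991d95fab83826f3b14f416cf4d7d832a814912521cb3c83097c1a2ce5d3e3537ee3a732 freeradius-server-3.0.8.tar.gz
 e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d610940bc4ae50c022594e219ce341b36abe85c572acad418b freeradius.confd
 ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a freeradius.initd
 c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch
 09b78c6baa992f82ab81c43aad6792536a4708d460170f0a373e242a5fafe8db10662dc7fcef99a966b828ed91fa7fe38567c961c938de9a447f1ee03aebb142 disable-cert-generation.patch
-b69b899da6f80dbdb7422847536e37461315ba587a07fedc1eee28b96be7d16993b758ccd34e3a271ce2937d72c6ddff878aec61a3a4c0750deaaa959d10ed5e freeradius-305-default-config.patch"
+b69b899da6f80dbdb7422847536e37461315ba587a07fedc1eee28b96be7d16993b758ccd34e3a271ce2937d72c6ddff878aec61a3a4c0750deaaa959d10ed5e freeradius-305-default-config.patch
+68f00ea6353a2951c95d58fd674701c250e4de713c1bbfba80eb7247df1dc477fa2e277c9f0866ee5591e66eef4f52da70ee1794588df1f411f5e40773317fe7 CVE-2015-4680.patch"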
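--- /dev/null
+++ b/main/freeradius/CVE-2015-4680.patch
@@ -0,0 +1,79 @@
+From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 22 Jun 2015 15:27:10 -0400
+Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
+
+---
+raddb/mods-available/eap | 6 +++++-
+src/include/tls-h | 1 +
+src/main/tls.c | 12 ++++++++++++
+3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 165971a..10026ec 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -269,9 +269,13 @@ eap {
+# 1) Copy CA certificates and CRLs to same directory.
+# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+# 'c_rehash' is OpenSSL's command.
+- # 3) uncomment the line below.
++ # 3) uncomment the lines below.
+# 5) Restart radiusd
+# check_crl = yes
++
++ # Check if intermediate CAs have been revoked.
++ # check_all_crl = yes
++
+ca_path = ${cadir}
+
+#
+diff --git a/src/include/tls-h b/src/include/tls-h
+index 9fdc775..a41c6f5 100644
+--- a/src/include/tls-h
++++ b/src/include/tls-h
+@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
+*/
+uint32_t fragment_size;
+bool check_crl;
++ bool check_all_crl;
+bool allow_expired_crl;
+char const *check_cert_cn;
+char const *cipher_list;
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 692651f..9df48b4 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
+{ "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
+{ "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
+{ "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
++#endif
+{ "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
+{ "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
+{ "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
+@@ -2104,6 +2107,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
+if (conf->check_crl)
+X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+#endif
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ if (conf->check_all_crl)
++ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
++#endif
+return store;
+}
+#endif /* HAVE_OPENSSL_OCSP_H */
+@@ -2591,6 +2598,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
+return NULL;
+}
+X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
++
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ if (conf->check_all_crl)
++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
++#endif
+}
+#endif
+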
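Review bot: In the init_revocation_store hunk of the embedded patch (its lines 61-64), X509_V_FLAG_CRL_CHECK_ALL is set from conf->check_all_crl independently of check_crl, and as far as I recall OpenSSL treats CRL_CHECK_ALL as a no-op unless X509_V_FLAG_CRL_CHECK is also set on the store, so a config with `check_all_crl = yes` but `check_crl = no` would silently perform no revocation check at all; gating it as `if (conf->check_crl && conf->check_all_crl)` or stating the dependency in the eap comment, `# Requires check_crl = yes. Check if intermediate CAs have been revoked.`, would close that gap. The tls_init_ctx hunk (lines 73-76) is not affected, since it sits inside a block that already set X509_V_FLAG_CRL_CHECK unconditionally on line 71. Note also that the new option defaults to "no" in tls_server_config and ships commented out in mods-available/eap, so this package revision mitigates CVE-2015-4680 only for deployments that explicitly enable check_all_crl. Both enclosing functions begin and end outside the nested hunks.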