import freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b

SOURCES/freeradius-listen-ipv6-fix.patch

@@ -0,0 +1,42 @@
+From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Mon, 22 Apr 2019 14:38:19 -0400
+Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
+
+In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
+which effectively result in a listen.ipaddr only allowing hostnames to
+resolve to IPv4 addresses. With a hostname with only a IPv6 address,
+it'll bail with the error message:
+
+radiusd: #### Opening IP addresses and Ports ####
+listen {
+        type = "auth"
+Failed resolving "ipv6.cipherboy.com" to IPv4 address:
+    Name or service not known
+
+This directly contradicts the language in the default configuration
+file, so support resolving both IPv4-only and IPv6-only hostnames.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/lib/misc.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/src/lib/misc.c b/src/lib/misc.c
+index dff21e33f7..5520d8a0a4 100644
+--- a/src/lib/misc.c
++++ b/src/lib/misc.c
+@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
+ 			fr_strerror_printf("Invalid address");
+ 			return -1;
+ 		}
+-
+-		/*
+-		 *	Fall through to resolving the address, using
+-		 *	whatever address family they prefer.  If they
+-		 *	don't specify an address family, force IPv4.
+-		 */
+-		if (af == AF_UNSPEC) af = AF_INET;
+ 	}
+ 
+ 	/*

SOURCES/freeradius-logrotate

@@ -14,6 +14,7 @@
 	nocreate
 	missingok
 	compress
+	su radiusd radiusd
 }
 
 /var/log/radius/checkrad.log {
@@ -22,14 +23,17 @@
 	create
 	missingok
 	compress
+	su radiusd radiusd
 }
 
+
 /var/log/radius/radius.log {
 	monthly
 	rotate 4
 	create
 	missingok
 	compress
+	su radiusd radiusd
 	postrotate
 		/usr/bin/systemctl reload-or-try-restart radiusd
 	endscript
@@ -41,6 +45,7 @@
 	create
 	compress
 	missingok
+	su radiusd radiusd
 }
 /var/log/radius/sqltrace.sql {
         monthly
@@ -48,4 +53,5 @@
         create
         compress
         missingok
+	su radiusd radiusd
 }

SPECS/freeradius.spec

@@ -9,7 +9,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.17
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -37,6 +37,7 @@ Patch5: freeradius-OpenSSL-HMAC-MD5.patch
 Patch6: freeradius-OpenSSL-HMAC-SHA1.patch
 Patch7: freeradius-python2-shebangs.patch
 Patch8: freeradius-EAP-PWD-curve-handling.patch
+Patch9: freeradius-listen-ipv6-fix.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -223,6 +224,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -850,9 +852,18 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
+- Fix handling of IPv6-only hostnames with listen.ipaddr
+  Resolves: bz#1685546
+
+* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
+- Fix possible privilege escalation due to insecure logrotate configuration
+  Resolves: bz#1719369
+
 * Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
 - Fixes two EAP-PWD security issues
-  Resolves: bz#1699416 authentication bypass with an invalid curve attack
+  Resolves: bz#1699417 authentication bypass with an invalid curve attack
+  Resolves: bz#1699421 fake authentication using reflection
 
 * Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
 - Updates radiusd.service to start after network-online.target