From e529cbbf6ea68f7beb8e7ce6688fcc05cd630ebb Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov
Date: Tue, 3 Jun 2014 14:37:59 +0300
Subject: [PATCH] Require OpenSSL with patched heartbleed
---
 freeradius-heartbleed-confirm.patch | 13 +++++++++++++
 freeradius.spec | 12 ++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 freeradius-heartbleed-confirm.patch
diff --git a/freeradius-heartbleed-confirm.patch b/freeradius-heartbleed-confirm.patch
new file mode 100644
index 0000000..a52be54
--- /dev/null
+++ b/freeradius-heartbleed-confirm.patch
@@ -0,0 +1,13 @@
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index 307ae10..c533f56 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -483,7 +483,7 @@ security {
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+- allow_vulnerable_openssl = no
++ allow_vulnerable_openssl = CVE-2014-0160
+ }
+
+ # PROXY CONFIGURATION
diff --git a/freeradius.spec b/freeradius.spec
index d97b95b..aa3112d 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -27,6 +27,7 @@ Patch3: freeradius-case-insensitive-matching.patch
 Patch4: freeradius-perl-string-escaping.patch
 Patch5: freeradius-segfault-on-config-parse.patch
 Patch6: freeradius-foreach.patch
+Patch7: freeradius-heartbleed-confirm.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@@ -50,7 +51,7 @@ BuildRequires: libyubikey-devel
 BuildRequires: ykclient-devel
 %endif
-Requires: openssl
+Requires: openssl >= 1.0.1e-37.fc20.1
 Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
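Review bot: In freeradius-heartbleed-confirm.patch the new default `allow_vulnerable_openssl = CVE-2014-0160` switches off the server's own start-up refusal for that CVE, and the patched radiusd.conf.in has no comment saying that the assurance now comes from the package dependency rather than from a check of the library actually loaded. I would add a line above the setting such as `# Packaged default: the openssl build required by this RPM carries the CVE-2014-0160 fix.` so that an administrator who copies the file to a host with a different libssl knows to set it back to `no`. Naming the single CVE rather than using a blanket `yes` is the narrower choice and worth keeping. The `security {` block opens outside the inner hunk, so its other settings are not visible here.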
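Review bot: In freeradius.spec's `@@ -50,7 +51,7 @@` hunk, `Requires: openssl >= 1.0.1e-37.fc20.1` names no epoch, so if the distribution's openssl package is built with a non-zero Epoch, RPM ranks every such build above the epoch-less bound and the requirement is also met by unpatched builds. This matters more than usual because the same commit turns off the daemon's own Heartbleed check, which leaves this dependency as the only gate. Please confirm the Epoch in the openssl spec and write it into the bound, e.g. `Requires: openssl >= <EPOCH>:1.0.1e-37.fc20.1`. The literal `.fc20` also ties the spec to one release; a branch whose fixed openssl has a different release string would need its own value, which a `%global` near the top of the spec would make easier to maintain.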
@@ -189,6 +190,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -759,6 +761,12 @@ exit 0
 %files unixODBC
 %{_libdir}/freeradius/rlm_sql_unixodbc.so
+%changelog
+* Mon Jun 2 2014 Nikolai Kondrashov - 3.0.3-2
+- Add explicit dependency on OpenSSL package with fixed CVE-2014-0160
+ (Heartbleed bug).
+- Add confirmation of CVE-2014-0160 being fixed in OpenSSL to radiusd.conf.
+
 %changelog
 * Wed May 14 2014 Nikolai Kondrashov - 3.0.3-1
 - Upgrade to upstream 3.0.3 release.