Commit 59d9b5924515879f82f607d1fe0e672d70ad2c98 - freeradius

refresh patches Michael Stapelberg 6 years ago

4 changed file(s) with 52 addition(s) and 52 deletion(s). Raw diff Collapse all Expand all

-4

debian/patches/disable-session-cache-CVE-2017-9148.patch less more

10	10	===================================================================
11	11	--- freeradius.orig/src/main/tls.c
12	12	+++ freeradius/src/main/tls.c
13		@@ -579,7 +579,7 @@ tls_session_t *tls_new_session(TALLOC_CT
	13	@@ -594,7 +594,7 @@ tls_session_t *tls_new_session(TALLOC_CT
14	14	*
15	15	* FIXME: Also do it every N sessions?
16	16	*/

19	19	((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) <= request->timestamp)){
20	20	RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(conf->ctx));
21	21
22		@@ -674,7 +674,7 @@ tls_session_t *tls_new_session(TALLOC_CT
	22	@@ -689,7 +689,7 @@ tls_session_t *tls_new_session(TALLOC_CT
23	23	state->mtu = vp->vp_integer;
24	24	}
25	25

28	28
29	29	return state;
30	30	}
31		@@ -2848,7 +2848,7 @@ post_ca:
	31	@@ -2991,7 +2991,7 @@ post_ca:
32	32	/*
33	33	* Callbacks, etc. for session resumption.
34	34	*/

37	37	/*
38	38	* Cache sessions on disk if requested.
39	39	*/
40		@@ -2916,7 +2916,7 @@ post_ca:
	40	@@ -3059,7 +3059,7 @@ post_ca:
41	41	/*
42	42	* Setup session caching
43	43	*/

-3

debian/patches/mkdirp.diff less more

4	4
5	5	---
6	6
7		Index: freeradius-new/install-sh
	7	Index: freeradius/install-sh
8	8	===================================================================
9		--- freeradius-new.orig/install-sh
10		+++ freeradius-new/install-sh
	9	--- freeradius.orig/install-sh
	10	+++ freeradius/install-sh
11	11	@@ -1,251 +1,501 @@
12	12	#!/bin/sh
13	13	-#

+15

-15

debian/patches/snakeoil-certs.diff less more

4	4
5	5	---
6	6
7		Index: freeradius-new/raddb/mods-available/eap
	7	Index: freeradius/raddb/mods-available/eap
8	8	===================================================================
9		--- freeradius-new.orig/raddb/mods-available/eap
10		+++ freeradius-new/raddb/mods-available/eap
	9	--- freeradius.orig/raddb/mods-available/eap
	10	+++ freeradius/raddb/mods-available/eap
11	11	@@ -171,7 +171,7 @@ eap {
12	12	# authenticate via EAP-TLS! This is likely not what you want.
13	13	tls-config tls-common {

35	35
36	36	# OpenSSL will automatically create certificate chains,
37	37	# unless we tell it to not do that. The problem is that
38		Index: freeradius-new/raddb/mods-available/inner-eap
	38	Index: freeradius/raddb/mods-available/inner-eap
39	39	===================================================================
40		--- freeradius-new.orig/raddb/mods-available/inner-eap
41		+++ freeradius-new/raddb/mods-available/inner-eap
	40	--- freeradius.orig/raddb/mods-available/inner-eap
	41	+++ freeradius/raddb/mods-available/inner-eap
42	42	@@ -50,7 +50,7 @@ eap inner-eap {
43	43	#
44	44	tls {

62	62
63	63	cipher_list = "DEFAULT"
64	64
65		Index: freeradius-new/raddb/sites-available/abfab-tls
	65	Index: freeradius/raddb/sites-available/abfab-tls
66	66	===================================================================
67		--- freeradius-new.orig/raddb/sites-available/abfab-tls
68		+++ freeradius-new/raddb/sites-available/abfab-tls
	67	--- freeradius.orig/raddb/sites-available/abfab-tls
	68	+++ freeradius/raddb/sites-available/abfab-tls
69	69	@@ -13,9 +13,9 @@ listen {
70	70	private_key_password = whatever
71	71

79	79	dh_file = ${certdir}/dh
80	80	fragment_size = 8192
81	81	ca_path = ${cadir}
82		Index: freeradius-new/raddb/sites-available/tls
	82	Index: freeradius/raddb/sites-available/tls
83	83	===================================================================
84		--- freeradius-new.orig/raddb/sites-available/tls
85		+++ freeradius-new/raddb/sites-available/tls
	84	--- freeradius.orig/raddb/sites-available/tls
	85	+++ freeradius/raddb/sites-available/tls
86	86	@@ -82,7 +82,7 @@ listen {
87	87	#
88	88	tls {

110	110
111	111	#
112	112	# For DH cipher suites to work, you have to
113		@@ -377,7 +377,7 @@ home_server tls {
	113	@@ -383,7 +383,7 @@ home_server tls {
114	114
115	115	tls {
116	116	private_key_password = whatever

119	119
120	120	# If Private key & Certificate are located in
121	121	# the same file, then private_key_file &
122		@@ -389,7 +389,7 @@ home_server tls {
	122	@@ -395,7 +395,7 @@ home_server tls {
123	123	# only the server certificate, but ALSO all
124	124	# of the CA certificates used to sign the
125	125	# server certificate.

128	128
129	129	# Trusted Root CA list
130	130	#
131		@@ -406,7 +406,7 @@ home_server tls {
	131	@@ -412,7 +412,7 @@ home_server tls {
132	132	# not use client certificates, and you do not want
133	133	# to permit EAP-TLS authentication, then delete
134	134	# this configuration item.

+30

-30

debian/patches/spelling-fixes.diff less more

3	3
4	4	---
5	5
6		Index: freeradius-new/src/lib/debug.c
	6	Index: freeradius/src/lib/debug.c
7	7	===================================================================
8		--- freeradius-new.orig/src/lib/debug.c
9		+++ freeradius-new/src/lib/debug.c
	8	--- freeradius.orig/src/lib/debug.c
	9	+++ freeradius/src/lib/debug.c
10	10	@@ -732,7 +732,7 @@ NEVER_RETURNS void fr_fault(int sig)
11	11	if (disable) {
12	12	FR_FAULT_LOG("Resetting PR_DUMPABLE to 0");

16	16	FR_FAULT_LOG("Exiting due to insecure process state");
17	17	fr_exit_now(1);
18	18	}
19		Index: freeradius-new/src/modules/proto_dhcp/dhcpd.c
	19	Index: freeradius/src/modules/proto_dhcp/dhcpd.c
20	20	===================================================================
21		--- freeradius-new.orig/src/modules/proto_dhcp/dhcpd.c
22		+++ freeradius-new/src/modules/proto_dhcp/dhcpd.c
	21	--- freeradius.orig/src/modules/proto_dhcp/dhcpd.c
	22	+++ freeradius/src/modules/proto_dhcp/dhcpd.c
23	23	@@ -661,7 +661,7 @@ static int dhcp_socket_parse(CONF_SECTIO
24	24	}
25	25

29	29	fr_syserror(errno));
30	30	return -1;
31	31	}
32		Index: freeradius-new/man/man5/dictionary.5
	32	Index: freeradius/man/man5/dictionary.5
33	33	===================================================================
34		--- freeradius-new.orig/man/man5/dictionary.5
35		+++ freeradius-new/man/man5/dictionary.5
	34	--- freeradius.orig/man/man5/dictionary.5
	35	+++ freeradius/man/man5/dictionary.5
36	36	@@ -35,7 +35,7 @@ break your RADIUS deployment.
37	37	.PP
38	38	If you need to add new attributes, please edit the

42	42
43	43	.SH FORMAT
44	44	Every line starting with a hash sign
45		Index: freeradius-new/man/man5/radrelay.conf.5
	45	Index: freeradius/man/man5/radrelay.conf.5
46	46	===================================================================
47		--- freeradius-new.orig/man/man5/radrelay.conf.5
48		+++ freeradius-new/man/man5/radrelay.conf.5
	47	--- freeradius.orig/man/man5/radrelay.conf.5
	48	+++ freeradius/man/man5/radrelay.conf.5
49	49	@@ -134,7 +134,7 @@ running as radrelay. Please edit \fBrad
50	50	The original "radrelay" program was written by Miquel van Smoorenburg
51	51	for the Cistron radius project, and ported to FreeRADIUS by Simon

55	55	a basis for the design of this implementation.
56	56	.PP
57	57	.SH FILES
58		Index: freeradius-new/man/man5/unlang.5
	58	Index: freeradius/man/man5/unlang.5
59	59	===================================================================
60		--- freeradius-new.orig/man/man5/unlang.5
61		+++ freeradius-new/man/man5/unlang.5
	60	--- freeradius.orig/man/man5/unlang.5
	61	+++ freeradius/man/man5/unlang.5
62	62	@@ -146,7 +146,7 @@ No statement other than "case" can appea
63	63	.IP case
64	64	.br

68	68
69	69	A "case" statement cannot appear outside of a "switch" block.
70	70
71		@@ -397,7 +397,7 @@ conditions
	71	@@ -398,7 +398,7 @@ conditions
72	72	(foo)
73	73	.DE
74	74

77	77	quotes, or back-quoted). Also evaluates to true if 'foo' is a
78	78	non-zero number. Note that the language is poorly typed, so the
79	79	string "0000" can be interpreted as a numerical zero. This issue can
80		@@ -419,7 +419,7 @@ codes are given in MODULE RETURN CODES,
	80	@@ -420,7 +420,7 @@ codes are given in MODULE RETURN CODES,
81	81	(!foo)
82	82	.DE
83	83

86	86	.PP
87	87	Short-circuit operators
88	88	.RS
89		@@ -480,7 +480,7 @@ We recommend using attribute references
	89	@@ -481,7 +481,7 @@ We recommend using attribute references
90	90	attributes to a string, e.g. (User-Name == "%{Filter-Id}").
91	91	Attribute references will be faster and more efficient.
92	92

95	95	If there is more than one instance of an attribute, the following
96	96	syntax should be used:
97	97
98		@@ -599,7 +599,7 @@ The trailing 'm' is also optional, and i
	98	@@ -600,7 +600,7 @@ The trailing 'm' is also optional, and i
99	99	and dollar '$' anchors should match on new lines as well as at the
100	100	start and end of the subject string.
101	101

104	104	expression will define variables containing the matching text, as
105	105	described below in the VARIABLES section.
106	106	.SH EXPANSIONS
107		@@ -677,19 +677,19 @@ The integer value of the Attribute-Name,
	107	@@ -678,19 +678,19 @@ The integer value of the Attribute-Name,
108	108	name.
109	109
110	110	e.g. If a request contains "Service-Type = Login-User", the expansion

127	127
128	128	.IP %{Attribute-Name[*]}
129	129	All values of Attribute-Name, concatenated together with ',' as the
130		@@ -775,7 +775,7 @@ no attribute exists, it is added with th
131
132		This operator is valid only for attributes of integer type.
	130	@@ -785,7 +785,7 @@ given here. Any smaller value is replac
	131	no attribute exists, it is added with the value given here, as with
	132	"+=".
133	133	.IP !*
134	134	-Delete all occurances of the named attribute, no matter what the
135	135	+Delete all occurrences of the named attribute, no matter what the
136	136	value.
137	137	.IP =~
138	138	Keep all attributes having values which match the given regular
139		Index: freeradius-new/src/modules/rlm_krb5/rlm_krb5.c
	139	Index: freeradius/src/modules/rlm_krb5/rlm_krb5.c
140	140	===================================================================
141		--- freeradius-new.orig/src/modules/rlm_krb5/rlm_krb5.c
142		+++ freeradius-new/src/modules/rlm_krb5/rlm_krb5.c
	141	--- freeradius.orig/src/modules/rlm_krb5/rlm_krb5.c
	142	+++ freeradius/src/modules/rlm_krb5/rlm_krb5.c
143	143	@@ -171,7 +171,7 @@ static int mod_instantiate(CONF_SECTION
144	144	ret = krb5_get_init_creds_opt_alloc(inst->context, &(inst->gic_options)); /* For some reason the 'init' version
145	145	of this function is deprecated */

149	149	rlm_krb5_error(inst->context, ret));
150	150
151	151	return -1;
152		Index: freeradius-new/src/modules/rlm_mschap/rlm_mschap.c
	152	Index: freeradius/src/modules/rlm_mschap/rlm_mschap.c
153	153	===================================================================
154		--- freeradius-new.orig/src/modules/rlm_mschap/rlm_mschap.c
155		+++ freeradius-new/src/modules/rlm_mschap/rlm_mschap.c
156		@@ -1920,7 +1920,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
	154	--- freeradius.orig/src/modules/rlm_mschap/rlm_mschap.c
	155	+++ freeradius/src/modules/rlm_mschap/rlm_mschap.c
	156	@@ -1922,7 +1922,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
157	157	if (inst->with_ntdomain_hack) {
158	158	username_string++;
159	159	} else {