
I work with Ubuntu 14.04 and I can't start the freeradius daemon (freeradius-server-3.0.9). I have this error that I cannot solve:

Refusing to start with libssl version OpenSSL 1.0.1f 6 Jan 2014    
0x1000106f (1.0.1f release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set    
security.allow_vulnerable_openssl = 'CVE-2014-0160'

dpkg -l | grep openssl

ii  libgnutls-openssl27:i386                              2.12.23-12ubuntu2.2                                 i386         GNU TLS library - OpenSSL wrapper
ii  openssl                                               1.0.1f-1ubuntu2.15                                  i386         Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl                                        0.13-2ubuntu6                                       i386         Python 2 wrapper around the OpenSSL library

apt-cache policy freeradius

freeradius:
  Installed: (none)
  Candidate: 2.1.12+dfsg-1.2ubuntu8.1
  Version table:
     2.1.12+dfsg-1.2ubuntu8.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
     2.1.12+dfsg-1.2ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages

apt-cache policy libssl1.0.0:i386

  Installed: (none)
  Candidate: 2.1.12+dfsg-1.2ubuntu8.1
  Version table: 
     2.1.12+dfsg-1.2ubuntu8.1 0 
        500 http://us.archive.ubuntu.com/ubuntu trusty-updates/main i386 Packages
     2.1.12+dfsg-1.2ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu trusty/main i386 Packages

2 Answers


What freeradius is doing, apparently, is detecting purely on the version string returned by OpenSSL on the OS. Unfortunately, that version string does NOT take into account Ubuntu or Debian revision numbers.

Ubuntu security updates are typically put in via a -#ubuntu# style changelog entry in the package, and the packages to install that have the security updates originate from the RELEASE-security repository, where RELEASE is the codename for the Ubuntu version you're on.

Because of this, we have to examine the specific CVE, and check the Ubuntu Security Team's CVE tracker. The page detailing the Heartbleed CVE (CVE-2014-0160) in the Ubuntu Security Team's tracker indicates that the following versions had patches applied to fix the OpenSSL Heartbleed issue:

  • Precise: Fixed in openssl package version 1.0.1-4ubuntu5.12
  • Trusty: Fixed in openssl package version 1.0.1f-1ubuntu2

If you have pulled in all OpenSSL updates from the Security repositories, and have at least 1.0.1f-1ubuntu2 of OpenSSL installed (and your information provided says that 1.0.1f-1ubuntu2.15 is installed), you will be fine.

Provided the above matches your case, then you can follow the instructions that the error message provides you, and put into place this line, probably as part of the configuration files: security.allow_vulnerable_openssl = 'CVE-2014-0160'

Thomas Ward

This is a minor follow-up on @"Thomas Ward"'s answer.

The config file to edit is:

radiusd.conf

and the edit is:

security {
    [...]
    #allow_vulnerable_openssl = no
    allow_vulnerable_openssl = 'CVE-2016-6304'
}
473183469