
I work with Ubuntu 14.04 and I can't start the freeradius daemon (freeradius-server-3.0.9). I have this error that I cannot solve:

Refusing to start with libssl version OpenSSL 1.0.1f 6 Jan 2014    
0x1000106f (1.0.1f release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set    
security.allow_vulnerable_openssl = 'CVE-2014-0160'

dpkg -l | grep openssl

ii  libgnutls-openssl27:i386                              2.12.23-12ubuntu2.2                                 i386         GNU TLS library - OpenSSL wrapper
ii  openssl                                               1.0.1f-1ubuntu2.15                                  i386         Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl                                        0.13-2ubuntu6                                       i386         Python 2 wrapper around the OpenSSL library

apt-cache policy freeradius

freeradius:
  Installed: (none)
  Candidate: 2.1.12+dfsg-1.2ubuntu8.1
  Version table:
     2.1.12+dfsg-1.2ubuntu8.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
     2.1.12+dfsg-1.2ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages

apt-cache policy libssl1.0.0:i386

  Installed: (none)
  Candidate: 2.1.12+dfsg-1.2ubuntu8.1
  Version table: 
     2.1.12+dfsg-1.2ubuntu8.1 0 
        500 http://us.archive.ubuntu.com/ubuntu trusty-updates/main i386 Packages
     2.1.12+dfsg-1.2ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu trusty/main i386 Packages
Laasri Reda
  • [Edit] your question and add the output of `dpkg -l | grep libssl` – A.B. Sep 10 '15 at 16:46
  • root@ubuntu:~# dpkg -l|grep libssl
    ii libssl-dev:i386 1.0.1f-1ubuntu2.15 i386 Secure Sockets Layer toolkit - development files
    ii libssl-doc 1.0.1f-1ubuntu2.15 all Secure Sockets Layer toolkit - development documentation
    ii libssl1.0.0:i386 1.0.1f-1ubuntu2.15 i386 Secure Sockets Layer toolkit - shared libraries
    – Laasri Reda Sep 10 '15 at 17:16
  • root@ubuntu:~# openssl version OpenSSL 1.0.1f 6 Jan 2014 – Laasri Reda Sep 10 '15 at 17:17
  • OpenSSL 1.0.1f is not fixed .. – Laasri Reda Sep 10 '15 at 17:18
  • Don't use the comments for the output of the commands. [Edit] your question and add the output of `apt-cache policy freeradius` – A.B. Sep 10 '15 at 17:31
  • Or have you installed the server with this version: http://freeradius.org/download.html – A.B. Sep 10 '15 at 17:34
  • And one more: `apt-cache policy libssl1.0.0:i386` – A.B. Sep 10 '15 at 17:36
  • Installed: (none) Candidate: 2.1.12+dfsg-1.2ubuntu8.1 Version table: 2.1.12+dfsg-1.2ubuntu8.1 0 500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages 2.1.12+dfsg-1.2ubuntu8 0 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main i386 Packages – Laasri Reda Sep 10 '15 at 17:45
  • Please [EDIT] your question. – A.B. Sep 10 '15 at 17:46
  • version of openssl: openssl1.0.1f is not fixed ( that's the problem ) , I update and upgrade openssl ----> same error ' freeradius refuses to start with this version -----> I think I must remove the actual version and install the version openssl-1.0.1g ( is fixed and not vulnerable ) but how can I do it ?? – Laasri Reda Sep 10 '15 at 17:48
  • Please start my commands and add the output into your question by [edit]ing your question. – A.B. Sep 10 '15 at 17:49
  • It's ok , I'm editing my question – Laasri Reda Sep 10 '15 at 18:02
  • @LaasriReda how did you install freeradius? From `apt-get` or from source, or some other method? – Thomas Ward Sep 12 '15 at 22:45
  • tar zxvf freeradius-server-3.0.9.tar.gz cd freeradius-server-3.0.9 ./configure --sysconfdir=/etc – Laasri Reda Sep 13 '15 at 15:03

2 Answers


What freeradius is doing, apparently, is detecting purely on the version string returned by OpenSSL on the OS. Unfortunately, that version string does NOT take into account Ubuntu or Debian revision numbers.

Ubuntu security updates are typically put in via a -#ubuntu# style changelog entry in the package, and the packages to install that have the security updates originate from the RELEASE-security repository, where RELEASE is the codename for the Ubuntu version you're on.

Because of this, we have to examine the specific CVE, and check the Ubuntu Security Team's CVE tracker. The page detailing the Heartbleed CVE (CVE-2014-0160) in the Ubuntu Security Team's tracker indicates that the following versions had patches applied to fix the OpenSSL Heartbleed issue:

  • Precise: Fixed in openssl package version 1.0.1-4ubuntu5.12
  • Trusty: Fixed in openssl package version 1.0.1f-1ubuntu2

If you have pulled in all OpenSSL updates from the Security repositories, and have at least 1.0.1f-1ubuntu2 of OpenSSL installed (and your information provided says that 1.0.1f-1ubuntu2.15 is installed), you will be fine.

Provided the above matches your case, then you can follow the instructions that the error message provides you, and put into place this line, probably as part of the configuration files: security.allow_vulnerable_openssl = 'CVE-2014-0160'

Thomas Ward
  • Mr Thomas , can you give me commands to install 1.0.1f-1ubuntu2.15 instead of openssl.1.0.1f ... because after updating and upgrading ubuntu , openssl1.0.1f keeps staying , so please give me the instructions to follow ( I'm a beginner on linux ) ...Thank you – Laasri Reda Sep 11 '15 at 15:34
  • @LaasriReda Reread my answer. Especially this phrase in it: **"and your information provided says that 1.0.1f-1ubuntu2.15 is installed"**. You're already good to go. The corresponding `libssl-dev` and `libssl` packages and such are provided by the same source package, so you shouldn't need to do anything else. – Thomas Ward Sep 11 '15 at 19:02
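The two checks the answer above describes can be reproduced offline. The following is an added example, not FreeRADIUS or Ubuntu code: it decodes the OPENSSL_VERSION_NUMBER that FreeRADIUS reports (0x1000106f here) and tests it against the advisory range, then compares the installed Ubuntu package revision against the fix version from the CVE tracker the way `dpkg --compare-versions` would. The range constants are assumed from the "1.0.1 dev - 1.0.1f release" text in the error message, the fix versions are the ones quoted in the answer, and `heartbleed_decision` and the other function names are this example's own.

```python
"""Added example (not FreeRADIUS's or Ubuntu's code).

1. FreeRADIUS compares SSLeay()/OPENSSL_VERSION_NUMBER against a fixed
   [low, high] range and refuses to start if the number falls inside it.
   The range below is assumed from the error text on this page.
2. Whether the Heartbleed fix is really present on Ubuntu is decided by the
   Debian/Ubuntu *package* revision (1.0.1f-1ubuntu2 or later on trusty),
   which the upstream version number cannot express.  dpkg's version
   comparison is reimplemented here so the example runs without dpkg.
"""

# CVE-2014-0160 range as FreeRADIUS prints it: "1.0.1 dev - 1.0.1f release".
HEARTBLEED_LOW = 0x10001000   # 1.0.1 dev  (assumed from the message)
HEARTBLEED_HIGH = 0x1000106F  # 1.0.1f release
# Fix versions from the Ubuntu CVE tracker, as quoted in the answer above.
UBUNTU_FIXED = {"precise": "1.0.1-4ubuntu5.12", "trusty": "1.0.1f-1ubuntu2"}


def openssl_version_string(num):
    """Decode an OPENSSL_VERSION_NUMBER (MNNFFPPS nibbles) into 1.0.x text."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    text = "%d.%d.%d" % (major, minor, fix)
    if patch:
        text += chr(ord("a") + patch - 1)   # patch 6 -> "f"
    if status == 0:
        text += " dev"
    elif status < 0xF:
        text += " beta%d" % status
    else:
        text += " release"
    return text


def freeradius_refuses(num):
    """True when the upstream version number sits inside the advisory range."""
    return HEARTBLEED_LOW <= num <= HEARTBLEED_HIGH


def _order(c):
    """Character weight used by dpkg: '~' sorts before end-of-string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return (ord(c) + 256) if c else 0


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def heartbleed_decision(openssl_num, release, installed_pkg_version):
    """What to do about 'Refusing to start': 'start', 'acknowledge' or 'upgrade'."""
    if not freeradius_refuses(openssl_num):
        return "start"            # upstream build outside the range, nothing to do
    if compare_versions(installed_pkg_version, UBUNTU_FIXED[release]) >= 0:
        return "acknowledge"      # backport present: set allow_vulnerable_openssl
    return "upgrade"              # genuinely vulnerable: install the security update


if __name__ == "__main__":
    # Constructed input matching the question: 0x1000106f on trusty, libssl 1.0.1f-1ubuntu2.15.
    n = 0x1000106F
    print(openssl_version_string(n), hex(n), "in range:", freeradius_refuses(n))
    print(heartbleed_decision(n, "trusty", "1.0.1f-1ubuntu2.15"))
```

On the real box the installed revision comes from `dpkg-query -W -f='${Version}' libssl1.0.0` and the comparison from `dpkg --compare-versions "$installed" ge 1.0.1f-1ubuntu2`; `openssl version` only prints the upstream string and so cannot answer the question on its own, which is exactly why the daemon's check and the package state disagree.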

This is a minor follow-up on @Thomas Ward's answer.

The config file to edit is:

radiusd.conf

and the edit is:

security {
    [...]
    #allow_vulnerable_openssl = no
    allow_vulnerable_openssl = 'CVE-2016-6304'
}
473183469