pkg-perl-maintainers team mailing list archive

[Bug 2073269] Re: [MIR] libconvert-base32-perl and libcrypt-urandom-perl

 

The freeradius update to 3.2.5 enabled a new binary and two new modules,
as part of the BlastRADIUS vulnerability (CVE-2024-3596) mitigations:

+  * New upstream version 3.2.5+dfsg
+    This release adds a few hardening mitigations for the BlastRADIUS protocol
+    vulnerability (CVE-2024-3596).
+    - add new radsecret binary
+    - add new rlm_dpsk and rlm_eap_teap modules

The new libconvert-base32-perl and libcrypt-urandom-perl dependencies
come from radsecret, which is this 3-liner:

#!/usr/bin/env perl
#
#  A tool which generates strong shared secrets.
#
use Convert::Base32;
use Crypt::URandom();
print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";

There has to be a different way to do this that does not involve moving
these perl modules to main...


$ src/main/radsecret 
voaq-pxzx-a5bc-5pvf-woua

$ src/main/radsecret 
e7y3-vqwl-dd2j-bxz2-tmuq


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3596

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libconvert-base32-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2073269

Title:
  [MIR] libconvert-base32-perl and libcrypt-urandom-perl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269/+subscriptions


