← Back to team overview

pkg-perl-maintainers team mailing list archive

  1. pkg-perl-maintainers team
  2. Mailing list archive
  3. Message #04965

Re: [Bug 2073269] Re: [MIR] libconvert-base32-perl and libcrypt-urandom-perl

  Thread PreviousDate PreviousThread Next 
TBH the simplest thing to do is just to drop the rad secret program.
It not used for anything, and is just a helper script.

> On Jul 16, 2024, at 1:35 PM, Andreas Hasenack <2073269@xxxxxxxxxxxxxxxxxx> wrote:
> 
> The freeradius update to 3.2.5 enabled a new binary and two new modules,
> as part of the BlastRADIUS vulnerability (CVE-2024-3596) mitigations:
> 
> +  * New upstream version 3.2.5+dfsg
> +    This release adds a few hardening mitigations for the BlastRADIUS protocol
> +    vulnerability (CVE-2024-3596).
> +    - add new radsecret binary
> +    - add new rlm_dpsk and rlm_eap_teap modules
> 
> The new libconvert-base32-perl and libcrypt-urandom-perl dependencies
> come from radsecret, which is this 3-liner:
> 
> #!/usr/bin/env perl
> #
> #  A tool which generates strong shared secrets.
> #
> use Convert::Base32;
> use Crypt::URandom();
> print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";
> 
> There has to be a different way to do this that does not involve moving
> these perl modules to main...
> 
> 
> $ src/main/radsecret
> voaq-pxzx-a5bc-5pvf-woua
> 
> $ src/main/radsecret
> e7y3-vqwl-dd2j-bxz2-tmuq
> 
> 
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3596
> 
> --
> You received this bug notification because you are subscribed to
> freeradius in Ubuntu.
> https://bugs.launchpad.net/bugs/2073269
> 
> Title:
>  [MIR] libconvert-base32-perl and libcrypt-urandom-perl
> 
> Status in freeradius package in Ubuntu:
>  Confirmed
> Status in libconvert-base32-perl package in Ubuntu:
>  Incomplete
> Status in libcrypt-urandom-perl package in Ubuntu:
>  Incomplete
> 
> Bug description:
>  https://ubuntu-archive-team.ubuntu.com/component-mismatches-proposed.svg
>  shows freeradius depending on libconvert-base32-perl and libcrypt-urandom-perl now
> 
> 
>  Evaluate the new freeradius please if we want to file MIRs for them OR if we want to modify the dependencies.
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269/+subscriptions
>

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libconvert-base32-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2073269

Title:
  [MIR] libconvert-base32-perl and libcrypt-urandom-perl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269/+subscriptions

References

  Thread PreviousDate PreviousThread Next