pkg-perl-maintainers team mailing list archive
Message #04965
Re: [Bug 2073269] Re: [MIR] libconvert-base32-perl and libcrypt-urandom-perl
TBH the simplest thing to do is just to drop the radsecret program.
It is not used for anything, and is just a helper script.
> On Jul 16, 2024, at 1:35 PM, Andreas Hasenack <2073269@xxxxxxxxxxxxxxxxxx> wrote:
>
> The freeradius update to 3.2.5 enabled a new binary and two new modules,
> as part of the BlastRADIUS vulnerability (CVE-2024-3596) mitigations:
>
> + * New upstream version 3.2.5+dfsg
> + This release adds a few hardening mitigations for the BlastRADIUS protocol
> + vulnerability (CVE-2024-3596).
> + - add new radsecret binary
> + - add new rlm_dpsk and rlm_eap_teap modules
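Review bot: the "- add new radsecret binary" line does not record that the binary brings in two new Perl runtime dependencies, Convert::Base32 and Crypt::URandom, which is the change that triggers the component mismatch discussed here. Suggest naming both modules in that changelog line so the dependency change is visible to anyone reading the upload.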
>
> The new libconvert-base32-perl and libcrypt-urandom-perl dependencies
> come from radsecret, which is this 3-liner:
>
> #!/usr/bin/env perl
> #
> # A tool which generates strong shared secrets.
> #
> use Convert::Base32;
> use Crypt::URandom();
> print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";
>
> There has to be a different way to do this that does not involve moving
> these perl modules to main...
>
>
> $ src/main/radsecret
> voaq-pxzx-a5bc-5pvf-woua
>
> $ src/main/radsecret
> e7y3-vqwl-dd2j-bxz2-tmuq
>
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3596
>
> --
> You received this bug notification because you are subscribed to
> freeradius in Ubuntu.
> https://bugs.launchpad.net/bugs/2073269
>
> Title:
> [MIR] libconvert-base32-perl and libcrypt-urandom-perl
>
> Status in freeradius package in Ubuntu:
> Confirmed
> Status in libconvert-base32-perl package in Ubuntu:
> Incomplete
> Status in libcrypt-urandom-perl package in Ubuntu:
> Incomplete
>
> Bug description:
> https://ubuntu-archive-team.ubuntu.com/component-mismatches-proposed.svg
> shows freeradius depending on libconvert-base32-perl and libcrypt-urandom-perl now
>
>
> Evaluate the new freeradius please if we want to file MIRs for them OR if we want to modify the dependencies.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269/+subscriptions
>
--
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libconvert-base32-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2073269
Title:
[MIR] libconvert-base32-perl and libcrypt-urandom-perl
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269/+subscriptions
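On the question raised in the quoted message (producing the same kind of secret without Convert::Base32 or Crypt::URandom), here is an added example that is not code from this thread or from FreeRADIUS. The function names `b32_groups` and `radsecret_like` are hypothetical, and the script assumes POSIX sh with `od`, `dd`, `cut`, `sed` and a readable `/dev/urandom`.

```shell
#!/bin/sh
# Added example: radsecret-style output with no Perl modules.
# Assumes POSIX sh, od, dd, cut, sed and a readable /dev/urandom.

ALPHABET=abcdefghijklmnopqrstuvwxyz234567   # RFC 4648 base32, lowercased

# Hypothetical helper: encode stdin as unpadded base32 in dash-separated fours.
b32_groups() {
    acc=0 bits=0 out=
    for byte in $(od -An -v -tu1); do
        acc=$(( (acc << 8) | byte ))
        bits=$(( bits + 8 ))
        while [ "$bits" -ge 5 ]; do
            bits=$(( bits - 5 ))
            idx=$(( ((acc >> bits) & 31) + 1 ))
            out=$out$(printf '%s' "$ALPHABET" | cut -c"$idx")
            acc=$(( acc & ((1 << bits) - 1) ))
        done
    done
    if [ "$bits" -gt 0 ]; then
        # Leftover bits are left-aligned in a final 5-bit symbol.
        idx=$(( ((acc << (5 - bits)) & 31) + 1 ))
        out=$out$(printf '%s' "$ALPHABET" | cut -c"$idx")
    fi
    printf '%s\n' "$out" | sed 's/..../&-/g; s/-$//'
}

# Hypothetical helper: print one secret built from N kernel random bytes
# (default 12, i.e. 96 bits, the size the quoted script uses).
radsecret_like() {
    nbytes=${1:-12}
    secret=$(dd if=/dev/urandom bs=1 count="$nbytes" 2>/dev/null | b32_groups)
    # Refuse to print a weaker secret if fewer bytes than requested arrived.
    want=$(( (nbytes * 8 + 4) / 5 ))
    raw=$(printf '%s' "$secret" | tr -d '-')
    if [ "${#raw}" -ne "$want" ]; then
        echo "short read from /dev/urandom" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

radsecret_like 12
```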