File CVE-2017-9148.patch of Package freeradius-server.27524

commit 8f53382c64114936a0433d68101a24570783e13a
Author: Alan T. DeKok <aland@freeradius.org>
Date:   Mon May 8 16:00:01 2017 -0400

    set S_IWUSR when creating the file, not later

commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be
Author: Alan T. DeKok <aland@freeradius.org>
Date:   Mon May 8 16:38:56 2017 -0400

    disable internal OpenSSL cache

Index: freeradius-server-3.0.3/src/main/tls.c
===================================================================
--- freeradius-server-3.0.3.orig/src/main/tls.c
+++ freeradius-server-3.0.3/src/main/tls.c
@@ -1089,7 +1089,7 @@ static int cbtls_new_session(SSL *ssl, S
 		/* open output file */
 		snprintf(filename, sizeof(filename), "%s%c%s.asn1",
 			 conf->session_cache_path, FR_DIR_SEP, buffer);
-		fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600);
+		fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR);
 		if (fd < 0) {
 			DEBUG2("  SSL: could not open session file %s: %s", filename, fr_syserror(errno));
 			goto error;
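Review bot: The new mode `S_IWUSR` on the `open()` call creates the session file as 0200, dropping the owner read bit that `0600` granted. The descriptor returned here is still read/write, but any later `open()` of the same path for reading would fail with EACCES unless code outside this hunk adds `S_IRUSR` back. If write-then-lock-down is intended, a comment on the line would make that explicit, e.g. `/* created write-only; read permission is granted once the session is fully written */`; if no such step exists, the mode should be `S_IRUSR | S_IWUSR`. The `snprintf()` result just above is also unchecked, so a truncated `filename` would be opened silently. The body of cbtls_new_session starts and ends outside the hunk.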
@@ -2378,9 +2378,9 @@ post_ca:
 		}
 
 		/*
-		 *	Cache it, and DON'T auto-clear it.
+		 *	Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.
 		 */
-		SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
+		SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);
 
 		SSL_CTX_set_session_id_context(ctx,
 					       (unsigned char *) conf->session_context_id,
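Review bot: The rewritten comment above `SSL_CTX_set_session_cache_mode()` says the internal OpenSSL cache is disabled but not why, and this is the security-relevant line of the patch. With `SSL_SESS_CACHE_NO_INTERNAL` set, OpenSSL neither stores nor looks up sessions itself, so resumption can only happen through the application's session callbacks; presumably the intent is that every resumed session passes the server's own checks. I would state that in the comment, e.g. `Disable OpenSSL's internal cache so a session can only be resumed through our own session callbacks.`, and mention that `SSL_SESS_CACHE_NO_AUTO_CLEAR` likely has little effect once the internal cache is off. The enclosing block begins before the hunk and continues past it, so whether callbacks are always registered on this path cannot be confirmed from here.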