[RADIATOR] OpenSSL Heartbleed vulnerability

Heikki Vatiainen hvn at open.com.au
Wed Apr 9 07:44:35 CDT 2014


Hello everyone,

we have now done further testing and have verified that the OpenSSL
vulnerability described in CVE-2014-0160 [1] affects Radiator too.
Please see the CVE for more information about the vulnerability. The URL
is below.


We strongly recommend that the administrators update the OpenSSL
installation Radiator uses to a version that is not vulnerable.


To help with the OpenSSL update, we have identified a number of
possibilities. Note: this list is not meant to be exhaustive.

With Linux and other Unix type of systems, the required OpenSSL update
typically means applying the patches from the operating system provider.
These patches are already available for many operating systems.

Windows ActivePerl and Strawberry Perl users should see what updates are
available from these Perl providers.

An additional possibility on any system for updating OpenSSL to a
non-vulnerable version is to locally compile a new version of OpenSSL.
This may also require compiling Perl Net-SSLeay that links to the
OpenSSL libraries.

As an interim option, Windows ActivePerl and Strawberry Perl users may
also consider the precompiled Net-SSLeay PPM modules OSC has previously
made available. These modules come with OpenSSL 0.9.8 which is not
vulnerable according to CVE-2014-0160. Net-SSLeay is often used by
Radiator when SSL/TLS is needed, so this module will help to mitigate
the vulnerability while all the vulnerable OpenSSL versions are being
updated.

We have tested the precompiled Net-SSLeay PPM modules with 32 and 64 bit
ActivePerl and Strawberry Perl versions 5.16.3 and 5.14.4 and found them
non-vulnerable. We have not tested with other Perl versions, but we
believe the precompiled Net-SSLeay PPM modules for the other Perl
versions are not vulnerable either.

The precompiled Net-SSLeay PPM modules are available from OSC's web site:

https://www.open.com.au/radiator/free-downloads/

Future Radiator versions will try to detect OpenSSL with this
vulnerability, with an option to turn off the detection if required.


References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
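The post above points at Net-SSLeay as the component through which Radiator reaches OpenSSL, and says later Radiator releases will try to detect an affected OpenSSL. The following is an added example, not code from the original post and not Radiator's own detection code: it asks the installed Net::SSLeay which OpenSSL it is linked against and compares the numeric version against the range CVE-2014-0160 names (OpenSSL 1.0.1 up to and including 1.0.1f; 1.0.1g is the first fixed release, and 0.9.8 and 1.0.0 never had the heartbeat code). The function name `heartbleed_version_range` and the exit-code convention are this example's own choices. `Net::SSLeay::SSLeay()` and `Net::SSLeay::SSLeay_version(0)` are real Net::SSLeay calls returning the numeric version and the version string respectively.

```perl
#!/usr/bin/perl
# Added example, not part of the original post or of Radiator itself.
# Reports the OpenSSL that the installed Net::SSLeay links against and
# flags the version range listed in CVE-2014-0160 (1.0.1 through 1.0.1f).
use strict;
use warnings;
use Net::SSLeay;

# OpenSSL encodes its version number as 0xMNNFFPPS
# (major, minor, fix, patch letter, status).
#   1.0.1  -> 0x1000100f
#   1.0.1f -> 0x1000106f   (last affected release)
#   1.0.1g -> 0x1000107f   (first fixed release)
my $first_affected = 0x10001000;
my $first_fixed    = 0x1000107f;

# Returns 1 when the numeric OpenSSL version falls inside the affected range.
sub heartbleed_version_range {
    my ($version_number) = @_;
    return ($version_number >= $first_affected
            && $version_number <  $first_fixed) ? 1 : 0;
}

my $num = Net::SSLeay::SSLeay();           # OPENSSL_VERSION_NUMBER as an integer
my $str = Net::SSLeay::SSLeay_version(0);  # 0 = SSLEAY_VERSION, e.g. "OpenSSL 1.0.1e 11 Feb 2013"

printf "Net::SSLeay %s is linked against %s (0x%08x)\n",
    $Net::SSLeay::VERSION, $str, $num;

if (heartbleed_version_range($num)) {
    print "WARNING: this OpenSSL is in the CVE-2014-0160 affected range.\n";
    print "If the OS vendor backported the fix without changing the version\n",
          "string, this is a false positive; confirm against the vendor advisory.\n";
    exit 1;
}

print "OK: this OpenSSL is outside the CVE-2014-0160 affected range.\n";
exit 0;
```

Run it with the same perl binary Radiator uses (for example the ActivePerl or Strawberry Perl installation on Windows), because each Perl has its own Net::SSLeay and therefore its own OpenSSL. The version check is only a first pass: operating-system vendors commonly ship the fix as a patch to the existing 1.0.1e package without bumping the version string, so a warning from this check on a patched system is the false positive that a "turn off the detection" option, as mentioned in the post, exists for; conversely, a locally compiled 1.0.1g or later, or the 0.9.8-based PPM modules, will report clean.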

