From: Philippe Wooding
Date: Fri, 5 Sep 2014 14:58:11 +0000 (+0200)
Subject: Add dependency on version of openssl with heartbleed fix based on distribution (debia...
X-Git-Tag: 3.0.4+moonshot1~49
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=a1254daacd24b4abb43d3347ced9f1f8ef04974f;p=freeradius.git
Add dependency on version of openssl with heartbleed fix based on distribution (debian or Ubuntu) and remove vulnerable openssl check at startup.
---
diff --git a/debian/control b/debian/control
index e5546fa..679a6a0 100644
--- a/debian/control
+++ b/debian/control
@@ -31,7 +31,7 @@ Homepage: http://www.freeradius.org/
 Package: freeradius
 Architecture: any
-Depends: lsb-base (>= 3.1-23.2), ${shlibs:Depends}, ${misc:Depends}, freeradius-common, freeradius-config, libfreeradius3 (= ${binary:Version}), ssl-cert, adduser
+Depends: lsb-base (>= 3.1-23.2), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends}, freeradius-common, freeradius-config, libfreeradius3 (= ${binary:Version}), ssl-cert, adduser
 Provides: radius-server
 Recommends: freeradius-utils
 Suggests: freeradius-ldap, freeradius-postgresql, freeradius-mysql, freeradius-krb5
@@ -65,7 +65,7 @@ Package: freeradius-utils
 Architecture: any
 Replaces: freeradius (<< 3)
 Conflicts: radiusd-livingston, yardradius
-Depends: ${shlibs:Depends}, ${misc:Depends}, freeradius-common, freeradius-config, libfreeradius3 (= ${binary:Version})
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends}, freeradius-common, freeradius-config, libfreeradius3 (= ${binary:Version})
 Recommends: libdbi-perl
 Description: FreeRADIUS client utilities
 This package contains various client programs and utilities from
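Review bot: `${dist:Depends}` in the two `Depends:` lines changed here (and in every later debian/control hunk) is a custom substitution variable, and nothing in debian/control says where it comes from or what it enforces. It is only filled when debian/rules hands `-Vdist:Depends=...` to dh_gencontrol; as far as I know dpkg-gencontrol otherwise just warns and substitutes an empty string, so the package would build without the libssl floor while the same commit switches off the startup check. I would add a comment line above the first stanza, `# ${dist:Depends}: libssl1.0.0 floor with the CVE-2014-0160 fix, set via SUBSTVARS in debian/rules`, and have the build fail if the generated Depends field lacks libssl1.0.0.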
@@ -83,7 +83,7 @@ Description: FreeRADIUS client utilities Package: libfreeradius3 Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends} +Depends: ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: FreeRADIUS shared library The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by the FreeRADIUS server and some of the utilities. @@ -91,7 +91,7 @@ Description: FreeRADIUS shared library Package: libfreeradius-dev Architecture: any Section: libdevel -Depends: ${shlibs:Depends}, ${misc:Depends}, libfreeradius3 (= ${binary:Version}) +Depends: ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends}, libfreeradius3 (= ${binary:Version}) Description: FreeRADIUS shared library development files The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by the FreeRADIUS server and some of the utilities. 
@@ -100,42 +100,42 @@ Description: FreeRADIUS shared library development files Package: freeradius-krb5 Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: kerberos module for FreeRADIUS server The FreeRADIUS server can use Kerberos to authenticate users, and this module is necessary for that. Package: freeradius-ldap Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: LDAP module for FreeRADIUS server The FreeRADIUS server can use LDAP to authenticate users, and this module is necessary for that. Package: freeradius-rest Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: REST module for FreeRADIUS server The FreeRADIUS server can make calls to remote web APIs, and this module is necessary for that. Package: freeradius-postgresql Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: PostgreSQL module for FreeRADIUS server The FreeRADIUS server can use PostgreSQL to authenticate users and do accounting, and this module is necessary for that. Package: freeradius-mysql Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: MySQL module for FreeRADIUS server The FreeRADIUS server can use MySQL to authenticate users and do accounting, and this module is necessary for that. 
Package: freeradius-iodbc Architecture: any -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: iODBC module for FreeRADIUS server The FreeRADIUS server can use iODBC to access databases to authenticate users and do accounting, and this module is necessary for that. @@ -144,7 +144,7 @@ Package: freeradius-dbg Architecture: any Section: debug Priority: extra -Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: freeradius (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends} Description: debug symbols for the FreeRADIUS packages FreeRADIUS is a modular, high performance and feature-rich RADIUS server. This package contains the detached debugging symbols for the Debian FreeRADIUS diff --git a/debian/patches/disable-openssl-check.diff b/debian/patches/disable-openssl-check.diff new file mode 100644 index 0000000..13c6130 --- /dev/null +++ b/debian/patches/disable-openssl-check.diff @@ -0,0 +1,15 @@ +--- a/raddb/radiusd.conf.in ++++ b/raddb/radiusd.conf.in +@@ -483,7 +483,11 @@ + # and may not reflect patches applied to libssl by + # distribution maintainers. + # +- allow_vulnerable_openssl = no ++ # This version of FreeRADIUS is built as a Debian (or Ubuntu) package that ++ # depends on the right version of OpenSSL, so this is set by ++ # default to allow the server to start. ++ # ++ allow_vulnerable_openssl = 'CVE-2014-0160' + } + + # PROXY CONFIGURATION diff --git a/debian/patches/series b/debian/patches/series index 5ba2d18..cba5c66 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ radiusd-to-freeradius.diff +disable-openssl-check.diff diff --git a/debian/rules b/debian/rules index 22335c6..dbb8bfb 100755 --- a/debian/rules +++ b/debian/rules 
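Review bot: The new default `allow_vulnerable_openssl = 'CVE-2014-0160'` in the radiusd.conf.in patch removes the check that runs against the libssl the server actually loads, and relies instead on a package dependency that dpkg evaluates only at install time. A forced or held-back libssl1.0.0, or a locally built OpenSSL that the loader finds first, would then start without any warning. Naming the CVE rather than writing `yes` is the narrower choice and should stay that way. The added comment should state the limit, for example `# dpkg checks the libssl floor at install time only; set this to 'no' if libssl may come from outside the package archive.`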
@@ -49,6 +49,13 @@ else
 confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
 endif
+# Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160).
+ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
+ SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)"
+else
+ SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)"
+endif
+
 include /usr/share/quilt/quilt.make
 config.status: configure
@@ -178,7 +185,7 @@ binary-common:
 dh_compress -Xexamples
 dh_fixperms
 dh_installdeb
- dh_gencontrol
+ dh_gencontrol -- $(SUBSTVARS)
 dh_md5sums
 dh_builddeb
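Review bot: The two `>=` floors in the first debian/rules hunk do not establish that the installed libssl1.0.0 is patched. `1.0.1e-2+deb7u5` is a Debian 7 security-update version, and any higher-sorting upload from another suite satisfies it whether or not it carries the fix; the Ubuntu floor `1.0.1f-1ubuntu2` likewise looks tied to a single release, so series that shipped the fix under a lower version number would be refused. The `dpkg-vendor` test also runs on the build machine, so the floor follows the builder rather than the system the package is installed on. The comment above the `ifeq` should say this, e.g. `# Floors are per-release fix versions; builds for other suites must override SUBSTVARS.`; the rest of debian/rules is outside the hunk.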