main/freeradius: upgrade to 3.0.20

3 files changed, 4 insertions, 179 deletions

diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index 174b16f69e..afb8167d8d 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -4,8 +4,8 @@
 # Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
 pkgname=freeradius
 _realname=freeradius
-pkgver=3.0.19
-pkgrel=3
+pkgver=3.0.20
+pkgrel=0
 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
 url="https://freeradius.org/"
 arch="all"
@@ -30,7 +30,6 @@ source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
 	musl-fix-headers.patch
 	fix-scopeid.patch
 	freeradius-313-default-config.patch
-	CVE-2019-10143.patch
 	"
 builddir="$srcdir"/$_realname-server-$pkgver
 
@@ -284,10 +283,9 @@ redis() {
 	mv "${pkgdir}"${_radlibdir}/rlm_redis* "${subpkgdir}"${_radlibdir}
 }
 
-sha512sums="8a914e2ad1fbeb4cf8c00aaf7eaa154ea17f70e4d58734716bfaf71b3ddef9f8f63a4d3217bdc07dfa776273e5bf090bc98f7bb16f5b565339ddc3b9c13e091f  freeradius-server-3.0.19.tar.gz
+sha512sums="513ed0a5d9e6b9a8d89a9b02c86ff528a9ff14d928f4c1040ca44702465abd711588fe6afa35554cb2c8e8bd7f19dd5be3dbc78445c62c7b00bf5cbc4c621312  freeradius-server-3.0.20.tar.gz
 e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d610940bc4ae50c022594e219ce341b36abe85c572acad418b  freeradius.confd
 ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a  freeradius.initd
 c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d  musl-fix-headers.patch
 41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234  fix-scopeid.patch
-666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e  freeradius-313-default-config.patch
-5506cc095553c2024319f0818fd317c02c0aa52f306b506e44f661f2f600874426118decdc2313a2da8313bff3578d364262f947faa9198595a830764a336b57  CVE-2019-10143.patch"
+666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e  freeradius-313-default-config.patch"
diff --git a/main/freeradius/CVE-2015-4680.patch b/main/freeradius/CVE-2015-4680.patch
deleted file mode 100644
index ade38c9ee7..0000000000
--- a/main/freeradius/CVE-2015-4680.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok" <aland@freeradius.org>
-Date: Mon, 22 Jun 2015 15:27:10 -0400
-Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
-
----
- raddb/mods-available/eap |  6 +++++-
- src/include/tls-h        |  1 +
- src/main/tls.c           | 12 ++++++++++++
- 3 files changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 165971a..10026ec 100644
---- a/raddb/mods-available/eap
-+++ b/raddb/mods-available/eap
-@@ -269,9 +269,13 @@ eap {
- 		#  1) Copy CA certificates and CRLs to same directory.
- 		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
- 		#    'c_rehash' is OpenSSL's command.
--		#  3) uncomment the line below.
-+		#  3) uncomment the lines below.
- 		#  5) Restart radiusd
- 	#	check_crl = yes
-+
-+		# Check if intermediate CAs have been revoked.
-+	#	check_all_crl = yes
-+
- 		ca_path = ${cadir}
- 
- 		#
-diff --git a/src/include/tls-h b/src/include/tls-h
-index 9fdc775..a41c6f5 100644
---- a/src/include/tls-h
-+++ b/src/include/tls-h
-@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
- 	 */
- 	uint32_t	fragment_size;
- 	bool		check_crl;
-+	bool		check_all_crl;
- 	bool		allow_expired_crl;
- 	char const	*check_cert_cn;
- 	char const	*cipher_list;
-diff --git a/src/main/tls.c b/src/main/tls.c
-index 692651f..9df48b4 100644
---- a/src/main/tls.c
-+++ b/src/main/tls.c
-@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
- 	{ "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
- 	{ "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
- 	{ "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
-+#ifdef X509_V_FLAG_CRL_CHECK_ALL
-+	{ "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
-+#endif
- 	{ "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
- 	{ "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
- 	{ "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
-@@ -2104,6 +2107,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
- 	if (conf->check_crl)
- 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
- #endif
-+#ifdef X509_V_FLAG_CRL_CHECK_ALL
-+	if (conf->check_all_crl)
-+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
-+#endif
- 	return store;
- }
- #endif	/* HAVE_OPENSSL_OCSP_H */
-@@ -2591,6 +2598,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
- 	    		return NULL;
- 		}
- 		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+
-+#ifdef X509_V_FLAG_CRL_CHECK_ALL
-+		if (conf->check_all_crl)
-+			X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
-+#endif
- 	}
- #endif
- 
diff --git a/main/freeradius/CVE-2019-10143.patch b/main/freeradius/CVE-2019-10143.patch
deleted file mode 100644
index 528550aa82..0000000000
--- a/main/freeradius/CVE-2019-10143.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 7 May 2019 16:04:29 -0400
-Subject: [PATCH] su to radiusd user/group when rotating logs
-
-The su directive to logrotate ensures that log rotation happens under the
-owner of the logs. Otherwise, logrotate runs as root:root, potentially
-enabling privilege escalation if a RCE is discovered against the
-FreeRADIUS daemon.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- debian/freeradius.logrotate  | 3 +++
- redhat/freeradius-logrotate  | 1 +
- scripts/logrotate/freeradius | 3 +++
- suse/radiusd-logrotate       | 1 +
- 4 files changed, 8 insertions(+)
-
-diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
-index 7d837d53bd..a8d29b7adf 100644
---- a/debian/freeradius.logrotate
-+++ b/debian/freeradius.logrotate
-@@ -9,6 +9,7 @@
- 	notifempty
- 
- 	copytruncate
-+	su freerad freerad
- }
- 
- # (in order)
-@@ -26,6 +27,7 @@
- 	notifempty
- 
- 	nocreate
-+	su freerad freerad
- }
- 
- # There are different detail-rotating strategies you can use.  One is
-@@ -45,4 +47,5 @@
- 	notifempty
- 
- 	nocreate
-+	su freerad freerad
- }
-diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
-index 360765ddc4..bb97ca5547 100644
---- a/redhat/freeradius-logrotate
-+++ b/redhat/freeradius-logrotate
-@@ -9,6 +9,7 @@ rotate 4
- missingok
- compress
- delaycompress
-+su radiusd radiusd
- 
- #
- #  The main server log
-diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
-index 3de435e76e..eecf63175a 100644
---- a/scripts/logrotate/freeradius
-+++ b/scripts/logrotate/freeradius
-@@ -17,6 +17,7 @@
- 	notifempty
- 
- 	copytruncate
-+	su radiusd radiusd
- }
- 
- # (in order)
-@@ -34,6 +35,7 @@
- 	notifempty
- 
- 	nocreate
-+	su radiusd radiusd
- }
- 
- # There are different detail-rotating strategies you can use.  One is
-@@ -53,4 +55,5 @@
- 	notifempty
- 
- 	nocreate
-+	su radiusd radiusd
- }
-diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
-index 24d56be1a9..be5a797684 100644
---- a/suse/radiusd-logrotate
-+++ b/suse/radiusd-logrotate
-@@ -11,6 +11,7 @@ missingok
- compress
- delaycompress
- notifempty
-+su radiusd radiusd
- 
- #
- #  The main server log