forked from FreeRADIUS/www.freeradius.org
-
Notifications
You must be signed in to change notification settings - Fork 0
/
security.html
161 lines (145 loc) · 8.74 KB
/
security.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
---
layout: page
title: Releases
subtitle: Version downloads and complete release notes
subpage: true
permalink: /security/
hero: releases
subnav:
data: releases_subnav
---
<div class="wrapper base_padding_v">
<h3 class="section-title">Security Contact</h3>
<div class="row">
<div class="columns medium-8">
<p>The FreeRADIUS security contact is <a href="mailto:security@freeradius.org">security@freeradius.org</a>. All security related information or notifications should be sent to that address. Security notifications may be signed with the pgp key <a href="/pgp/aland@freeradius.org">aland@freeradius.org</a></p>
</div>
<div class="quick-links columns medium-4 text_accent-blue">
<a href="https://github.com/FreeRADIUS/freeradius-server/issues/new">
<div class="link block">
<img src="../img/debug.svg" alt="" class="icon">
<span class="h5 text-mid">Report a bug</span><img class="arrow" src="../img/arrow-right.svg">
</div>
</a>
<a href="http://stackoverflow.com/questions/tagged/freeradius">
<div class="link block">
<img src="../img/faq.svg" alt="" class="icon">
<span class="h5 text-mid">F.A.Q. on Stack Overflow</span><img class="arrow" src="../img/arrow-right.svg">
</div>
</a>
</div>
</div>
<h3 class="section-title">Security announcements</h3>
<div content-group ng-init="active = '#notifications'">
<div class="link accent-red" ng-class="{inactive: active != '#notifications'}" ng-click="toggle('#notifications')">
<span class="icon_small">{% include_relative /img/alert-red.svg %}</span>
<span class="h5">Vulnerability Notifications</span>
</div>
<div class="link accent-red" ng-class="{inactive: active != '#dependencies'}" ng-click="toggle('#dependencies')">
<span class="icon_small">{% include_relative /img/alert-red.svg %}</span>
<span class="h5">Vulnerability in Dependencies</span>
</div>
<div id="notifications" ng-show="active == '#notifications'">
{%- assign yearlist = "" -%}
{%- for post in site.categories.vul_notifications -%}
{%- if forloop.first != true -%}
{%- assign yearlist = yearlist | append: "," -%}
{%- endif -%}
{%- assign year = post.date | date: "%Y" -%}
{%- assign yearlist = yearlist | append: year -%}
{%- endfor -%}
{%- assign years = yearlist | split: "," | uniq -%}
<section class="articles" content-group ng-init="active = '#{{years[0]}}'">
<nav class="inline_nav base_padding_v">
<ul>
{% for year in years %}
{%- if forloop.first -%}
{%- assign olderDate = year | minus: 5 -%}
{%- endif -%}
{%- assign postDate = year | plus: 1 | minus : 1 -%}
{%- comment -%}<!-- plus and minus changes post.date from a string into an integer to compare to olderDate -->{%- endcomment -%}
{%- if postDate > olderDate -%}
<li ng-class="{active: active == '#{{year}}'}"><a class="subnav_link" ng-click="toggle('#{{year}}')">{{year}}</a></li>
{% else %}
{%- assign olderDates = olderDates | append: '-' | append: postDate -%}
{%- endif -%}
{%- endfor -%}
{%- if olderDates -%}
<li ng-class="{active: active == '#{{olderDates}}'}"><a class="subnav_link" ng-click="toggle('#{{olderDates}}')">Older...</a></li>
{% endif %}
</ul>
</nav>
<div class="article_list">
{% for post in site.categories.vul_notifications %}
<article class="security_post base_padding_v" ng-show="active.indexOf({{post.date | date: "%Y"}}) != -1">
<h4><span class="security_post_date">{{post.date | date: "%Y.%m.%d"}}</span>{{post.title}}</h4>
{{post.content}}
</article>
{% endfor %}
</div>
</section>
</div>
<div id="dependencies" ng-show="active == '#dependencies'">
{%- assign yearlist = "" -%}
{%- for post in site.categories.vul_in_deps -%}
{%- if forloop.first != true -%}
{%- assign yearlist = yearlist | append: "," -%}
{%- endif -%}
{%- assign year = post.date | date: "%Y" -%}
{%- assign yearlist = yearlist | append: year -%}
{%- endfor -%}
{%- assign years = yearlist | split: "," | uniq -%}
<section class="articles" content-group ng-init="active = '#{{years[0]}}'">
<nav class="inline_nav base_padding_v">
<ul>
{% for year in years %}
{%- if forloop.first -%}
{%- assign olderDate = year | minus: 5 -%}
{%- endif -%}
{%- assign postDate = year | plus: 1 | minus : 1 -%}
{%- comment -%}<!-- plus and minus changes post.date from a string into an integer to compare to olderDate -->{%- endcomment -%}
{%- if postDate > olderDate -%}
<li ng-class="{active: active == '#{{year}}'}"><a class="subnav_link" ng-click="toggle('#{{year}}')">{{year}}</a></li>
{% else %}
{%- assign olderDates = olderDates | append: '-' | append: postDate -%}
{%- endif -%}
{%- endfor -%}
{%- if olderDates -%}
<li ng-class="{active: active == '#{{olderDates}}'}"><a class="subnav_link" ng-click="toggle('#{{olderDates}}')">Older...</a></li>
{% endif %}
</ul>
</nav>
<div class="article_list">
{% for post in site.categories.vul_in_deps %}
<article class="security_post base_padding_v" ng-show="active.indexOf({{post.date | date: "%Y"}}) != -1">
<h4><span class="security_post_date">{{post.date | date: "%Y.%m.%d"}}</span>{{post.title}}</h4>
{{post.content}}
</article>
{% endfor %}
</div>
</section>
</div>
</div>
</div>
<section class="bg_block-light lg_padding_v">
<div class="wrapper">
<h4>FreeRADIUS Security</h4>
<h5>Defensive Programming</h5>
<p>All input is sanity-checked before use.</p>
<h5>Clean code</h5>
<p>There are no C compiler warnings in the build. Builds performed by developers have -Werror set, so that new errors are not introduced.</p>
<h5>Builds with multiple compilers</h5>
<p>We use GCC and CLANG for all builds. Each compiler produces a slightly different set of warnings. As seen above, no warnings from any compiler are allowed in the build.</p>
<h5>Builds on multiple operating systems</h5>
<p>We always build on Mac OSX and Ubuntu. We are in the process of adding FreeBSD and CentOS.</p>
<h5>Builds are done with every single module, and multiple feature permutations</h5>
<p>There is no portion of the server which has "code rot" because it has not been built for years.</p>
<h5>Continuous testing</h5>
<p>The src/tests/ directory has a growing set of tests for server functionality. These tests help ensure that new commits do not accidentally break existing functionality</p>
<h5>Continuous integration</h5>
<p>Commits are built and tested via travis</p>
<h5>Static analysis (3X!)</h5>
<p>Builds are performed weekly with Coverity. Builds are performed daily with Clang static analyzer and cppcheck. The server must build with no errors before it can be released.</p>
<p>These practices are not perfect. The test suite is growing, but it does not cover all of the servers functionality. As a result, the latest releases may still have bugs. The version 2 "stable" release undergoes less code churn and is the "long term support" stable and bug-free release. The version 3 "feature" release has significantly more code churn, and therefore, may have more issues than version 2</p>
</div>
</section>