diff --git a/CVE-2019-10143.patch b/CVE-2019-10143.patch deleted file mode 100644 index 0a547ef..0000000 --- a/CVE-2019-10143.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Tue, 7 May 2019 16:04:29 -0400 -Subject: [PATCH] su to radiusd user/group when rotating logs - -The su directive to logrotate ensures that log rotation happens under the -owner of the logs. Otherwise, logrotate runs as root:root, potentially -enabling privilege escalation if a RCE is discovered against the -FreeRADIUS daemon. - -Signed-off-by: Alexander Scheel ---- - debian/freeradius.logrotate | 3 +++ - redhat/freeradius-logrotate | 1 + - scripts/logrotate/freeradius | 3 +++ - suse/radiusd-logrotate | 1 + - 4 files changed, 8 insertions(+) - -diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate -index 7d837d53bd..a8d29b7adf 100644 ---- a/debian/freeradius.logrotate -+++ b/debian/freeradius.logrotate -@@ -9,6 +9,7 @@ - notifempty - - copytruncate -+ su freerad freerad - } - - # (in order) -@@ -26,6 +27,7 @@ - notifempty - - nocreate -+ su freerad freerad - } - - # There are different detail-rotating strategies you can use. One is -@@ -45,4 +47,5 @@ - notifempty - - nocreate -+ su freerad freerad - } -diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate -index 360765ddc4..bb97ca5547 100644 ---- a/redhat/freeradius-logrotate -+++ b/redhat/freeradius-logrotate -@@ -9,6 +9,7 @@ rotate 4 - missingok - compress - delaycompress -+su radiusd radiusd - - # - # The main server log -diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius -index 3de435e76e..eecf63175a 100644 ---- a/scripts/logrotate/freeradius -+++ b/scripts/logrotate/freeradius -@@ -17,6 +17,7 @@ - notifempty - - copytruncate -+ su radiusd radiusd - } - - # (in order) -@@ -34,6 +35,7 @@ - notifempty - - nocreate -+ su radiusd radiusd - } - - # There are different detail-rotating strategies you can use. One is -@@ -53,4 +55,5 @@ - notifempty - - nocreate -+ su radiusd radiusd - } -diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate -index 24d56be1a9..be5a797684 100644 ---- a/suse/radiusd-logrotate -+++ b/suse/radiusd-logrotate -@@ -11,6 +11,7 @@ missingok - compress - delaycompress - notifempty -+su radiusd radiusd - - # - # The main server log diff --git a/freeradius-server.changes b/freeradius-server.changes index dab0b53..799c80e 100644 --- a/freeradius-server.changes +++ b/freeradius-server.changes @@ -1,9 +1,3 @@ -------------------------------------------------------------------- -Mon May 27 11:12:27 UTC 2019 - Adam Majer - -- CVE-2019-10143.patch: fix potential privilege escalation due to - insecure logrotation permissions (bsc#1136195, CVE-2019-10143) - ------------------------------------------------------------------- Wed Apr 10 17:01:55 UTC 2019 - Michael Ströder diff --git a/freeradius-server.spec b/freeradius-server.spec index 2e610eb..c61801a 100644 --- a/freeradius-server.spec +++ b/freeradius-server.spec @@ -62,7 +62,6 @@ Patch3: freeradius-server-rcradiusd.patch Patch5: freeradius-server-rlm_sql_unixodbc-configure.patch Patch6: freeradius-server-radclient-init-error-buffer.patch Patch7: freeradius-server-opensslversion.patch -Patch8: CVE-2019-10143.patch BuildRequires: apache2-devel BuildRequires: cyrus-sasl-devel BuildRequires: db-devel @@ -240,7 +239,6 @@ FreeRADIUS plugin providing SQLite support. %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 %build modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"