Re: BlastRADIUS mitigation - Mailing list pgsql-hackers

From Tom Lane
Subject Re: BlastRADIUS mitigation
Date
Msg-id 1113012.1722883851@sss.pgh.pa.us
In response to Re: BlastRADIUS mitigation  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers
Heikki Linnakangas <hlinnaka@iki.fi> writes:
> On 05/08/2024 15:43, Thomas Munro wrote:
>> The response requirement can be enabled by radiusrequirema=1 in
>> pg_hba.conf.  For example, Debian stable is currently shipping
>> FreeRADIUS 3.2.1 which doesn't yet send the MA in its responses, but
>> FreeBSD and Debian "testing" have started shipping FreeRADIUS 3.2.5
>> which is how I noticed all this.  So it doesn't seem quite right to
>> require it by default, yet?

> Agreed.

We should think about that not in terms of the situation today,
but the situation when we ship this fix, possibly as much as
three months from now.  (There was some mention in the security-list
discussion of maybe making an off-cycle release to get this out
sooner; but nothing was decided, and I doubt we'll do that unless
we start getting user complaints.)  It seems likely to me that
most up-to-date systems will have BlastRADIUS mitigation in place
by then, so maybe we should lean towards secure-by-default.

We don't necessarily have to make that decision today, either.
We could start with not-secure-by-default but reconsider
whenever the release is imminent.

            regards, tom lane
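The `radiusrequirema=1` setting quoted above decides what a RADIUS client does when a reply lacks a Message-Authenticator. The Python below is added here as an illustration and is not PostgreSQL's or FreeRADIUS's code; it shows the two checks a client can apply to an Access-Accept: the MD5 Response Authenticator of RFC 2865 (the value BlastRADIUS undermines) and the HMAC-MD5 Message-Authenticator of RFC 2869 attribute 80 (the value the mitigation relies on), with a `require_ma` flag standing in for the pg_hba.conf option. The shared secret, request authenticator and attribute payloads are constructed sample values.

```python
"""Verify a RADIUS Access-Accept/Reject/Challenge the way a client with a
"require Message-Authenticator" option would. Added example, not PostgreSQL code."""
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type
REPLY_MESSAGE = 18           # RFC 2865 attribute type, used only as sample payload
ACCESS_ACCEPT = 2
HEADER_LEN = 20              # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLV byte string."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attributes(packet):
    """Yield (type, value, value_offset_in_packet); raise ValueError on bad TLVs."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        yield t, packet[off + 2:off + length], off + 2
        off += length


def response_authenticator(header, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret, include_ma=True):
    """Build a server reply; with include_ma=True append a correct Message-Authenticator."""
    attr_bytes = encode_attributes(attrs)
    if include_ma:
        attr_bytes += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    if include_ma:
        # RFC 2869 section 5.14: for replies, HMAC-MD5 over the packet with the
        # *Request* Authenticator in the authenticator field and the MA value zeroed.
        mac = hmac.new(secret, header + request_auth + attr_bytes, hashlib.md5).digest()
        attr_bytes = attr_bytes[:-16] + mac
    return header + response_authenticator(header, request_auth, attr_bytes, secret) + attr_bytes


def verify_response(packet, request_auth, secret, require_ma):
    """Return (ok, reason). require_ma plays the role of radiusrequirema=1."""
    if len(packet) < HEADER_LEN:
        return False, "packet too short"
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "length field mismatch"
    header, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if not hmac.compare_digest(resp_auth, response_authenticator(header, request_auth, attrs, secret)):
        return False, "Response Authenticator mismatch"
    try:
        found = [(v, off) for t, v, off in parse_attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, str(exc)
    if not found:
        if require_ma:
            return False, "Message-Authenticator missing but required"
        return True, "ok (no Message-Authenticator)"
    value, off = found[0]
    if len(value) != 16:
        return False, "Message-Authenticator has wrong length"
    rel = off - HEADER_LEN
    zeroed = attrs[:rel] + bytes(16) + attrs[rel + 16:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(value, expected):
        return False, "Message-Authenticator mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))  # constructed sample values
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, [(REPLY_MESSAGE, b"Welcome")], secret)
    print(verify_response(reply, req_auth, secret, require_ma=True))
```

The order of the checks matters: the Response Authenticator is verified first because it is cheap and catches ordinary corruption, but only the Message-Authenticator check rejects a reply whose MD5-based Response Authenticator looks valid while its attributes were altered, which is exactly the case the quoted option exists to cover.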
