From: Arran Cudbard-Bell
Date: Mon, 26 Sep 2016 15:47:51 +0000 (+0100)
Subject: Don't ignore the fact we've hit vulnerable versions in previous checks
X-Git-Tag: release_3_0_12~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca367b0fb687f1fcaf6737b40bc9dacbd14a9ffb;p=thirdparty%2Ffreeradius-server.git
Don't ignore the fact we've hit vulnerable versions in previous checks
---
diff --git a/src/main/tls.c b/src/main/tls.c
index 06709869005..7cc5f032b4f 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2483,17 +2483,22 @@ int tls_global_version_check(char const *acknowledged)
 /*
 * If the CVE is acknowledged, allow it.
 */
- if (strcmp(acknowledged, defect->id) == 0) return 0;
+ if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;
 ERROR("Refusing to start with libssl version %s (in range %s)", ssl_version(), ssl_version_range(defect->low, defect->high));
 ERROR("Security advisory %s (%s)", defect->id, defect->name);
 ERROR("%s", defect->comment);
- INFO("Once you have verified libssl has been correctly patched, "
- "set security.allow_vulnerable_openssl = '%s'", defect->id);
+ /*
+ * Only warn about the first one...
+ */
+ if (!bad) {
+ INFO("Once you have verified libssl has been correctly patched, "
+ "set security.allow_vulnerable_openssl = '%s'", defect->id);
- bad = true;
+ bad = true;
+ }
 }
 }
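Review bot: The acknowledged-CVE test in the first changed line still leaves the loop with `return 0` on the first matching entry, so entries later in the defect table are never compared against the running libssl version, and with the new `!bad` guard an acknowledgement is honoured only when no earlier entry matched. The outcome therefore depends on the order of the table, which the unchanged comment "If the CVE is acknowledged, allow it." no longer describes; I would reword it to `/* Allow an acknowledged CVE only if no earlier entry matched; returning here skips all later entries, so table order matters. */`. The loop, the declaration of `bad` and the function's final return are outside the hunk, so that a set `bad` leads to a refusal to start is inferred from the commit title rather than visible here.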