Accepting request 679792 from network

- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes - update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. OBS-URL: https://build.opensuse.org/request/show/679792 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=75
2019-02-28 20:43:53 +00:00 · 2019-02-28 20:43:53 +00:00 · 12914b2ccb
commit 12914b2ccb
parent 8e4bb705b1 ff04302a52
6 changed files with 155 additions and 18 deletions
--- a/freeradius-server-3.0.17.tar.bz2
+++ b/freeradius-server-3.0.17.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3f03404b6e4a4f410e1f15ea2ababfec7f8a7ae8a49836d8a0c137436d913b96
-size 3075724
--- a/freeradius-server-3.0.17.tar.bz2.sig
+++ b/freeradius-server-3.0.17.tar.bz2.sig
--- a/freeradius-server-3.0.18.tar.bz2
+++ b/freeradius-server-3.0.18.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:695149c9f4dabe7131028b0c4e43d9ae149d0d06da5dfc97f10eed2fbee6c011
+size 3126164
--- a/freeradius-server-3.0.18.tar.bz2.sig
+++ b/freeradius-server-3.0.18.tar.bz2.sig
--- a/freeradius-server.changes
+++ b/freeradius-server.changes
@ -1,3 +1,130 @@
+-------------------------------------------------------------------
+Wed Feb 27 11:37:53 UTC 2019 - adam.majer@suse.de
+
+- reformat changelog mostly by wrapping lines
+- add missing bug numbers for security fixes
+
+-------------------------------------------------------------------
+Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder <michael@stroeder.com>
+
+- update to 3.0.18
+
+* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
+* Do-Not-Respond policies can now be set in the "post-auth" section.
+* Encode / Decode ADSL Forum DHCP options.
+* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
+  See the "instantiate" section of radiusd.conf.
+* Add Big Switch dictionary. Fixes #2252.
+* Add sql_session_start policy (raddb/policy.d/accounting)
+  This minimizes race conditions when using Simultaneous-Use (#2257).
+* For rlm_perl, all variables are now tainted by default.
+  See raddb/mods-available/perl, and the "perl_flags" configuration item.
+  This change should only affect people who are using variables in
+  insecure ways.
+* Allow "sqlcounter" module to be listed in "post-auth".
+* Add support for IPv6 attributes in SQL. Fixes #2280
+* The server is better at handling fail-over for outbound RadSec and
+  TCP connections. Fixes #2284.
+* The server is now more aggressive about retrying failed outbound
+  RadSec and TCP connections. Fixes #2284.
+* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
+* Add expansion for Radsec connections. "%{listen:TLS-...}" for
+  TLS-Client-Cert-* and TLS-Cert-* attributes.
+* Add notes on running "ldapsearch" using the parameters from the LDAP module.
+* "ipaddr" attributes can now be cast to "integer" type attributes
+  in an "update" section.
+* Move main thread queue to using atomic queues. This should help
+  with contention in high load scenarios.
+* Add "recv_buff" setting to listeners. For more details,
+  see sites-available/default.
+* The sqlippool module can now use attributes other than "Pool-Name"
+  to assign IP pools. The "Pool-Name" attribute is still the default.
+* The "unpack" expansion can now unpack substrings.
+  See mods-available/unpack for documentation and examples.
+* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
+  Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
+* Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
+* Add sanitizing of control list for moonshot. Fixes #2318.
+* Update rlm_sql_mysql to be compatible with MySQL 8
+  Fixes https://bugs.launchpad.net/bugs/1795310.
+* Allow logging of only Access-Accept or Access-Reject messages
+  See radiusd.conf, "auth_accept" and "auth_reject".
+* Removed Connect-Rate comparison. It was unused and broken.
+* Add dictionary.infinera.
+* Use OpenSSL HMAC functions instead of local ones.
+* Some SQL modules can now use "auto_escape" to escape unsafe strings
+  See mods-config/sql/main/mysql/queries.conf.
+* Add wispr2date conversion in mods-available/date.
+* Implement dictionary-based handling in rlm_python.
+  Fixes #2334 See mods-available/python for details.
+* Add support for SKIP LOCKED in sqlippool. This can improve performance
+  by an order of magnitude or more.
+  See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
+* Allow PSK and certificates at the same time Except for TLS 1.3
+  which does not support that.
+* Update docker scripts. Fixes #2306 Patch from Matthew Newton.
+* Add crypt xlat.
+* MySQL connections can now skip verifying the server certificate.
+  Fixes #2481. See mods-available/sql.
+* Add better mechanism to detect MariaDB (Old MySQL).
+* Add RFC 7532 "bang path" support for realms Fixes #2492.
+* Update dictionary.ukerna documentation. Fixes #2493.
+* Add support for systemd service and watchdogs Fixes #2499.
+* Check for openss/rand.h, and allow building without OpenSSL engine.
+  Patch from Eneas U de Queiroz Fixes #2517.
+* The default PosgtreSQL queries now use "ON CONFLICT" to better
+  deal with issues. This requires PostgreSQL 9.5 or later.
+  Please use a recent version of PostgreSQL, or edit the default
+  queries to remove "ON CONFLICT".
+
+BUG FIXES
+* The session-state list is no longer cleaned in the inner-tunnel.
+  This lets the outer Access-Reject section access session-state.
+* Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
+* Add check for crash when home server down Fixes #2233.
+* Add username key for postauth table.
+* Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
+* Allow building with old versions of OpenSSL Fixes #2247.
+* Allow non-FreeRADIUS State attributes to be used with the
+  "session-state" list. i.e. State length != 16.
+* Be more aggressive about cleaning up zombie children when running in debug mode.
+* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
+  exporting LDAP API functions.
+* unlock files when asked to unlock them.
+* return error instead of asserting in map code.
+* Don't write 0 bytes to SSL. Fixes #2270.
+* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
+* Various dictionary cleanups and consistency checks Fixes #2281.
+* rlm_python has stronger thread locking to prevent reported issues.
+  Performance may be affected.
+* Don't allow Message-Authenticator to overflow past the end of a large packet.
+* Fix crash in sqlippool when SQL server goes away Fixes #2300.
+* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
+* Fix crash with CoA packets/ Fixes #2304.
+* Fix crash in rlm_exec with CoA. Fixes #2328.
+* Print errors while parsing the log config, and don't quit when
+  deprecated log settings are found.
+* Fix DHCP encoder xlat so that it can be used with a list of attributes.
+  It previously only encoded the first member of the list,
+  and now encodes all members.
+* The "expr" module now skips more whitespace.
+* Remove internal FreeRADIUS-Response-Delay attributes from
+  attr_filter Access-Reject.
+* Don't send junk to redis when maximum args reached.
+* Small updates to IPv6 for accounting schema Fixes #2364.
+* Fix OpenDirectory integration in rlm_mschap.
+* Fix slow memory leak with dynamic clients.
+* Don't artificially truncate debug output for long strings.
+* Fix memory leak in EAP-PWD.
+* Fix crash in "hints" file with Fall-Through = yes.
+* Fix crash / timer issues with many CoA packets.
+* Fix attr_filter so that it does not treat vendor attributes of
+  number 26 as Vendor-Specific.
+* Fix reconnect correctly in rlm_sql_mysql.
+* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
+* Fix rare occurance of bad xlat expansion.
+* Check for rare race condition when a proxy reply arrives too late.
+
 -------------------------------------------------------------------
 Tue Jun 26 18:24:21 UTC 2018 - michael@stroeder.com

@ -10,25 +137,32 @@ Tue Apr 17 22:00:15 UTC 2018 - michael@stroeder.com

 Feature Improvements
 * Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
-* "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169.
+* "stats home server" now supports "src IPADDR", to specify home
+  server also by source IP. Fixes #2169.
 * Add Dockerfiles for a selection of common systems.
-* Increase number of permitted file descriptors, for systems with many home servers.
-* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205.
+* Increase number of permitted file descriptors, for systems with many
+  home servers.
+* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
+  Patch from Isaac Boukris. Fixes #2205.
 * Update main READMEs. Patches from Matthew Newton.
 * Added dictionary.mimosa.

 Bug Fixes
-* Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
-* Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168.
+* Don't call post-proxy twice when proxying to a virtual server.
+  Matthew Newton, #2161.
+* Use "raw" string value for shared secrets and dynamic clients
+  It now parses strings with backslashes and "special characters"
+  correctly. Fixes #2168.
 * Fix RuntimeDirectory for RedHat, from Alan Buxey.
 * Relax checks in 'if' parser from Isaac Bourkis.
 * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
-* Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich.
+* Be more aggressive about cleaning up cached certificate attributes,
+  due to deficiencies in OpenSSL. Reported by Nicolas Reich.
 * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
 * Fix double free in rlm_sql. Fixes #2180.
 * rlm_detail now writes empty Access-Accept packets.
 * rlm_python can now create tagged attributes.
-* Don't crash on duplicate realm + authhost / accthost Bug found by Richard Palmer.
+* Don't crash on duplicate realm + authhost / accthost
 * Allow partial certificate chain to trusted CA. Fixes #2162.
 * Treat SSL_read() returning zero as error. Fixes #2164.
 * detail writer now checks if the file was renamed or deleted.
@ -36,12 +170,14 @@ Bug Fixes
 * RedHat Systemd updates. Fixes #2184.
 * Use correct API for State variable in rlm_securid.
 * Remove broken radclient option "-i".
-* Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs.
+* Fix "users" file (and hints, etc). So that it does not get confused
+  about entry ordering with multiple $INCLUDEs.
 * Fix rlm_sql to expand the un-escaped string, not the raw string.
 * Link default and inner-tunnel only if they exist. Fixes #2206.
 * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
 * Always install signal handler for SIGINT (needed by Docker).
-* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked.
+* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
+  which are not self-signed will now be checked.
 * sqlippool now returns "fail" if it fails IP allocation.
 * Fix rlm_yubikey to look for correct attribute in replay attack check.

@ -115,7 +251,7 @@ Bug fixes
 * Fix memory allocation in rlm_rest.  Fixes #2051.
 * Update trustrouter for new API. Fixes #2059.
 * Fix SQLite issues on FreeBSD.  Fixes #2060
-* Don't do debug logging of bad passwords.  Fixes #2064.
+* Don't do debug logging of bad passwords.  Fixes #2064. (bsc#1099802)
 * More graceful handling of "die" in rlm_perl.  Fixes #2073.
 * Fix occasional crash when using
  cisco_accounting_username_bug = yes
@ -149,7 +285,7 @@ Fri Aug 25 11:32:56 UTC 2017 - varkoly@suse.com
 Mon Jul 17 13:46:41 UTC 2017 - michael@stroeder.com

 - update to 3.0.15 with security fixes for
-  issues found via fuzzing by Guido Vranken
+  issues found via fuzzing by Guido Vranken (bsc#1049086)
  https://freeradius.org/security/fuzzer-2017.html
  * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
  * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@ -1,7 +1,7 @@
 #
 # spec file for package freeradius-server
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@ -20,7 +20,7 @@
 %define apxs2 apxs2-prefork
 %define apache2_sysconfdir %(%{_sbindir}/%{apxs2} -q SYSCONFDIR)
 Name:           freeradius-server
-Version:        3.0.17
+Version:        3.0.18
 Release:        0

 %if 0%{?suse_version} > 1140
@ -47,7 +47,7 @@ Release:        0
 %endif

 Summary:        RADIUS Server
-License:        GPL-2.0 and LGPL-2.1
+License:        GPL-2.0-only AND LGPL-2.1-only
 Group:          Productivity/Networking/Radius/Servers
 Url:            http://www.freeradius.org/
 Source:         ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2
@ -602,6 +602,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/operator-name
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/abfab-tr
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/debug
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/rfc7542

 %config(noreplace) %{_sysconfdir}/raddb/users
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/templates.conf