diff --git a/freeradius-server-3.0.17.tar.bz2 b/freeradius-server-3.0.17.tar.bz2 deleted file mode 100644 index 62eba8a..0000000 --- a/freeradius-server-3.0.17.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3f03404b6e4a4f410e1f15ea2ababfec7f8a7ae8a49836d8a0c137436d913b96 -size 3075724 diff --git a/freeradius-server-3.0.17.tar.bz2.sig b/freeradius-server-3.0.17.tar.bz2.sig deleted file mode 100644 index 26cf246..0000000 Binary files a/freeradius-server-3.0.17.tar.bz2.sig and /dev/null differ diff --git a/freeradius-server-3.0.18.tar.bz2 b/freeradius-server-3.0.18.tar.bz2 new file mode 100644 index 0000000..88f8a81 --- /dev/null +++ b/freeradius-server-3.0.18.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:695149c9f4dabe7131028b0c4e43d9ae149d0d06da5dfc97f10eed2fbee6c011 +size 3126164 diff --git a/freeradius-server-3.0.18.tar.bz2.sig b/freeradius-server-3.0.18.tar.bz2.sig new file mode 100644 index 0000000..ea12d22 Binary files /dev/null and b/freeradius-server-3.0.18.tar.bz2.sig differ diff --git a/freeradius-server.changes b/freeradius-server.changes index d82ed7a..06160f7 100644 --- a/freeradius-server.changes +++ b/freeradius-server.changes 
@@ -1,3 +1,130 @@ +------------------------------------------------------------------- +Wed Feb 27 11:37:53 UTC 2019 - adam.majer@suse.de + +- reformat changelog mostly by wrapping lines +- add missing bug numbers for security fixes + +------------------------------------------------------------------- +Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder + +- update to 3.0.18 + +* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. +* Do-Not-Respond policies can now be set in the "post-auth" section. +* Encode / Decode ADSL Forum DHCP options. +* Fix module ordering issues. e.g. when "sqlippool" needs "sql". + See the "instantiate" section of radiusd.conf. +* Add Big Switch dictionary. Fixes #2252. +* Add sql_session_start policy (raddb/policy.d/accounting) + This minimizes race conditions when using Simultaneous-Use (#2257). +* For rlm_perl, all variables are now tainted by default. + See raddb/mods-available/perl, and the "perl_flags" configuration item. + This change should only affect people who are using variables in + insecure ways. +* Allow "sqlcounter" module to be listed in "post-auth". +* Add support for IPv6 attributes in SQL. Fixes #2280 +* The server is better at handling fail-over for outbound RadSec and + TCP connections. Fixes #2284. +* The server is now more aggressive about retrying failed outbound + RadSec and TCP connections. Fixes #2284. +* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. +* Add expansion for Radsec connections. "%{listen:TLS-...}" for + TLS-Client-Cert-* and TLS-Cert-* attributes. +* Add notes on running "ldapsearch" using the parameters from the LDAP module. +* "ipaddr" attributes can now be cast to "integer" type attributes + in an "update" section. +* Move main thread queue to using atomic queues. This should help + with contention in high load scenarios. +* Add "recv_buff" setting to listeners. For more details, + see sites-available/default. 
+* The sqlippool module can now use attributes other than "Pool-Name" + to assign IP pools. The "Pool-Name" attribute is still the default. +* The "unpack" expansion can now unpack substrings. + See mods-available/unpack for documentation and examples. +* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair + Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. +* Allow for -LDAP-UserDN. See mods-available/ldap for more information. +* Add sanitizing of control list for moonshot. Fixes #2318. +* Update rlm_sql_mysql to be compatible with MySQL 8 + Fixes https://bugs.launchpad.net/bugs/1795310. +* Allow logging of only Access-Accept or Access-Reject messages + See radiusd.conf, "auth_accept" and "auth_reject". +* Removed Connect-Rate comparison. It was unused and broken. +* Add dictionary.infinera. +* Use OpenSSL HMAC functions instead of local ones. +* Some SQL modules can now use "auto_escape" to escape unsafe strings + See mods-config/sql/main/mysql/queries.conf. +* Add wispr2date conversion in mods-available/date. +* Implement dictionary-based handling in rlm_python. + Fixes #2334 See mods-available/python for details. +* Add support for SKIP LOCKED in sqlippool. This can improve performance + by an order of magnitude or more. + See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 +* Allow PSK and certificates at the same time Except for TLS 1.3 + which does not support that. +* Update docker scripts. Fixes #2306 Patch from Matthew Newton. +* Add crypt xlat. +* MySQL connections can now skip verifying the server certificate. + Fixes #2481. See mods-available/sql. +* Add better mechanism to detect MariaDB (Old MySQL). +* Add RFC 7532 "bang path" support for realms Fixes #2492. +* Update dictionary.ukerna documentation. Fixes #2493. +* Add support for systemd service and watchdogs Fixes #2499. +* Check for openss/rand.h, and allow building without OpenSSL engine. + Patch from Eneas U de Queiroz Fixes #2517. 
+* The default PosgtreSQL queries now use "ON CONFLICT" to better + deal with issues. This requires PostgreSQL 9.5 or later. + Please use a recent version of PostgreSQL, or edit the default + queries to remove "ON CONFLICT". + +BUG FIXES +* The session-state list is no longer cleaned in the inner-tunnel. + This lets the outer Access-Reject section access session-state. +* Fix typo in lock initialization for TLS sockets Found by Sergio NNX. +* Add check for crash when home server down Fixes #2233. +* Add username key for postauth table. +* Better libpcap checks, when the header files or libraries are missing. Fixes #2245. +* Allow building with old versions of OpenSSL Fixes #2247. +* Allow non-FreeRADIUS State attributes to be used with the + "session-state" list. i.e. State length != 16. +* Be more aggressive about cleaning up zombie children when running in debug mode. +* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries + exporting LDAP API functions. +* unlock files when asked to unlock them. +* return error instead of asserting in map code. +* Don't write 0 bytes to SSL. Fixes #2270. +* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. +* Various dictionary cleanups and consistency checks Fixes #2281. +* rlm_python has stronger thread locking to prevent reported issues. + Performance may be affected. +* Don't allow Message-Authenticator to overflow past the end of a large packet. +* Fix crash in sqlippool when SQL server goes away Fixes #2300. +* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. +* Fix crash with CoA packets/ Fixes #2304. +* Fix crash in rlm_exec with CoA. Fixes #2328. +* Print errors while parsing the log config, and don't quit when + deprecated log settings are found. +* Fix DHCP encoder xlat so that it can be used with a list of attributes. + It previously only encoded the first member of the list, + and now encodes all members. +* The "expr" module now skips more whitespace. 
+* Remove internal FreeRADIUS-Response-Delay attributes from + attr_filter Access-Reject. +* Don't send junk to redis when maximum args reached. +* Small updates to IPv6 for accounting schema Fixes #2364. +* Fix OpenDirectory integration in rlm_mschap. +* Fix slow memory leak with dynamic clients. +* Don't artificially truncate debug output for long strings. +* Fix memory leak in EAP-PWD. +* Fix crash in "hints" file with Fall-Through = yes. +* Fix crash / timer issues with many CoA packets. +* Fix attr_filter so that it does not treat vendor attributes of + number 26 as Vendor-Specific. +* Fix reconnect correctly in rlm_sql_mysql. +* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. +* Fix rare occurance of bad xlat expansion. +* Check for rare race condition when a proxy reply arrives too late. + ------------------------------------------------------------------- Tue Jun 26 18:24:21 UTC 2018 - michael@stroeder.com 
@@ -10,25 +137,32 @@ Tue Apr 17 22:00:15 UTC 2018 - michael@stroeder.com Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. -* "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. +* "stats home server" now supports "src IPADDR", to specify home + server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. -* Increase number of permitted file descriptors, for systems with many home servers. -* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. +* Increase number of permitted file descriptors, for systems with many + home servers. +* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs + Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes -* Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. -* Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. +* Don't call post-proxy twice when proxying to a virtual server. + Matthew Newton, #2161. +* Use "raw" string value for shared secrets and dynamic clients + It now parses strings with backslashes and "special characters" + correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. -* Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. +* Be more aggressive about cleaning up cached certificate attributes, + due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. 
-* Don't crash on duplicate realm + authhost / accthost Bug found by Richard Palmer. +* Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. @@ -36,12 +170,14 @@ Bug Fixes * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". -* Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. +* Fix "users" file (and hints, etc). So that it does not get confused + about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). -* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. +* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs + which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check. @@ -115,7 +251,7 @@ Bug fixes * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 -* Don't do debug logging of bad passwords. Fixes #2064. +* Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes 
@@ -149,7 +285,7 @@ Fri Aug 25 11:32:56 UTC 2017 - varkoly@suse.com Mon Jul 17 13:46:41 UTC 2017 - michael@stroeder.com - update to 3.0.15 with security fixes for - issues found via fuzzing by Guido Vranken + issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 diff --git a/freeradius-server.spec b/freeradius-server.spec index 5e45d64..b4920d5 100644 --- a/freeradius-server.spec +++ b/freeradius-server.spec @@ -1,7 +1,7 @@ # # spec file for package freeradius-server # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -20,7 +20,7 @@ %define apxs2 apxs2-prefork %define apache2_sysconfdir %(%{_sbindir}/%{apxs2} -q SYSCONFDIR) Name: freeradius-server -Version: 3.0.17 +Version: 3.0.18 Release: 0 %if 0%{?suse_version} > 1140 @@ -47,7 +47,7 @@ Release: 0 %endif Summary: RADIUS Server -License: GPL-2.0 and LGPL-2.1 +License: GPL-2.0-only AND LGPL-2.1-only Group: Productivity/Networking/Radius/Servers Url: http://www.freeradius.org/ Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2 
@@ -602,6 +602,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/operator-name %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/abfab-tr %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/debug +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/rfc7542 %config(noreplace) %{_sysconfdir}/raddb/users %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/templates.conf
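Review bot: in the new 3.0.18 changelog entry, "Add RFC 7532 "bang path" support for realms Fixes #2492." does not match the policy file this same change packages in the spec (`%{_sysconfdir}/raddb/policy.d/rfc7542`); RFC 7542 is the NAI specification that defines the "!" realm syntax, so the changelog number looks like a typo carried over from upstream. Suggest correcting it to RFC 7542 in freeradius-server.changes so a reader grepping the changelog finds the shipped policy file. While there, the other copied upstream typos in the same block ("ciscvo_vsa_hack", "PosgtreSQL", "openss/rand.h", "occurance") could be fixed in the package changelog without changing its meaning.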
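Review bot: the rewrap in the "@@ -10,25 +137,32 @@" hunk is not content-neutral: `-* Don't crash on duplicate realm + authhost / accthost Bug found by Richard Palmer.` becomes `+* Don't crash on duplicate realm + authhost / accthost`, dropping the attribution, while the new top entry describes this change as "reformat changelog mostly by wrapping lines". Suggest restoring "Bug found by Richard Palmer." on a wrapped continuation line, as the other entries in this hunk do, so the reformat only changes line breaks.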
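Review bot: in the "@@ -47,7 +47,7 @@" hunk the License tag changes from `GPL-2.0 and LGPL-2.1` to `GPL-2.0-only AND LGPL-2.1-only`; the move to SPDX identifiers is right, but "-only" versus "-or-later" is a substantive claim and should be confirmed against the upstream COPYRIGHTS/LICENSE text before it lands. Also, the "@@ -12,7 +12,7 @@" hunk switches the bug-report link to https, but the context lines of this hunk still carry `Url: http://www.freeradius.org/` and `Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2`; suggest moving those to https in the same change so the tarball is fetched over an authenticated channel rather than relying only on the detached signature.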
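Review bot: the binary hunk adds `freeradius-server-3.0.18.tar.bz2.sig` (and removes the 3.0.17 one), but none of the spec hunks in this diff reference the signature or a keyring, and the only spec change touching sources is the `Version:` bump. Please confirm the spec already has a `Source1:` line for `%{name}-%{version}.tar.bz2.sig` and a `%{name}.keyring` so the new signature is actually verified by the build service; otherwise the .sig is carried in the repository without being checked.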