Accepting request 499628 from home:adamm:branches:network

- update to 3.0.14 (still FATE#322416)
  
  Feature improvements
  * Enforce TLS client certificate expiration on session resumption,
    and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
  * Updated dictionary.cisco.vpn3000, dictionary.patton
  * Added dictionary.dellemc
  * Lowered the log output for failed PEAP sessions.
  * ALlow utc in rlm_date.
  * The internal OpenSSL session cache has been disabled.
    Please see mods-available/eap
  * Update detail reader documentation.
  * Make outgoing RadSec connections non-blocking.
  * Add SQL backing to Moonshot-*-TargetedId generation.
  Bug Fixes
  * radtest uses Cleartext-Password for EAP, not User-Password.
  * Update documentation for mods-enabled/ linking.
  * Enhanced checks for moonshot salt.
  * Allow session resumption for RadSec connections.
  * Update "huntgroups" file to note that port ranges are not supported
  * Fix OpenSSL permissions issues on default key files.
  * Certificates are not required when PSK is used.
  * Allow SubjectAltName as first extension in cert.
  * Fixed talloc issue with TLS session resumption.
  * "&Attr-26 := 0x01" now produces useful error messages.
  * Handle connection error in rlm_ldap_cacheable_groupobj.
  * Fix endian issues in DHCP.
  * Multiple minor fixes for Coverity complaints.
  * Handle unexpected regex.
  * Fix minor issues in dictionaries.
  * Fix typos and grammar. Patches from Alan Buxey.
  * Fix erroneous VP creation in rlm_preproces.
  * Fix MIB. Patch from Jeff Gehlbach.
  * Trust router updates from Alejandro Perez.
  * Allow build with LibreSSL.
  * Use correct packet for channel bindings.
  * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
    a test license. Please see the git commit history for more info.
  * Fix incorrect length check in EAP-PWD. This may be exploitable.
  * Stop rotating session database files (radutmp, radwtmp) since
    these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated

OBS-URL: https://build.opensuse.org/request/show/499628
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=98

freeradius-server-3.0.13.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b3be0d8849878c31af0a5375d20b7b20c9d1c1572e89dc3f22992824cefffb84
-size 3031744

freeradius-server-3.0.14.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2771f6ecd6c816ac4d52b66bb8ae6781ca20e1e4984c5804fc4e67de3a807c59
+size 3037721

freeradius-server-radiusd-logrotate.patch

@@ -1,6 +1,8 @@
---- freeradius-server-3.0.8.orig/suse/radiusd-logrotate	2015-04-22 19:21:34.000000000 +0200
-+++ freeradius-server-3.0.8.suse/suse/radiusd-logrotate	2015-04-23 10:15:52.847179845 +0200
-@@ -16,13 +16,18 @@
+Index: freeradius-server-3.0.14/suse/radiusd-logrotate
+===================================================================
+--- freeradius-server-3.0.14.orig/suse/radiusd-logrotate
++++ freeradius-server-3.0.14/suse/radiusd-logrotate
+@@ -16,13 +16,18 @@ notifempty
  #  The main server log
  #
  /var/log/radius/radius.log {
@@ -19,15 +21,7 @@
  	nocreate
  	size=+1024k
  }
-@@ -31,6 +36,7 @@
- #  Session database modules
- #
- /var/log/radius/radutmp /var/log/radius/radwtmp {
-+	su radiusd radiusd
- 	nocreate
- 	size=+2048k
- }
-@@ -39,6 +45,7 @@
+@@ -31,6 +36,7 @@ notifempty
  #  SQL log files
  #
  /var/log/radius/sqllog.sql {
@@ -35,7 +29,7 @@
  	nocreate
  	size=+2048k
  }
-@@ -51,6 +58,7 @@
+@@ -43,6 +49,7 @@ notifempty
  # second technique, you will need another cron job that removes old
  # detail files.  You do not need to comment out the below for method #2.
  /var/log/radius/radacct/*/detail {

freeradius-server.changes

@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Mon May 29 12:40:52 UTC 2017 - adam.majer@suse.de
+
+- update to 3.0.14 (still FATE#322416)
+  
+  Feature improvements
+  * Enforce TLS client certificate expiration on session resumption,
+    and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
+  * Updated dictionary.cisco.vpn3000, dictionary.patton
+  * Added dictionary.dellemc
+  * Lowered the log output for failed PEAP sessions.
+  * ALlow utc in rlm_date.
+  * The internal OpenSSL session cache has been disabled.
+    Please see mods-available/eap
+  * Update detail reader documentation.
+  * Make outgoing RadSec connections non-blocking.
+  * Add SQL backing to Moonshot-*-TargetedId generation.
+
+  Bug Fixes
+  * radtest uses Cleartext-Password for EAP, not User-Password.
+  * Update documentation for mods-enabled/ linking.
+  * Enhanced checks for moonshot salt.
+  * Allow session resumption for RadSec connections.
+  * Update "huntgroups" file to note that port ranges are not supported
+  * Fix OpenSSL permissions issues on default key files.
+  * Certificates are not required when PSK is used.
+  * Allow SubjectAltName as first extension in cert.
+  * Fixed talloc issue with TLS session resumption.
+  * "&Attr-26 := 0x01" now produces useful error messages.
+  * Handle connection error in rlm_ldap_cacheable_groupobj.
+  * Fix endian issues in DHCP.
+  * Multiple minor fixes for Coverity complaints.
+  * Handle unexpected regex.
+  * Fix minor issues in dictionaries.
+  * Fix typos and grammar. Patches from Alan Buxey.
+  * Fix erroneous VP creation in rlm_preproces.
+  * Fix MIB. Patch from Jeff Gehlbach.
+  * Trust router updates from Alejandro Perez.
+  * Allow build with LibreSSL.
+  * Use correct packet for channel bindings.
+  * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
+    a test license. Please see the git commit history for more info.
+  * Fix incorrect length check in EAP-PWD. This may be exploitable.
+  * Stop rotating session database files (radutmp, radwtmp) since
+    these are not logfiles.
+
+- freeradius-server-radiusd-logrotate.patch: updated
+
 -------------------------------------------------------------------
 Mon Mar  6 23:07:21 UTC 2017 - michael@stroeder.com
 

freeradius-server.spec

@@ -20,7 +20,7 @@
 %define apxs2 apxs2-prefork
 %define apache2_sysconfdir %(%{_sbindir}/%{apxs2} -q SYSCONFDIR)
 Name:           freeradius-server
-Version:        3.0.13
+Version:        3.0.14
 Release:        0
 
 %if 0%{?suse_version} > 1140
@@ -431,6 +431,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/files
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/files/*
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/preprocess
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/moonshot-targeted-ids/*
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/preprocess/*
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/python/radiusd.py
@@ -515,6 +517,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/logintime
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mac2ip
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mac2vlan
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/moonshot-targeted-ids
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mschap
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/ntlm_auth
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/opendirectory