diff --git a/freeradius-server-opensslversion.patch b/freeradius-server-opensslversion.patch
new file mode 100644
index 0000000..392ffd3
--- /dev/null
+++ b/freeradius-server-opensslversion.patch
@@ -0,0 +1,46 @@
+Author: Adam Majer
+Summary: SUSE OpenSSL version scheme does not follow upstream.
+ Relax, breathe, apply.
+
+Index: freeradius-server-3.0.12/src/main/version.c
+===================================================================
+--- freeradius-server-3.0.12.orig/src/main/version.c
++++ freeradius-server-3.0.12/src/main/version.c
+@@ -50,36 +50,7 @@ static long ssl_built = OPENSSL_VERSION_
+ */
+ int ssl_check_consistency(void)
+ {
+- long ssl_linked;
+-
+- ssl_linked = SSLeay();
+-
+- /*
+- * Status mismatch always triggers error.
+- */
+- if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
+- mismatch:
+- ERROR("libssl version mismatch. built: %lx linked: %lx",
+- (unsigned long) ssl_built,
+- (unsigned long) ssl_linked);
+-
+- return -1;
+- }
+-
+- /*
+- * Use the OpenSSH approach and relax fix checks after version
+- * 1.0.0 and only allow moving backwards within a patch
+- * series.
+- */
+- if (ssl_built & 0xf0000000) {
+- if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
+- (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
+- /*
+- * Before 1.0.0 we require the same major minor and fix version
+- * and ignore the patch number.
+- */
+- } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
+-
++ // noop, since ABI is compatible for SUSE OpenSSL
+ return 0;
+ }
+ 
diff --git a/freeradius-server-radclient-init-error-buffer.patch b/freeradius-server-radclient-init-error-buffer.patch
new file mode 100644
index 0000000..6d844cf
--- /dev/null
+++ b/freeradius-server-radclient-init-error-buffer.patch
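Review bot: With the body reduced to `return 0;` the patched ssl_check_consistency() no longer compares even the major/minor fields of the built and linked libssl, so a radiusd built against one OpenSSL release series and started with a libssl from another would pass the check silently, although the SUSE numbering problem described in the patch header only concerns the fix/patch/status fields. Keeping `long ssl_linked = SSLeay();` and `if ((ssl_built & 0xfff00000) != (ssl_linked & 0xfff00000)) return -1;` (the top twelve bits, major and minor, of the OPENSSL_VERSION_NUMBER layout), ideally with the original ERROR() line before the return, would keep that protection while ignoring the fields SUSE's backports do not bump. The replacement comment also states the conclusion but not the reason, and uses `//` where the file uses `/* */`; `/* SUSE backports fixes without bumping the fix/patch/status fields, so those are not compared (bnc#1013311) */` would say why. If ssl_built is not referenced elsewhere in version.c, the file-scope static is now unused and will draw a compiler warning.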
@@ -0,0 +1,12 @@
+Index: freeradius-server-3.0.3/src/main/radclient.c
+===================================================================
+--- freeradius-server-3.0.3.orig/src/main/radclient.c
++++ freeradius-server-3.0.3/src/main/radclient.c
+@@ -1180,6 +1180,7 @@ int main(int argc, char **argv)
+ fr_perror("radclient");
+ return 1;
+ }
++ fr_strerror_printf(""); /* Initialize the error buffer */
+ fr_strerror(); /* Clear the error buffer */
+
+ /*
diff --git a/freeradius-server.changes b/freeradius-server.changes
index d9f3926..c9874a3 100644
--- a/freeradius-server.changes
+++ b/freeradius-server.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Mon Jan 30 15:46:54 UTC 2017 - adam.majer@suse.de
+
+- Merge changes from SLE to OpenSUSE (FATE#322416):
+ * freeradius-server-radclient-init-error-buffer.patch - make sure
+ we initialize error buffer. bsc#911886: radclient error free()
+ invalid pointer
+ * freeradius-server-opensslversion.patch: remove OpenSSL version
+ check and assume we know what we are doing. (bnc#1013311)
+ * merge .changes file, mostly.
+- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
+ security fixes do not necessarily bump version numbers as
+ does upstream OpenSSL (bnc#1021375)
+- do not generate certificates in %post. End-user needs to do this
+ manually.
+- keep FreeTDS disabled on SLE12 - we never shipped it enabled
+- require OpenSSL 1.0+
+- use pkgconfig(systemd) instead of plain systemd as BuildRequires
+- don't list manual pages as %doc
+
 -------------------------------------------------------------------
 Sun Jan 1 13:39:57 UTC 2017 - jengelh@inai.de
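Review bot: The comment on the added line says what it does but not why an empty fr_strerror_printf("") immediately before fr_strerror() is needed, and the pair will read as redundant to the next maintainer. The .changes entry in this commit ties it to radclient freeing an invalid pointer (bsc#911886), presumably because fr_strerror() expects a buffer that fr_strerror_printf() has already allocated; putting that on the line, `fr_strerror_printf(""); /* Allocate the error buffer before fr_strerror() clears it (bsc#911886) */`, keeps the reason with the workaround. main() begins and continues outside the hunk.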
@@ -5,12 +25,93 @@ Sun Jan 1 13:39:57 UTC 2017 - jengelh@inai.de - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd. +------------------------------------------------------------------- +Fri Nov 18 14:48:59 UTC 2016 - adam.majer@suse.de + +- Add upstream keyring +- 2 new modules: rlm_sql_freetds and rlm_eap_fast + ------------------------------------------------------------------- Thu Sep 29 20:14:34 UTC 2016 - michael@stroeder.com -- update to 3.0.12 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog +- update to 3.0.12 - still fate#320481 + The focus of this release is stability. + * Feature improvements + + Add support for =~ and !~ in update sections. See "man unlang" + + Add dictionary.checkpoint. + + Simultaneous-Use prints out more information. + + Print WARNING in debug mode when packets may be truncated. + + Added expansions %{home_server:state} and + %{home_server_pool:state}, which show the state of the + server / pool. + + Mark rlm_sql_freetds as stable. + + Make rlm_perl less fragile. Patch from Herwin Weststrate. + + Allow extended attributes to have "encrypt=2" + + Update dictionary.aruba. + + Add support for EAP-FAST. This is an isolated feature which + does not affect anything else. + + Update OpenSSL vulnerability list. Use a version of OpenSSL + released after September 20, 2016. + + EAP certificate verification is now done when "verify" is + enabled and "ocsp" is disabled. + + New dhcpclient and rlm_rad_counter man pages. + + Minor abfab and moonshot additions. + + Pass CFLAGS through from environment in RPM builds. Allows + more custom builds. + + Build with Heimdal in addtion to libkrb5. + * Bug Fixes + + Use correct typedef for older versions of sqlite. + + Update mssql schema to add priority + + don't complain on /dev/urandom in ldap + + fix == operator in update sections + + Don't create DHCP strings with many trailing zeros. 
+ + Allow MS-CHAP change passwords instead of complaining on + large buffer. + + Allow assignment or equality operator on SQL. + + Update aclocal tests for FreeBSD 10. + + Remove occasional hang in rlm_linelog. + + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + + A few minor bugfixes caught in v3.1.x cleanup, and + back-ported to v3.0.x. + + do_not_respond again works in post-proxy + + Allow realm "~^.*$" {} and User-Name with no realm. + + Fix leak when creating unknown attributes + + Fix Debian / logrotate. + + Make OpenSSL error functions thread-safe. + + Fix crash with rlm_sql and updating SQL-User-Name. + + Debian build updates. + + Allow regular expression comparisons in radclient. + + Fix memory leak on unknown attributes in detail file reader. + + Update example paths in "man" pages when installing them + + Build fixes for rlm_mschap. Fixes #1489. + + BSD build fixes. Patch from issue #1583. + + Be more careful about /lib/ when building. Fixes #1585. + + Correct ifdef placement error. Fixes #1572. + + Allow for more files in internal "exfile" API So it will be + possible to open more than 64 "detail" files at the same + time. + + Remove support for statically built EAP modules. Fixes #1591. + + Many fixes to rlm_python from Guillaume Pannatier. + + Use correct week adjustment in SQLcounter. Fixes #1608 + + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + + Fix checks for module / config file change on HUP. + + Compile regex comparisons when sent via "debug condition". + + Update filenames in documentation and examples. + + Don't crash if SQL connection becomes unavailable. + + Disallow originate_coa when proxy_requests = no. + + Free rad_perlconf_hv in correct perl context. + + Multiple fixes for Debian builds. #1510, among others. + + Set OpenSSL FIPS compatibility flag when necessary. + + Pulled fixes for the build system over from other branches. + + Fix OCSP for RADIUS over TLS. + + Fix skip_if_ocsp_ok behavior. 
+ + Better fixes for systems without closefrom() but which have + /proc. + + Minor build fixes back-ported from v4.0.x. + + build --whout-ascend-binary. Fixes #1761. + + Be more aggressive about not opening new connections in + debug mode after CTRL-C. Address #1604. + ------------------------------------------------------------------- Fri Sep 2 12:16:56 UTC 2016 - adam.majer@suse.de 
@@ -24,16 +125,202 @@ Fri Sep 2 12:16:56 UTC 2016 - adam.majer@suse.de Mon Jan 25 18:48:55 UTC 2016 - michael@stroeder.com - removed installation of experimental module rlm_sqlhpwippool.so -- update to 3.0.11 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog +- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, + bsc#935573, CVE-2015-4680) + * Changes of version 3.0.11 + + Feature improvements + - "unlang" comparisons of IP addresses to IP prefixes are now + detected, and types automatically cast. + - Allow shorthand form of ipv4prefix values e.g. 127/8. + - Add "auto_chain" to raddb/mods-available/eap, tls subsection. + This allows the disabling of OpenSSL auto-chaining of + certificates. Which might be wrong. + - Added printing of coa and disconnect stats (radmin). + - radclient defaults to expecting Access-Accept responses to + Status-Server. + - Updated dictionary.lancom, dictionary.starent. + - Portability fixes for Solaris. + - More errors from ntlm_auth gets passed to MS-CHAP. + - Update abfab-tr-idp virtual server. + - Added "filter_password" in policy.d/filter. This removes + embedded zero bytes in User-Password, for compatibility with + broken clients. + - The server now issues a WARNING message if duplicate + configuration items are found. + - TLS can skip the "verify" section if OCSP returns OK. See + raddb/mods-available/eap, "skip_if_ocsp_ok". + - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the + result from the OCSP check. + - Interoperate with AD and "LmCompatibiltyLevel = 5", by + always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind + in rlm_mschap. + - TTLS and PEAP now require "virtual_server" to be a real + server. + - Print WARNING when TTLS or PEAP identities are spoofed or + not properly anonymized. See RFC 7542 for requirements. + - Various rlm_python fixes from Herwin Weststrate. 
+ - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", + which is useful when the home server does not respond. + - elasticsearch updates from Matthew Newton + + Bug Fixes + - Fix issue where field nas_type would not be accessible via + the %{client:} xlat, for clients loaded from SQL. + - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to + msg_callback with 'pseudo' content types. + - Data type "ipv4prefix" is parsed correctly. + - Use correct talloc context in rlm_exec. Fixes #1338. + - Complain in unlang if "else" is used with no previous "if" + or "elsif". + - Send accounting status packets to the accounting port. + Fixes #1364. + - Print out CFLAGS when doing "radiusd -Xxv" + - Fixed bug with coa/acct stats value #1339. Based on patch + from Jorge Pereira. + - Fixes for LEAP proxying. Don't use LEAP! + - Fix issue with "directory already exists" seen when doing + "make install". + - Fixed bug with radmin related to the option "stats detail + " + - Complain if the detail file reader does not have permission + to read the "detail.work" file. Fixes #1398 + - Fixed SoH. Attributes were not being copied to the virtual + server. + - Used a wrong list to global statistics in "stats". + - Create EAP-PWD identity correctly. Prevents segfaults. + - Dynamically validate authentication types for PEAP and + EAP-MSCHAPv2. + - Fix includes in installed headers. + - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys + correctly. See raddb/mods-available/eap, "disable_tlsv1_2" + - Allow password change to work for MS-CHAP. This requires + 'r=0', because password changes are not retries. + - Fix home server fail-over for home servers using TCP and/or + RadSec. + - Special characters in expanded regexes are now escaped e.g. + User-Name containing '.', and comparing /%{User-Name}/, the + '.' will now be escaped. See src/tests/keywords/regex-escape. + - Use correct authentication vector when sending Access-Reject + replies for RadSec. 
+ - Set FreeRADIUS-Proxied-To in TTLS again. You should use the + "inner-tunnel" virtual server, instead of relying on this + attribute. + - Fix debugging constants in rlm_perl. Patch from Herwin + Weststrate. + - Add samba-dev / samba4-dev to debian builds so that + rlm_mschap can automatically use the new winbind API. + - Automatically skip zero-length attributes when sending + packets, instead of erroring out. + +------------------------------------------------------------------- +Mon Oct 26 12:45:59 UTC 2015 - jkeil@suse.de + +- fix bsc#951404 + * Rebuild of freeradius-server package fails + * fix source url + - ftp://ftp.freeradius.org/pub/freeradius/ + + ftp://ftp.freeradius.org/pub/freeradius/old/ ------------------------------------------------------------------- Mon Oct 5 19:50:27 UTC 2015 - michael@stroeder.com - update to 3.0.10 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog + * Changes of version 3.0.10 + + Feature improvements + - Do more optimization of unlang policies. This makes run-time + a bit faster. + - Re-name most of the functions in src/lib. Third-party module + authors will have to do the same. + - More documentation on contributing and how to write modules. + - Update radiusd.service for systemd. + - Open IPv6 proxy socket if the server is listening on IPV6 + auth / acct / coa packets. + - Create debian packages for DHCP. Fixes #1125. + - Add more tests for "update" section parsing. + - Update "man" pages. + - Update attributes for Alcatel 7750 + - Add dictionary for Boingo Wi-Fi + - Add support for DHCP lease queries. + See raddb/sites-available/dhcp + - On HUP, check all modules for config files which have + changed. And only re-load those modules. + - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS + packets. Patch from Herwin Weststrate. + - Documentation fixes from Alan Buxey and Matthew Newton. + - Update "logrotate" script. 
+ - Added more RFCs to doc/rfc for new standards implemented by + FreeRADIUS. + - Don't crash when doing "radmin -e "help hup". Patch from + Matthew Newton. + - The dictionary parser now does more sanity checks, which + prevents run-time problems with invalid attributes. + - Update debian packages. Patches from Christopher Hoskin. + - Many other debian packaging fixes from Matthew Netwon and + Herwin Weststrate. + - Add "session-state" to Perl. Patch from Herwin Weststrate. + + Bug Fixes + - Fix rlm_files so that there are no collisions when loading + 10's of 1000's of users. + - Fix radclient to use our internal v4/v6 parsing functions. + v6 addresses with ports now work correctly. + - Fix sending/receiving packet messages to wrap v6 addresses + in square brackets '[]'. + - Check for sasl/sasl.h when building rlm_ldap, and disable + SASL functionality if unavailable. + - Fix issue which caused a non \0 terminated buffer to be + assigned to attributes if the value being assigned contained + an invalid escape sequence. + - Fix deadlock when reconnecting connections in the connection + pool. + - Fix potential overrun in functions that used fr_utf8_char + with a non nul terminated buffer. + - Fix decoding issue for Tunnel-Password type attributes which + were very long. Found by Denis Andzakovic. + - Fix radclient issue with TCP sockets on FreeBSD. + - The server now creates ${run_dir} and ${logdir} directories + in daemon mode, when running as "root". + - Handle tags when using maps. Fixes #1191. + - Fix crash when CoA packets time out. + - Fix parse error in rediswho + - Fix regex support in SQL radcheck the "users" file and + radsniff. + - Register listen xlat earlier, so that it's available when + the virtual servers are being parsed. + - Parse Ascend-Data-Filter when given as "0x..." + - Print Ascend-Data-Filter correctly. Add test cases for both. + - Allow old-style clients again. They will be disallowed for + 3.1.0 and following. 
+ - Complain instead of crash when "else" and "elsif" are in the + wrong place. + - Clean up memory more aggressively. This lowers the maximum + memory used, most typically for TLS based EAP methods. + - Prevent the server from unlinking the control socket of an + already running instance. + - Fallback to using the configured OCSP URL if one exists, and + no URL is provided in the certificate. + - Return CoA-NAK if proxying CoA fails. Based on patch from + Jorge Pereira. + - Lower peak memory usage by decreasing size of internal + memory pools. + - The control socket is now left in place if a second copy of + the server is accidentally started. + - Allow virtual attributes in "switch", "case", etc. Fixes + #1240 and #1265. + - Many spell check / typo fixes in comments and example + configuration files. + - Better handle multiple DHCP listeners. + - Don't print secrets for old-style realms. Fixes #1267. + - Don't fall through in empty "case" statements. Fixes #1274. + - Update EAP-TTLS so that MPPE keys are correctly calculated + with TLSv1.2. + - Always delete MS-MPPE-* from the TTLS inner tunnel. This + allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. + - Fix off by one error that caused some MSCHAP-Error messages + to be sent without the password change version (V=3) and the + textual message component (M=). + - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 + does not say that any of these fields are optional, and not + including V= caused errors with wpa_supplicant. + - Do not include M= in MSCHAPv1 errors. It's not supported. ------------------------------------------------------------------- Fri Aug 7 10:56:29 UTC 2015 - jkeil@suse.de 
@@ -42,12 +329,126 @@ Fri Aug 7 10:56:29 UTC 2015 - jkeil@suse.de * Create winbind group * Add radiusd to winbind group +------------------------------------------------------------------- +Tue Aug 4 15:19:06 UTC 2015 - jkeil@suse.de + +- Remove gpg signature file + * The gpg signature checking is broken and doesn't work + +------------------------------------------------------------------- +Tue Aug 4 14:28:24 UTC 2015 - jkeil@suse.de + +- Fix bsc#935573: Insufficent CRL application for intermediate certificates + * CVE-2015-4680 + * freeradius-server-CVE-2015-4680.patch based on + https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3 + ------------------------------------------------------------------- Wed Jul 8 20:05:24 UTC 2015 - michael@stroeder.com - update to 3.0.9 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog + * Changes of version 3.0.9 + + Feature improvements + - Make "pool" configurations more consistent, and update + documentation for them. + - Move connection pool logic to "most recently started", + instead of MRU. This should help with pool stability. + - More VSAs for 3GPP2 + - Added examples of multi-value attributes to rlm_perl. + - LDAP-Group and SQL-Group attributes are now dynamically + allocated. + - Only the "sql" module registers SQL-Group. Other instances + register "instance-name-SQL-Group", similarly to "ldap". + - Unknown attributes are now complained about more often when + used in unlang statements. e.g. if (Foo-Bar == 3) used to be + a string to string comparison. It is now a parse error. + - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many + things easier. + - Move to C99 initializers for modules. + - Load modules in raddb/mods-enabled. This allows attributes + like "LDAP-Group" to be used in the "files" module, without + explicit ordering or listing in "instantiate". + - Added 'bootstrap' section to modules. 
Third-party modules + will need to be updated. + - When adding clients from a DB, add them to a virtual server + if that virtual server has a "listen" section. Otherwise, + add the clients to the global list. + - When reading dynamic clients from a file, don't expire them + if the underlying file is unchanged. + - Allow the server to originate CoA requests from the + post-auth stage. + - The server creates ${run_dir} and ${logdir} in daemon mode, + if they do not already exist. + - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server + now supports all mandatory and optional attributes for this + specification. + - HUP now re-loads the configuration only if the files have + changed. If all files are unchanged, HUP re-opens the log + file, and does nothing else. + - Much better debug messages for EAP-TLS, including which + attributes are cached, and when they are retrieved. + - Increase default max_requests to 16384. Memory is cheap now. + - Added "stats memory" commands to radmin. Debug build only. + - Aptilo controller dictionary updates. + - SQL modules now use Acct-Unique-Session-Id everywhere. + - The redis modules are now stable. + - The LDAP module now supports SASL "interactive bind" method. + This allows Kerberos based administrator and user binds. + - DHCP code is now in libfreeradius-dhcp. + - More DHCP encoding / decoding unit tests. + - rlm_replicate can now be listed in the "accounting" section. + - Better sqlite debugging output. + - Remove "required" option from many sql_ippool directives. + - Set default CA "basic constraints" to "critical". Fixes #1073 + - Updates to help / man pages from Jorge Pereira. + - Added more tests. + + Bug Fixes + - Be more careful about unused config item warnings when + using -Xx. + - Move more defines to be auto-generated. + - Allow virtual servers in proxy fallback. + - Allow %{module:} to work. + - Don't crash in RadSec. Closes #980. + - Return better errors when a unix group / user is not found. 
+ - Re-enable detail module "locking" parameter. + - Don't crash when logging replies from Status-Server packets. + - The couchbase module now uses "update" instead of "map", for + consistent with the rest of the server. + See raddb/mods-available/couchbase + - Don't require NT-Password for MS-CHAP password changes. + - Be a bit more careful about decrypting MS-CHAP-MPPE-Key + attributes. Closes #1013. There is no perfect fix, tho. + - Fix security issues with EAP-PWD. + See http://freeradius.org/security.html#eap-pwd-2015 + - Fix dynamic clients read from SQL in non-debug mode + - MS-CHAP now allows retries (i.e. password change) when + passwords are expired. + - Allow "user=radiusd" when the server is already user + "radiusd" + - suid up/down works on non-Linux systems. This means that the + control socket should have the correct ownership. + - Fix issue which caused the server to sometimes have problems + when a home server was marked zombie. + - Fix format.pl because Perl is now more picky. + - Fix proxy to Packet-Dst-IP-Address, so that it uses the + correct destination port. + - Fix corner case with cursor functions and removal. + - OpenDirectory fixes and documentation. + - Fix leaks in rlm_redis. + - RFC 6929 "evs" attributes are now encoded / decoded properly. + - Fix talloc pool leaks when receiving malformed or + retransmitted Accounting/CoA requests. + - Printed attributes again use double quotes instead of single + quotes. + - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to + eap.conf. Fixes oCert CVE-2015-4680. + - rlm_expr now errors out correctly on malformed attribute + references instead of triggering an assert. + - Make "break" work in "foreach" loops + - Allow dynamic expansions to work again in the "hints" file. + - Correct minor typos in comments and examples from Alan Buxy. + - Re-urlencode the path portion of ldapi:// urls before + passing it to ldap_initialise. 
- freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so 
@@ -61,8 +462,89 @@ Thu Apr 23 14:22:17 UTC 2015 - vcizek@suse.com Wed Apr 22 20:31:44 UTC 2015 - michael@stroeder.com - update to 3.0.8 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog + * Changes of version 3.0.8 + + Feature improvements + - Allow syslog_severity to be set in rlm_linelog. + - Allow defaults to be set for bulk clients in LDAP and + couchbase. + - Updates to dhcpclient. Patches from Nicolas C. + - rlm_mschap now supports direct connections to winbind, + which is faster than ntlm_auth. + See raddb/mods-available/mschap. Patch from Matthew Newton. + - Recommend /dev/urandom for TLS randomness, instead of + ${certdir}/random + - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. + - Allow Expanded EAP types where vendor is 0 (IETF) and type + is normal EAP type. Supplicants sending Expanded EAP types + like this are broken. + - Add support for server side sort controls when searching + for user objects in rlm_ldap. + + Bug Fixes + - Don't complain about "authorize" in "server {}" blocks, but + only if there's no "server" block. + - Fix cosmetic issue where debug from the first packet read by + a detail reader thread would be emited during config parsing. + - Fix ASSERT on truncated detail packets. + - Don't use main server log functions from within panic_action, + as in the case of syslog this would cause deadlocks if the + fault was triggered from within a malloc. + - Fix issue in "switch" when "correct_escapes = false". + Fixes #911. + - Fix sqlcounter configuration to use "%%b" instead of "%b", + otherwise the new syntax validation will fail. + - Allow forward references in configuration items. Modules + aren't always loaded in a sane order. + - Fix more escaping issues. Closes #912. + - Decode MAC addresses correctly for VMPS. + - Fix memory leak with TLS connections. + - Fix state machine threading issues for conflicting packets. + - Fix copy_request_to_tunnel issues for tagged attributes. 
+ - Allow "ok" to over-ride "updated" inside of Auth-Type + sections. + - Update state machine so that post-proxy is run though child + threads for performance, instead of blocking the main thread. + - Allow "netmask" to work again in client definitions. + - Relax restrictions on SQL group queries. + - track outgoing proxy sockets and clean them up more + aggressively. + - track proxy statistics, including CoA and Disconnect. + - If radmin has a connection failure when running a command, + it re-connects and runs the command again. + - mark home servers "unknown" less aggressively. + - Fix potential SEGV in PostgreSQL driver on error. + - Fix issue where fields like nas_type would not be + accessible via the %{client:} xlat, for dynamic clients. + - Set default busy_timeout (of 200ms) in the sqlite driver, so + writes don't cause selects to fail in multithreaded mode. + This is user configurable, and may be increased if required. + - Convert Password-With-Header attributes to binary (from hex + or base64), in the authorize method of rlm_pap. + - Fix invalid assert in state.c, that could cause abort in + post-auth. + - Fix double free when -m flag is used, and connection pools + are referenced by multiple modules. + - RADIUS over TLS accounting uses the same port as + authentication. + - Regularized return codes from radmin commands. + - Fix RHEL spec file so it works correctly for Centos7 which + uses systemd, and didn't like the SystemV init script. + - radwho and radlast now have a -D option to load dictionaries + - DHCP packets are no longer checked for duplicates. + - Don't crash in sql module group comparisons in corner case. + - Calculate MPPE keys correctly when using TLS 1.2. + - Fix load-balance sections. Closes #945 + - TLS certificates are available again in the post-auth + section. They are not available for session resumption. + - radclient encodes CHAP-Password properly when using -c + Closes #955. 
+ - Fix issue in rlm_cache_memcached driver that caused variable
+ length values to be truncated.
+ - Fix track functionality in detail reader, so it no longer
+ fails with a "Failed marking detail request as done: Bad
+ file descriptor" error.
+ - Actually add the peer identity (as User-Name) to the inner
+ tunnel in EAP-PWD requests, so it's available for lookups.
+ - Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
 - new set of consolidated patch files:
 deleted:
 * freeradius-server-2.1.1-logrotate_su.patch
diff --git a/freeradius-server.spec b/freeradius-server.spec
index c7bf57e..51f424a 100644
--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@@ -25,16 +25,21 @@ Release: 0
 %if 0%{?suse_version} > 1140
 %bcond_without systemd
-%bcond_without freetds
 %bcond_without libjson
 %define runpath /run
 %else
 %bcond_with systemd
-%bcond_with freetds
 %bcond_with libjson
 %define runpath /var/run
 %endif
+# Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS.
+%if 0%{?suse_version} > 1330 || ( 0%{?suse_version} > 1140 && 0%{?is_opensuse} )
+%bcond_without freetds
+%else
+%bcond_with freetds
+%endif
+
 %if 0%{?is_opensuse}
 %bcond_without memcached
 %else
@@ -47,6 +52,8 @@ Group: Productivity/Networking/Radius/Servers
 Url: http://www.freeradius.org/
 Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2
 Source99: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2.sig
+# keyring downloaded via link @ ftp://ftp.freeradius.org/pub/freeradius/README
+Source100: freeradius.keyring
 Source1: radiusd.service
 Source2: freeradius-tmpfiles.conf
 Patch1: freeradius-server-tmpfiles.patch
@@ -54,6 +61,8 @@ Patch2: freeradius-server-radiusd-logrotate.patch
 Patch3: freeradius-server-rcradiusd.patch
 Patch4: freeradius-server-fix-cert-bootstrap.patch
 Patch5: freeradius-server-rlm_sql_unixodbc-configure.patch
+Patch6: freeradius-server-radclient-init-error-buffer.patch
+Patch7: freeradius-server-opensslversion.patch
 BuildRequires: apache2-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: db-devel
@@ -84,7 +93,7 @@ BuildRequires: libtool
 BuildRequires: ncurses-devel
 BuildRequires: net-snmp-devel
 BuildRequires: openldap2-devel
-BuildRequires: openssl-devel
+BuildRequires: openssl-devel > 1.0
 BuildRequires: pam-devel
 BuildRequires: perl
 BuildRequires: postgresql-devel
@@ -112,7 +121,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %{?libperl_requires}
 Conflicts: radiusd-livingston radiusd-cistron icradius
 %if %{with systemd}
-BuildRequires: systemd
+BuildRequires: pkgconfig(systemd)
 %{?systemd_requires}
 %endif
@@ -226,6 +235,8 @@ FreeRADIUS plugin providing SQLite support.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %build
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
@@ -259,12 +270,13 @@ export LDFLAGS="-pie"
 --without-rlm_cache_memcached \
 %endif
 %if ! %{with freetds}
- --without-rlm_freetds \
+ --without-rlm_sql_freetds \
 %endif
 %if ! %{with json}
 --without-rlm_rest \
 %endif
- --disable-silent-rules
+ --disable-silent-rules \
+ --disable-openssl-version-check
 make %{?_smp_mflags}
 %install
@@ -346,12 +358,6 @@ getent passwd radiusd >/dev/null || %{_sbindir}/useradd -r -g radiusd \
 %endif
 %post
-# Generate default certificates
-if [ $1 -eq 1 ]; then
- %{_sysconfdir}/raddb/certs/bootstrap
-fi
-chgrp radiusd %{_sysconfdir}/raddb/certs/*
-
 %if %{with systemd}
 %service_add_post %{unitname}.service
 systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
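Review bot: `--disable-openssl-version-check` is added without a comment, and the .changes entry in this commit says it stops radiusd from detecting "vulnerable" OpenSSL versions, so a future maintainer reading only the spec will not know this build intentionally skips that check or when it could be re-enabled. A comment line above the option, `# SUSE backports OpenSSL fixes without bumping the version, so upstream's vulnerable-version check gives false positives (bnc#1021375)`, keeps the rationale next to the flag; the same applies to the Patch7 line in the @@ -54 hunk, which removes the related libssl link-consistency check. The configure invocation this line continues starts before the hunk.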
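Review bot: Removing the whole %post block also drops `chgrp radiusd %{_sysconfdir}/raddb/certs/*`, not only the bootstrap call; that chgrp ran on every %post, including upgrades, so it presumably also repaired the group of certificates an administrator had generated by hand so the radiusd user created above could read the key material, and the hunk shows nothing replacing it. If the intent is only to stop generating certificates, the group fix-up can stay as `chgrp radiusd %{_sysconfdir}/raddb/certs/* 2>/dev/null || :` so manually created files are still made readable by the service on the next upgrade. The "end-user needs to do this manually" step from the .changes entry is also not surfaced anywhere in the package itself; a README.SUSE note or a %post message would make it discoverable, since a default raddb that references certs/ will otherwise fail at first start with no hint why.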
@@ -604,8 +610,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %{_sbindir}/radrelay
 %{_sbindir}/raddebug
 # man-pages
-%doc %{_mandir}/man5/*
-%doc %{_mandir}/man8/*
+%{_mandir}/man5/*
+%{_mandir}/man8/*
 # dictionaries
 %attr(755,root,root) %dir %{_datadir}/freeradius
 %{_datadir}/freeradius/*
@@ -665,7 +671,9 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %{_libdir}/freeradius/rlm_sql.so
 %{_libdir}/freeradius/rlm_sqlcounter.so
 %{_libdir}/freeradius/rlm_sqlippool.so
+%if %{with freetds}
 %{_libdir}/freeradius/rlm_sql_freetds.so
+%endif
 %{_libdir}/freeradius/rlm_sql_null.so
 %{_libdir}/freeradius/rlm_test.so
 %{_libdir}/freeradius/rlm_unix.so
@@ -681,7 +689,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %files utils
 %defattr(-,root,root)
-%doc %{_mandir}/man1/*
+%{_mandir}/man1/*
 %{_bindir}/*
 %files libs
diff --git a/freeradius.keyring b/freeradius.keyring
new file mode 100644
index 0000000..627ca9f
Binary files /dev/null and b/freeradius.keyring differ