pool/freeradius-server
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 453646 from home:adamm:branches:network

Browse Source 
- Merge changes from SLE to OpenSUSE (FATE#322416):
  * freeradius-server-radclient-init-error-buffer.patch - make sure
    we initialize error buffer. bsc#911886: radclient error free()
    invalid pointer
  * freeradius-server-opensslversion.patch: remove OpenSSL version
    check and assume we know what we are doing. (bnc#1013311)
  * merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
  security fixes do not necessarily bump version numbers as
  does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
  manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc

- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast

OBS-URL: https://build.opensuse.org/request/show/453646
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=89
This commit is contained in:
Adam Majer 2017-02-06 10:58:11 +00:00 committed by Git OBS Bridge
parent 849b165adf
commit 5d3beec849
5 changed files with 575 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
freeradius-server-opensslversion.patch Normal file
View File

@ -0,0 +1,46 @@
Author: Adam Majer <adam.majer@suse.de>
Summary: SUSE OpenSSL version scheme does not follow upstream.
Relax, breathe, apply.
Index: freeradius-server-3.0.12/src/main/version.c
===================================================================
--- freeradius-server-3.0.12.orig/src/main/version.c
+++ freeradius-server-3.0.12/src/main/version.c
@@ -50,36 +50,7 @@ static long ssl_built = OPENSSL_VERSION_
*/
int ssl_check_consistency(void)
{
- long ssl_linked;
-
- ssl_linked = SSLeay();
-
- /*
- * Status mismatch always triggers error.
- */
- if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
- mismatch:
- ERROR("libssl version mismatch. built: %lx linked: %lx",
- (unsigned long) ssl_built,
- (unsigned long) ssl_linked);
-
- return -1;
- }
-
- /*
- * Use the OpenSSH approach and relax fix checks after version
- * 1.0.0 and only allow moving backwards within a patch
- * series.
- */
- if (ssl_built & 0xf0000000) {
- if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
- (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
- /*
- * Before 1.0.0 we require the same major minor and fix version
- * and ignore the patch number.
- */
- } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
-
+ // noop, since ABI is compatible for SUSE OpenSSL
return 0;
}

12
freeradius-server-radclient-init-error-buffer.patch Normal file
View File

@ -0,0 +1,12 @@
Index: freeradius-server-3.0.3/src/main/radclient.c
===================================================================
--- freeradius-server-3.0.3.orig/src/main/radclient.c
+++ freeradius-server-3.0.3/src/main/radclient.c
@@ -1180,6 +1180,7 @@ int main(int argc, char **argv)
fr_perror("radclient");
return 1;
}
+ fr_strerror_printf(""); /* Initialize the error buffer */
fr_strerror(); /* Clear the error buffer */
/*

506
freeradius-server.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Mon Jan 30 15:46:54 UTC 2017 - adam.majer@suse.de
- Merge changes from SLE to OpenSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
-------------------------------------------------------------------
Sun Jan 1 13:39:57 UTC 2017 - jengelh@inai.de
@ -5,12 +25,93 @@ Sun Jan 1 13:39:57 UTC 2017 - jengelh@inai.de
- Use SUSE RPM group names. Trim filler words from description.
- Do not hide errors from groupadd/useradd.
-------------------------------------------------------------------
Fri Nov 18 14:48:59 UTC 2016 - adam.majer@suse.de
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
-------------------------------------------------------------------
Thu Sep 29 20:14:34 UTC 2016 - michael@stroeder.com
- update to 3.0.12
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
- update to 3.0.12 - still fate#320481
The focus of this release is stability.
* Feature improvements
+ Add support for =~ and !~ in update sections. See "man unlang"
+ Add dictionary.checkpoint.
+ Simultaneous-Use prints out more information.
+ Print WARNING in debug mode when packets may be truncated.
+ Added expansions %{home_server:state} and
%{home_server_pool:state}, which show the state of the
server / pool.
+ Mark rlm_sql_freetds as stable.
+ Make rlm_perl less fragile. Patch from Herwin Weststrate.
+ Allow extended attributes to have "encrypt=2"
+ Update dictionary.aruba.
+ Add support for EAP-FAST. This is an isolated feature which
does not affect anything else.
+ Update OpenSSL vulnerability list. Use a version of OpenSSL
released after September 20, 2016.
+ EAP certificate verification is now done when "verify" is
enabled and "ocsp" is disabled.
+ New dhcpclient and rlm_rad_counter man pages.
+ Minor abfab and moonshot additions.
+ Pass CFLAGS through from environment in RPM builds. Allows
more custom builds.
+ Build with Heimdal in addtion to libkrb5.
* Bug Fixes
+ Use correct typedef for older versions of sqlite.
+ Update mssql schema to add priority
+ don't complain on /dev/urandom in ldap
+ fix == operator in update sections
+ Don't create DHCP strings with many trailing zeros.
+ Allow MS-CHAP change passwords instead of complaining on
large buffer.
+ Allow assignment or equality operator on SQL.
+ Update aclocal tests for FreeBSD 10.
+ Remove occasional hang in rlm_linelog.
+ Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
+ A few minor bugfixes caught in v3.1.x cleanup, and
back-ported to v3.0.x.
+ do_not_respond again works in post-proxy
+ Allow realm "~^.*$" {} and User-Name with no realm.
+ Fix leak when creating unknown attributes
+ Fix Debian / logrotate.
+ Make OpenSSL error functions thread-safe.
+ Fix crash with rlm_sql and updating SQL-User-Name.
+ Debian build updates.
+ Allow regular expression comparisons in radclient.
+ Fix memory leak on unknown attributes in detail file reader.
+ Update example paths in "man" pages when installing them
+ Build fixes for rlm_mschap. Fixes #1489.
+ BSD build fixes. Patch from issue #1583.
+ Be more careful about /lib/ when building. Fixes #1585.
+ Correct ifdef placement error. Fixes #1572.
+ Allow for more files in internal "exfile" API So it will be
possible to open more than 64 "detail" files at the same
time.
+ Remove support for statically built EAP modules. Fixes #1591.
+ Many fixes to rlm_python from Guillaume Pannatier.
+ Use correct week adjustment in SQLcounter. Fixes #1608
+ Minor fixes to allow compilation without DHCP, VMPS, or TCP.
+ Fix checks for module / config file change on HUP.
+ Compile regex comparisons when sent via "debug condition".
+ Update filenames in documentation and examples.
+ Don't crash if SQL connection becomes unavailable.
+ Disallow originate_coa when proxy_requests = no.
+ Free rad_perlconf_hv in correct perl context.
+ Multiple fixes for Debian builds. #1510, among others.
+ Set OpenSSL FIPS compatibility flag when necessary.
+ Pulled fixes for the build system over from other branches.
+ Fix OCSP for RADIUS over TLS.
+ Fix skip_if_ocsp_ok behavior.
+ Better fixes for systems without closefrom() but which have
/proc.
+ Minor build fixes back-ported from v4.0.x.
+ build --whout-ascend-binary. Fixes #1761.
+ Be more aggressive about not opening new connections in
debug mode after CTRL-C. Address #1604.
-------------------------------------------------------------------
Fri Sep 2 12:16:56 UTC 2016 - adam.majer@suse.de
@ -24,16 +125,202 @@ Fri Sep 2 12:16:56 UTC 2016 - adam.majer@suse.de
Mon Jan 25 18:48:55 UTC 2016 - michael@stroeder.com
- removed installation of experimental module rlm_sqlhpwippool.so
- update to 3.0.11
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763,
bsc#935573, CVE-2015-4680)
* Changes of version 3.0.11
+ Feature improvements
- "unlang" comparisons of IP addresses to IP prefixes are now
detected, and types automatically cast.
- Allow shorthand form of ipv4prefix values e.g. 127/8.
- Add "auto_chain" to raddb/mods-available/eap, tls subsection.
This allows the disabling of OpenSSL auto-chaining of
certificates. Which might be wrong.
- Added printing of coa and disconnect stats (radmin).
- radclient defaults to expecting Access-Accept responses to
Status-Server.
- Updated dictionary.lancom, dictionary.starent.
- Portability fixes for Solaris.
- More errors from ntlm_auth gets passed to MS-CHAP.
- Update abfab-tr-idp virtual server.
- Added "filter_password" in policy.d/filter. This removes
embedded zero bytes in User-Password, for compatibility with
broken clients.
- The server now issues a WARNING message if duplicate
configuration items are found.
- TLS can skip the "verify" section if OCSP returns OK. See
raddb/mods-available/eap, "skip_if_ocsp_ok".
- Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the
result from the OCSP check.
- Interoperate with AD and "LmCompatibiltyLevel = 5", by
always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind
in rlm_mschap.
- TTLS and PEAP now require "virtual_server" to be a real
server.
- Print WARNING when TTLS or PEAP identities are spoofed or
not properly anonymized. See RFC 7542 for requirements.
- Various rlm_python fixes from Herwin Weststrate.
- Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
which is useful when the home server does not respond.
- elasticsearch updates from Matthew Newton
+ Bug Fixes
- Fix issue where field nas_type would not be accessible via
the %{client:} xlat, for clients loaded from SQL.
- Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to
msg_callback with 'pseudo' content types.
- Data type "ipv4prefix" is parsed correctly.
- Use correct talloc context in rlm_exec. Fixes #1338.
- Complain in unlang if "else" is used with no previous "if"
or "elsif".
- Send accounting status packets to the accounting port.
Fixes #1364.
- Print out CFLAGS when doing "radiusd -Xxv"
- Fixed bug with coa/acct stats value #1339. Based on patch
from Jorge Pereira.
- Fixes for LEAP proxying. Don't use LEAP!
- Fix issue with "directory already exists" seen when doing
"make install".
- Fixed bug with radmin related to the option "stats detail
<filename>"
- Complain if the detail file reader does not have permission
to read the "detail.work" file. Fixes #1398
- Fixed SoH. Attributes were not being copied to the virtual
server.
- Used a wrong list to global statistics in "stats".
- Create EAP-PWD identity correctly. Prevents segfaults.
- Dynamically validate authentication types for PEAP and
EAP-MSCHAPv2.
- Fix includes in installed headers.
- OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys
correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
- Allow password change to work for MS-CHAP. This requires
'r=0', because password changes are not retries.
- Fix home server fail-over for home servers using TCP and/or
RadSec.
- Special characters in expanded regexes are now escaped e.g.
User-Name containing '.', and comparing /%{User-Name}/, the
'.' will now be escaped. See src/tests/keywords/regex-escape.
- Use correct authentication vector when sending Access-Reject
replies for RadSec.
- Set FreeRADIUS-Proxied-To in TTLS again. You should use the
"inner-tunnel" virtual server, instead of relying on this
attribute.
- Fix debugging constants in rlm_perl. Patch from Herwin
Weststrate.
- Add samba-dev / samba4-dev to debian builds so that
rlm_mschap can automatically use the new winbind API.
- Automatically skip zero-length attributes when sending
packets, instead of erroring out.
-------------------------------------------------------------------
Mon Oct 26 12:45:59 UTC 2015 - jkeil@suse.de
- fix bsc#951404
* Rebuild of freeradius-server package fails
* fix source url
- ftp://ftp.freeradius.org/pub/freeradius/
+ ftp://ftp.freeradius.org/pub/freeradius/old/
-------------------------------------------------------------------
Mon Oct 5 19:50:27 UTC 2015 - michael@stroeder.com
- update to 3.0.10
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
* Changes of version 3.0.10
+ Feature improvements
- Do more optimization of unlang policies. This makes run-time
a bit faster.
- Re-name most of the functions in src/lib. Third-party module
authors will have to do the same.
- More documentation on contributing and how to write modules.
- Update radiusd.service for systemd.
- Open IPv6 proxy socket if the server is listening on IPV6
auth / acct / coa packets.
- Create debian packages for DHCP. Fixes #1125.
- Add more tests for "update" section parsing.
- Update "man" pages.
- Update attributes for Alcatel 7750
- Add dictionary for Boingo Wi-Fi
- Add support for DHCP lease queries.
See raddb/sites-available/dhcp
- On HUP, check all modules for config files which have
changed. And only re-load those modules.
- Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS
packets. Patch from Herwin Weststrate.
- Documentation fixes from Alan Buxey and Matthew Newton.
- Update "logrotate" script.
- Added more RFCs to doc/rfc for new standards implemented by
FreeRADIUS.
- Don't crash when doing "radmin -e "help hup". Patch from
Matthew Newton.
- The dictionary parser now does more sanity checks, which
prevents run-time problems with invalid attributes.
- Update debian packages. Patches from Christopher Hoskin.
- Many other debian packaging fixes from Matthew Netwon and
Herwin Weststrate.
- Add "session-state" to Perl. Patch from Herwin Weststrate.
+ Bug Fixes
- Fix rlm_files so that there are no collisions when loading
10's of 1000's of users.
- Fix radclient to use our internal v4/v6 parsing functions.
v6 addresses with ports now work correctly.
- Fix sending/receiving packet messages to wrap v6 addresses
in square brackets '[]'.
- Check for sasl/sasl.h when building rlm_ldap, and disable
SASL functionality if unavailable.
- Fix issue which caused a non \0 terminated buffer to be
assigned to attributes if the value being assigned contained
an invalid escape sequence.
- Fix deadlock when reconnecting connections in the connection
pool.
- Fix potential overrun in functions that used fr_utf8_char
with a non nul terminated buffer.
- Fix decoding issue for Tunnel-Password type attributes which
were very long. Found by Denis Andzakovic.
- Fix radclient issue with TCP sockets on FreeBSD.
- The server now creates ${run_dir} and ${logdir} directories
in daemon mode, when running as "root".
- Handle tags when using maps. Fixes #1191.
- Fix crash when CoA packets time out.
- Fix parse error in rediswho
- Fix regex support in SQL radcheck the "users" file and
radsniff.
- Register listen xlat earlier, so that it's available when
the virtual servers are being parsed.
- Parse Ascend-Data-Filter when given as "0x..."
- Print Ascend-Data-Filter correctly. Add test cases for both.
- Allow old-style clients again. They will be disallowed for
3.1.0 and following.
- Complain instead of crash when "else" and "elsif" are in the
wrong place.
- Clean up memory more aggressively. This lowers the maximum
memory used, most typically for TLS based EAP methods.
- Prevent the server from unlinking the control socket of an
already running instance.
- Fallback to using the configured OCSP URL if one exists, and
no URL is provided in the certificate.
- Return CoA-NAK if proxying CoA fails. Based on patch from
Jorge Pereira.
- Lower peak memory usage by decreasing size of internal
memory pools.
- The control socket is now left in place if a second copy of
the server is accidentally started.
- Allow virtual attributes in "switch", "case", etc. Fixes
#1240 and #1265.
- Many spell check / typo fixes in comments and example
configuration files.
- Better handle multiple DHCP listeners.
- Don't print secrets for old-style realms. Fixes #1267.
- Don't fall through in empty "case" statements. Fixes #1274.
- Update EAP-TTLS so that MPPE keys are correctly calculated
with TLSv1.2.
- Always delete MS-MPPE-* from the TTLS inner tunnel. This
allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
- Fix off by one error that caused some MSCHAP-Error messages
to be sent without the password change version (V=3) and the
textual message component (M=).
- Always include C= V= and M= in MSCHAPv2 errors. RFC 2759
does not say that any of these fields are optional, and not
including V= caused errors with wpa_supplicant.
- Do not include M= in MSCHAPv1 errors. It's not supported.
-------------------------------------------------------------------
Fri Aug 7 10:56:29 UTC 2015 - jkeil@suse.de
@ -42,12 +329,126 @@ Fri Aug 7 10:56:29 UTC 2015 - jkeil@suse.de
* Create winbind group
* Add radiusd to winbind group
-------------------------------------------------------------------
Tue Aug 4 15:19:06 UTC 2015 - jkeil@suse.de
- Remove gpg signature file
* The gpg signature checking is broken and doesn't work
-------------------------------------------------------------------
Tue Aug 4 14:28:24 UTC 2015 - jkeil@suse.de
- Fix bsc#935573: Insufficent CRL application for intermediate certificates
* CVE-2015-4680
* freeradius-server-CVE-2015-4680.patch based on
https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3
-------------------------------------------------------------------
Wed Jul 8 20:05:24 UTC 2015 - michael@stroeder.com
- update to 3.0.9
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
* Changes of version 3.0.9
+ Feature improvements
- Make "pool" configurations more consistent, and update
documentation for them.
- Move connection pool logic to "most recently started",
instead of MRU. This should help with pool stability.
- More VSAs for 3GPP2
- Added examples of multi-value attributes to rlm_perl.
- LDAP-Group and SQL-Group attributes are now dynamically
allocated.
- Only the "sql" module registers SQL-Group. Other instances
register "instance-name-SQL-Group", similarly to "ldap".
- Unknown attributes are now complained about more often when
used in unlang statements. e.g. if (Foo-Bar == 3) used to be
a string to string comparison. It is now a parse error.
- Rename RLM_COMPONENT_* to MOD_* in the code. This makes many
things easier.
- Move to C99 initializers for modules.
- Load modules in raddb/mods-enabled. This allows attributes
like "LDAP-Group" to be used in the "files" module, without
explicit ordering or listing in "instantiate".
- Added 'bootstrap' section to modules. Third-party modules
will need to be updated.
- When adding clients from a DB, add them to a virtual server
if that virtual server has a "listen" section. Otherwise,
add the clients to the global list.
- When reading dynamic clients from a file, don't expire them
if the underlying file is unchanged.
- Allow the server to originate CoA requests from the
post-auth stage.
- The server creates ${run_dir} and ${logdir} in daemon mode,
if they do not already exist.
- Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server
now supports all mandatory and optional attributes for this
specification.
- HUP now re-loads the configuration only if the files have
changed. If all files are unchanged, HUP re-opens the log
file, and does nothing else.
- Much better debug messages for EAP-TLS, including which
attributes are cached, and when they are retrieved.
- Increase default max_requests to 16384. Memory is cheap now.
- Added "stats memory" commands to radmin. Debug build only.
- Aptilo controller dictionary updates.
- SQL modules now use Acct-Unique-Session-Id everywhere.
- The redis modules are now stable.
- The LDAP module now supports SASL "interactive bind" method.
This allows Kerberos based administrator and user binds.
- DHCP code is now in libfreeradius-dhcp.
- More DHCP encoding / decoding unit tests.
- rlm_replicate can now be listed in the "accounting" section.
- Better sqlite debugging output.
- Remove "required" option from many sql_ippool directives.
- Set default CA "basic constraints" to "critical". Fixes #1073
- Updates to help / man pages from Jorge Pereira.
- Added more tests.
+ Bug Fixes
- Be more careful about unused config item warnings when
using -Xx.
- Move more defines to be auto-generated.
- Allow virtual servers in proxy fallback.
- Allow %{module:} to work.
- Don't crash in RadSec. Closes #980.
- Return better errors when a unix group / user is not found.
- Re-enable detail module "locking" parameter.
- Don't crash when logging replies from Status-Server packets.
- The couchbase module now uses "update" instead of "map", for
consistent with the rest of the server.
See raddb/mods-available/couchbase
- Don't require NT-Password for MS-CHAP password changes.
- Be a bit more careful about decrypting MS-CHAP-MPPE-Key
attributes. Closes #1013. There is no perfect fix, tho.
- Fix security issues with EAP-PWD.
See http://freeradius.org/security.html#eap-pwd-2015
- Fix dynamic clients read from SQL in non-debug mode
- MS-CHAP now allows retries (i.e. password change) when
passwords are expired.
- Allow "user=radiusd" when the server is already user
"radiusd"
- suid up/down works on non-Linux systems. This means that the
control socket should have the correct ownership.
- Fix issue which caused the server to sometimes have problems
when a home server was marked zombie.
- Fix format.pl because Perl is now more picky.
- Fix proxy to Packet-Dst-IP-Address, so that it uses the
correct destination port.
- Fix corner case with cursor functions and removal.
- OpenDirectory fixes and documentation.
- Fix leaks in rlm_redis.
- RFC 6929 "evs" attributes are now encoded / decoded properly.
- Fix talloc pool leaks when receiving malformed or
retransmitted Accounting/CoA requests.
- Printed attributes again use double quotes instead of single
quotes.
- Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to
eap.conf. Fixes oCert CVE-2015-4680.
- rlm_expr now errors out correctly on malformed attribute
references instead of triggering an assert.
- Make "break" work in "foreach" loops
- Allow dynamic expansions to work again in the "hints" file.
- Correct minor typos in comments and examples from Alan Buxy.
- Re-urlencode the path portion of ldapi:// urls before
passing it to ldap_initialise.
- freeradius-server-rlm_sql_unixodbc-configure.patch removes
hard-coded directory in configure script of rlm_sql_unixodbc
- install new module rlm_sqlhpwippool.so
@ -61,8 +462,89 @@ Thu Apr 23 14:22:17 UTC 2015 - vcizek@suse.com
Wed Apr 22 20:31:44 UTC 2015 - michael@stroeder.com
- update to 3.0.8
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
* Changes of version 3.0.8
+ Feature improvements
- Allow syslog_severity to be set in rlm_linelog.
- Allow defaults to be set for bulk clients in LDAP and
couchbase.
- Updates to dhcpclient. Patches from Nicolas C.
- rlm_mschap now supports direct connections to winbind,
which is faster than ntlm_auth.
See raddb/mods-available/mschap. Patch from Matthew Newton.
- Recommend /dev/urandom for TLS randomness, instead of
${certdir}/random
- Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
- Allow Expanded EAP types where vendor is 0 (IETF) and type
is normal EAP type. Supplicants sending Expanded EAP types
like this are broken.
- Add support for server side sort controls when searching
for user objects in rlm_ldap.
+ Bug Fixes
- Don't complain about "authorize" in "server {}" blocks, but
only if there's no "server" block.
- Fix cosmetic issue where debug from the first packet read by
a detail reader thread would be emited during config parsing.
- Fix ASSERT on truncated detail packets.
- Don't use main server log functions from within panic_action,
as in the case of syslog this would cause deadlocks if the
fault was triggered from within a malloc.
- Fix issue in "switch" when "correct_escapes = false".
Fixes #911.
- Fix sqlcounter configuration to use "%%b" instead of "%b",
otherwise the new syntax validation will fail.
- Allow forward references in configuration items. Modules
aren't always loaded in a sane order.
- Fix more escaping issues. Closes #912.
- Decode MAC addresses correctly for VMPS.
- Fix memory leak with TLS connections.
- Fix state machine threading issues for conflicting packets.
- Fix copy_request_to_tunnel issues for tagged attributes.
- Allow "ok" to over-ride "updated" inside of Auth-Type
sections.
- Update state machine so that post-proxy is run though child
threads for performance, instead of blocking the main thread.
- Allow "netmask" to work again in client definitions.
- Relax restrictions on SQL group queries.
- track outgoing proxy sockets and clean them up more
aggressively.
- track proxy statistics, including CoA and Disconnect.
- If radmin has a connection failure when running a command,
it re-connects and runs the command again.
- mark home servers "unknown" less aggressively.
- Fix potential SEGV in PostgreSQL driver on error.
- Fix issue where fields like nas_type would not be
accessible via the %{client:} xlat, for dynamic clients.
- Set default busy_timeout (of 200ms) in the sqlite driver, so
writes don't cause selects to fail in multithreaded mode.
This is user configurable, and may be increased if required.
- Convert Password-With-Header attributes to binary (from hex
or base64), in the authorize method of rlm_pap.
- Fix invalid assert in state.c, that could cause abort in
post-auth.
- Fix double free when -m flag is used, and connection pools
are referenced by multiple modules.
- RADIUS over TLS accounting uses the same port as
authentication.
- Regularized return codes from radmin commands.
- Fix RHEL spec file so it works correctly for Centos7 which
uses systemd, and didn't like the SystemV init script.
- radwho and radlast now have a -D option to load dictionaries
- DHCP packets are no longer checked for duplicates.
- Don't crash in sql module group comparisons in corner case.
- Calculate MPPE keys correctly when using TLS 1.2.
- Fix load-balance sections. Closes #945
- TLS certificates are available again in the post-auth
section. They are not available for session resumption.
- radclient encodes CHAP-Password properly when using -c
Closes #955.
- Fix issue in rlm_cache_memcached driver that caused variable
length values to be truncated.
- Fix track functionality in detail reader, so it no longer
fails with a "Failed marking detail request as done: Bad
file descriptor" error.
- Actually add the peer identity (as User-Name) to the inner
tunnel in EAP-PWD requests, so it's available for lookups.
- Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
- new set of consolidated patch files:
deleted:
* freeradius-server-2.1.1-logrotate_su.patch

38
freeradius-server.spec
View File

@ -25,16 +25,21 @@ Release: 0
%if 0%{?suse_version} > 1140
%bcond_without systemd
%bcond_without freetds
%bcond_without libjson
%define runpath /run
%else
%bcond_with systemd
%bcond_with freetds
%bcond_with libjson
%define runpath /var/run
%endif
# Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS.
%if 0%{?suse_version} > 1330 || ( 0%{?suse_version} > 1140 && 0%{?is_opensuse} )
%bcond_without freetds
%else
%bcond_with freetds
%endif
%if 0%{?is_opensuse}
%bcond_without memcached
%else
@ -47,6 +52,8 @@ Group: Productivity/Networking/Radius/Servers
Url: http://www.freeradius.org/
Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2
Source99: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2.sig
# keyring downloaded via link @ ftp://ftp.freeradius.org/pub/freeradius/README
Source100: freeradius.keyring
Source1: radiusd.service
Source2: freeradius-tmpfiles.conf
Patch1: freeradius-server-tmpfiles.patch
@ -54,6 +61,8 @@ Patch2: freeradius-server-radiusd-logrotate.patch
Patch3: freeradius-server-rcradiusd.patch
Patch4: freeradius-server-fix-cert-bootstrap.patch
Patch5: freeradius-server-rlm_sql_unixodbc-configure.patch
Patch6: freeradius-server-radclient-init-error-buffer.patch
Patch7: freeradius-server-opensslversion.patch
BuildRequires: apache2-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: db-devel
@ -84,7 +93,7 @@ BuildRequires: libtool
BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: openssl-devel > 1.0
BuildRequires: pam-devel
BuildRequires: perl
BuildRequires: postgresql-devel
@ -112,7 +121,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{?libperl_requires}
Conflicts: radiusd-livingston radiusd-cistron icradius
%if %{with systemd}
BuildRequires: systemd
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
@ -226,6 +235,8 @@ FreeRADIUS plugin providing SQLite support.
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
@ -259,12 +270,13 @@ export LDFLAGS="-pie"
--without-rlm_cache_memcached \
%endif
%if ! %{with freetds}
--without-rlm_freetds \
--without-rlm_sql_freetds \
%endif
%if ! %{with json}
--without-rlm_rest \
%endif
--disable-silent-rules
--disable-silent-rules \
--disable-openssl-version-check
make %{?_smp_mflags}
%install
@ -346,12 +358,6 @@ getent passwd radiusd >/dev/null || %{_sbindir}/useradd -r -g radiusd \
%endif
%post
# Generate default certificates
if [ $1 -eq 1 ]; then
%{_sysconfdir}/raddb/certs/bootstrap
fi
chgrp radiusd %{_sysconfdir}/raddb/certs/*
%if %{with systemd}
%service_add_post %{unitname}.service
systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
@ -604,8 +610,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
%{_sbindir}/radrelay
%{_sbindir}/raddebug
# man-pages
%doc %{_mandir}/man5/*
%doc %{_mandir}/man8/*
%{_mandir}/man5/*
%{_mandir}/man8/*
# dictionaries
%attr(755,root,root) %dir %{_datadir}/freeradius
%{_datadir}/freeradius/*
@ -665,7 +671,9 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
%{_libdir}/freeradius/rlm_sql.so
%{_libdir}/freeradius/rlm_sqlcounter.so
%{_libdir}/freeradius/rlm_sqlippool.so
%if %{with freetds}
%{_libdir}/freeradius/rlm_sql_freetds.so
%endif
%{_libdir}/freeradius/rlm_sql_null.so
%{_libdir}/freeradius/rlm_test.so
%{_libdir}/freeradius/rlm_unix.so
@ -681,7 +689,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
%files utils
%defattr(-,root,root)
%doc %{_mandir}/man1/*
%{_mandir}/man1/*
%{_bindir}/*
%files libs

BIN
freeradius.keyring Normal file
View File

Binary file not shown.