- update to 3.0.20

Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1166858, CVE-2019-20510) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=133
2020-03-24 14:20:37 +00:00 · 2020-03-24 14:20:37 +00:00 · dc40c1af74
commit dc40c1af74
parent ca3a555f3d
9 changed files with 1926 additions and 76 deletions
--- a/freeradius-python3_patches.patch
+++ b/freeradius-python3_patches.patch
--- a/freeradius-server-3.0.19.tar.bz2
+++ b/freeradius-server-3.0.19.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f457c356e07b6c3cce3e05231c68e23bdfba8452d0db479fe1c85e114e6283c9
-size 3127564
--- a/freeradius-server-3.0.19.tar.bz2.sig
+++ b/freeradius-server-3.0.19.tar.bz2.sig
--- a/freeradius-server-3.0.20.tar.bz2
+++ b/freeradius-server-3.0.20.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e25247870aeb154d2f75efde22573095c0f105d85740ef95a2ad186c5e5ec815
+size 3161984
--- a/freeradius-server-3.0.20.tar.bz2.sig
+++ b/freeradius-server-3.0.20.tar.bz2.sig
--- a/freeradius-server-enable-python3.patch
+++ b/freeradius-server-enable-python3.patch
@ -0,0 +1,32 @@
+Index: freeradius-server-3.0.20/src/modules/stable
+===================================================================
+--- freeradius-server-3.0.20.orig/src/modules/stable
+++ freeradius-server-3.0.20/src/modules/stable
+@@ -25,6 +25,7 @@ rlm_passwd
+ rlm_perl
+ rlm_preprocess
+ rlm_python
+rlm_python3
+ rlm_radutmp
+ rlm_realm
+ rlm_rest
+Index: freeradius-server-3.0.20/src/modules/rlm_python3/example.py
+===================================================================
+--- freeradius-server-3.0.20.orig/src/modules/rlm_python3/example.py
+++ freeradius-server-3.0.20/src/modules/rlm_python3/example.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python3
+#!/usr/bin/python3
+ #
+ # Python module example file
+ # Miguel A.L. Paraz <mparaz@mparaz.com>
+Index: freeradius-server-3.0.20/src/modules/rlm_python3/radiusd.py
+===================================================================
+--- freeradius-server-3.0.20.orig/src/modules/rlm_python3/radiusd.py
+++ freeradius-server-3.0.20/src/modules/rlm_python3/radiusd.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python3
+#!/usr/bin/python3
+ #
+ # Definitions for RADIUS programs
+ #
--- a/freeradius-server-opensslversion.patch
+++ b/freeradius-server-opensslversion.patch
@ -2,45 +2,17 @@ Author: Adam Majer <adam.majer@suse.de>
 Summary: SUSE OpenSSL version scheme does not follow upstream.
 Relax, breathe, apply.

-Index: freeradius-server-3.0.12/src/main/version.c
+Index: freeradius-server-3.0.20/src/main/version.c
 ===================================================================
--- freeradius-server-3.0.12.orig/src/main/version.c
-+++ freeradius-server-3.0.12/src/main/version.c
-@@ -50,36 +50,7 @@ static long ssl_built = OPENSSL_VERSION_
+--- freeradius-server-3.0.20.orig/src/main/version.c
+++ freeradius-server-3.0.20/src/main/version.c
+@@ -52,6 +52,9 @@ static long ssl_built = OPENSSL_VERSION_
  */
 int ssl_check_consistency(void)
 {
-	long ssl_linked;
-
-	ssl_linked = SSLeay();
-
-	/*
-	 *	Status mismatch always triggers error.
-	 */
-	if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
-	mismatch:
-		ERROR("libssl version mismatch.  built: %lx linked: %lx",
-		      (unsigned long) ssl_built,
-		      (unsigned long) ssl_linked);
-
-		return -1;
-	}
-
-	/*
-	 *	Use the OpenSSH approach and relax fix checks after version
-	 *	1.0.0 and only allow moving backwards within a patch
-	 *	series.
-	 */
-	if (ssl_built & 0xf0000000) {
-		if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
-		    (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
-	/*
-	 *	Before 1.0.0 we require the same major minor and fix version
-	 *	and ignore the patch number.
-	 */
-	} else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
-
-+	// noop, since ABI is compatible for SUSE OpenSSL
- 	return 0;
- }
+    // noop, since ABI is compatible for SUSE OpenSSL
+    return 0;
+
+ 	long ssl_linked;
 
+ 	ssl_linked = SSLeay();
--- a/freeradius-server.changes
+++ b/freeradius-server.changes
@ -1,3 +1,93 @@
+-------------------------------------------------------------------
+Tue Mar 17 13:42:37 UTC 2020 - Adam Majer <adam.majer@suse.de>
+
+- update to 3.0.20
+
+Feature Improvements
+  * Added Force10 dictionary.
+  * Update dictionary.hp with new attributes. #2690.
+  * Update dictionary.aruba with new attributes. #2696.
+  * Fix side-channel leak in EAP-PWD (bsc#1166858, CVE-2019-20510)
+  * Relax OpenSSL version checks, now that their API is both public, and stable.
+  * Note that tls_min_version/tls_max_version also support "1.3"
+    Since there is no standard yet for EAP with TLS 1.3, it will not work.
+  * Added tripplite dictionary from #2760.
+  * Switch to the async interface for rlm_sql_postgresql so that
+    we can enforce query_timeout.
+  * Added new LDAP option 'allow_dangling_group_ref'.
+  * Updated documentation and functionality for EAP session caching
+    See "cache" section of mods-available/eap.
+  * Tighten systemd unit file security. Fixes #2637.
+  * Disable TLS 1.0 and TLS 1.1 support in the default configuration
+    We STRONGLY recommend doing this for all installations.
+  * Add expansions for *outgoing* Radsec connections
+    "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
+    TLS-Cert-* attributes. Fixes #2839.
+  * Add %{listen:tls} which returns "yes" or "no" for
+    TLS or non-TLS connections.
+  * Update dictionary.lancom with new attributes. #2847.
+  * Added rlm_sql_mongo. See raddb/mods-available/sql.
+    Note that this module is experimental.
+  * Added more documentation in sites-available/robust-proxy-accounting.
+  * sqlippool now re-allocates unexpired leases, to prevent IP pool
+    exhaustion when clients perform multiple reauthentication attempts
+  * Add support to radmin keep the history in ~/.radmin_history.
+  * Add support for ENV and LD_PRELOAD in radiusd.conf.
+    See the new ENV sub-section of radiusd.conf.
+  * Update dictionary.aptilo. #3002.
+  * Update dictionary.airespace. #3039.
+  * Add sites-available/coa-relay, which makes CoA easier #3045.
+  * Add example stored procedure for IP Pools in MySQL
+    See mods-config/sql/ippool/mysql/procedure.sql
+  * Update dictionary.dhcp dictionary with the recent hardware types.
+  * Add experimental rlm_python3. This should largely work
+    the same as rlm_python, which was Python2 only.
+  * Add Dockerfiles for Debian10 and CentOS8.
+  * Add RPM spec file compatibility for RHEL/CentOS 8.
+  * Notes on certificate constraints. See raddb/certs/server.cnf.
+  * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
+
+Bug Fixes
+
+  * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
+  * ERX-Acct-Request-Reason is "integer". Closes #2635.
+  * Fix a slow memory leak in the file management code.
+  * Try to fix file permissions if they get modified while
+    the server is running
+  * Fix slow memory leak with clients.
+  * Fix request and connection timeouts in rlm_rest.
+  * Fix systemd issues.
+  * Fixes from clang analyzer.
+  * Fix missing include for the dictionaries:
+    alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn,
+    audiocodes,avaya,bristol, columbia_university,freedhcp,garderos,
+    infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
+  * Fix internal sanity check when running with "-Xx".
+  * Allow "inner-tunnel" virtual servers to work better
+    with "accept" and "reject" policies.
+  * Fix dictionary.huawei data types for
+    Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
+  * Framed-Interface-ID in postgresql/queries.conf is string,
+    not inet Fixes #2817.
+  * Fix rlm_cache to complain on unknown attributes in the "update"
+    section of its configuration.
+  * Add configure checks for -latomic. This helps on armel,
+    mips and mipsel. Fixes #2828.
+  * Add support to Oracle 19 and 18. Via #2857.
+  * Add support for decoding tags in rlm_rest. Fixes #2848.
+  * Use correct passwords when updating CRLs in raddb/certs/.
+  * Properly separate "originate-coa" packets when accounting
+    packets are read from the detail file reader.
+  * Use the correct virtual server for pre/post-proxy.
+  * radsqlrelay fixes backported from "master" branch
+  * Fix DoS issues due to multithreaded BN_CTX access
+    (bsc#1166847, CVE-2019-17185)
+
+- disable python2 for SLE15 and Factory
+- freeradius-server-enable-python3.patch: enable Python3 module
+- freeradius-python3_patches.patch: backport python3 fixes from upstream
+- freeradius-server-opensslversion.patch: updated
+
 -------------------------------------------------------------------
 Wed Mar 11 13:18:37 UTC 2020 - Adam Majer <adam.majer@suse.de>

--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@ -20,9 +20,15 @@
 %define apxs2 apxs2-prefork
 %define apache2_sysconfdir %(%{_sbindir}/%{apxs2} -q SYSCONFDIR)
 Name:           freeradius-server
-Version:        3.0.19
+Version:        3.0.20
 Release:        0

+%if 0%{?suse_version} >= 1500
+%bcond_with python2
+%else
+%bcond_without python2
+%endif
+
 %if 0%{?suse_version} > 1140
 %bcond_without systemd
 %bcond_without libjson
@ -59,9 +65,11 @@ Source2:        freeradius-tmpfiles.conf
 Patch1:         freeradius-server-tmpfiles.patch
 Patch2:         freeradius-server-radiusd-logrotate.patch
 Patch3:         freeradius-server-rcradiusd.patch
+Patch4:         freeradius-python3_patches.patch
 Patch5:         freeradius-server-rlm_sql_unixodbc-configure.patch
 Patch6:         freeradius-server-radclient-init-error-buffer.patch
 Patch7:         freeradius-server-opensslversion.patch
+Patch8:         freeradius-server-enable-python3.patch
 BuildRequires:  apache2-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  db-devel
@ -96,7 +104,10 @@ BuildRequires:  openssl-devel > 1.0
 BuildRequires:  pam-devel
 BuildRequires:  perl
 BuildRequires:  postgresql-devel
+%if 0%{with python2}
 BuildRequires:  python-devel
+%endif
+BuildRequires:  python3-devel
 BuildRequires:  sqlite3-devel
 BuildRequires:  unixODBC-devel
 %if 0%{?suse_version} > 1110
@ -110,14 +121,12 @@ Requires:       %insserv_prereq
 Requires:       %{name}-libs = %{version}
 Requires:       coreutils
 Requires:       pwdutils
-Requires:       python
 Requires(pre):  openssl
 Requires(pre):  perl
 Recommends:     logrotate
 Provides:       freeradius = %{version}
 Provides:       radiusd
 Obsoletes:      freeradius < %{version}
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{?libperl_requires}
 Conflicts:      radiusd-livingston radiusd-cistron icradius
 %if %{with systemd}
@ -199,12 +208,19 @@ FreeRADIUS plugin providing Perl support.
 %package python
 Summary:        Python support for freeradius
 Group:          System/Daemons
-BuildRequires:  python-devel
 Requires:       %{name} = %{version}

 %description python
 FreeRADIUS plugin providing Python support.

+%package python3
+Summary:        Python3 support for freeradius
+Group:          System/Daemons
+Requires:       %{name} = %{version}
+
+%description python3
+FreeRADIUS plugin providing Python3 support.
+
 %package mysql
 Summary:        MySQL support for freeradius
 Group:          System/Daemons
@ -233,15 +249,10 @@ Requires:       %{name} = %{version}
 FreeRADIUS plugin providing SQLite support.

 %prep
-%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
+%autosetup -p1

 %build
+./autogen.sh
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
 TIME="\"$(date -d "${modified}" "+%%R")\""
@ -251,6 +262,7 @@ export LDFLAGS="-pie"
 %configure \
  --disable-static \
  --libdir=%{_libdir}/freeradius \
+  --with-unixodbc-dir=%{_prefix} \
  --disable-ltdl-install \
  --enable-strict-dependencies \
  --with-edir \
@ -269,6 +281,10 @@ export LDFLAGS="-pie"
  --without-rlm_rediswho \
  --without-rlm_sql_oracle \
  --without-rlm_securid \
+%if ! %{with python2}
+  --without-rlm_python \
+%endif
+  --with-rlm-python3-include-dir=%{_includedir}/python%{python3_version}%{py3_abiflags} \
 %if ! %{with memcached}
  --without-rlm_cache_memcached \
 %endif
@ -313,32 +329,38 @@ cp -al %{buildroot}%{_sbindir}/radiusd %{buildroot}%{_sbindir}/radrelay
 install -D -d -m 0710 %{buildroot}%{runpath}/radiusd
 mv -v doc/README doc/README.doc
 # remove unneeded stuff
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/*.crt
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/*.csr
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/*.der
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/*.key
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/*.pem
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/*.p12
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/index.*
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/serial*
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/dh
-rm -f %{buildroot}%{_sysconfdir}/raddb/certs/random
-rm -rf doc/00-OLD
-rm -rf doc/.gitignore
-rm -rf doc/source/.gitignore
-rm -f %{buildroot}%{_sbindir}/rc.radiusd
-rm -rf %{buildroot}%{_datadir}/doc/freeradius*
-rm -rf %{buildroot}%{_libdir}/freeradius/*.*a
-rm -f %{buildroot}%{_defaultdocdir}/%{name}/Makefile
-rm -f %{buildroot}%{_defaultdocdir}/%{name}/examples/Makefile
-rm -rf %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/mssql
-rm -rf %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/oracle
-rm -rf %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/oracle
-rm -rf %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/oracle
-rm -rf %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/postgresql
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.crl
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.crt
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.csr
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.der
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.key
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.pem
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.p12
+rm %{buildroot}%{_sysconfdir}/raddb/certs/index.*
+rm %{buildroot}%{_sysconfdir}/raddb/certs/serial*
+rm %{buildroot}%{_sysconfdir}/raddb/certs/dh
+#rm -r doc/00-OLD
+#rm -r doc/.gitignore
+#rm -r doc/source/.gitignore
+rm %{buildroot}%{_sbindir}/rc.radiusd
+rm -r %{buildroot}%{_datadir}/doc/freeradius*
+rm -r %{buildroot}%{_libdir}/freeradius/*.*a
+# rm %{buildroot}%{_defaultdocdir}/%{name}/Makefile
+# rm %{buildroot}%{_defaultdocdir}/%{name}/examples/Makefile
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/mssql
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/oracle
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/oracle
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/oracle
+#rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/postgresql
 %if ! %{with json}
 rm %{buildroot}%{_sysconfdir}/raddb/mods-available/rest
 %endif
+%if ! %{with python2}
+rm %{buildroot}%{_sysconfdir}/raddb/mods-available/python
+%endif
+rm %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
+rm %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
+rm %{buildroot}%{_sysconfdir}/raddb/sites-available/coa-relay

 %pre
 getent group radiusd >/dev/null || %{_sbindir}/groupadd -r radiusd
@ -441,8 +463,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/moonshot-targeted-ids/*
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/preprocess/*
-%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python
-%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/python/radiusd.py
+#%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python
+#%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/python/radiusd.py
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool/postgresql
@ -535,7 +557,10 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/pap
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/passwd
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/preprocess
+%if %{with python2}
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/python
+%endif
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/python3
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/radutmp
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/realm
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/redis
@ -729,11 +754,21 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf

 %{_libdir}/freeradius/rlm_perl.so

+%if %{with python2}
 %files python
 %defattr(-,root,root)
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python
+%attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python/radiusd.py
 %{_sysconfdir}/raddb/mods-config/python/example.py*
 %{_libdir}/freeradius/rlm_python.so
+%endif
+
+%files python3
+%defattr(-,root,root)
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python3
+%attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python3/example.py
+%attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python3/radiusd.py
+%{_libdir}/freeradius/rlm_python3.so

 %files mysql
 %defattr(-,root,root)
@ -750,6 +785,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/procedure.sql

 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf