- update to 3.0.21
Feature Improvements
* New stored procedure for allocating IPs with PostgreSQL
Rates of 1500 IPs per second are now possible
See raddb/mods-config/sql/ippool/postgresql/procedure.sql
* Add SQL IP pool support for Microsoft SQL Server
See raddb/mods-config/sql/ippool/mssql/
* Added RCNTEC dictionary. Closes#3168.
* Added Pica8 dictionary. Closes#3179.
* Add TLS-Client-Cert-Valid-Since attribute holding not
Before date Patch from Boris Lytochkin. Fixes#3157.
* Generate attributes containing unknown OIDs See raddb/sites-available/tls
* Update the WiMAX dictionary.
* Added ability to rlm_python(Python2) show a stacktrace
from errors. #2979.
* Add WiFi Alliance Policy OIDs.
See raddb/certs/xpextensions
* radmin now shows coa stats, too.
* Sample schema extensions for summarizing data in SQL
See mods-config/sql/main/*/process-radacct.sql
* Update dictionary.aerohive, dictionary.fortinet,
dictionary.arista and dictionary.erx.
* Added VAS Experts dictionary.
* Many updates to RPM and jenkins builds from Matthew Newton.
* Added %C (time now in seconds) and %c (microsecond component of now)
back-ported from the "master" branch.
* Add reload capability to systemd unit file in Debian and RedHat.
* Increase timestamp precision in postauth to maximum supported by each
database and simplify (and make more consistent between drivers)
the timestamps in SQL queries by using expansions.
OBS-URL: https://build.opensuse.org/request/show/787864
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=81
Feature Improvements
* New stored procedure for allocating IPs with PostgreSQL
Rates of 1500 IPs per second are now possible
See raddb/mods-config/sql/ippool/postgresql/procedure.sql
* Add SQL IP pool support for Microsoft SQL Server
See raddb/mods-config/sql/ippool/mssql/
* Added RCNTEC dictionary. Closes#3168.
* Added Pica8 dictionary. Closes#3179.
* Add TLS-Client-Cert-Valid-Since attribute holding not
Before date Patch from Boris Lytochkin. Fixes#3157.
* Generate attributes containing unknown OIDs See raddb/sites-available/tls
* Update the WiMAX dictionary.
* Added ability to rlm_python(Python2) show a stacktrace
from errors. #2979.
* Add WiFi Alliance Policy OIDs.
See raddb/certs/xpextensions
* radmin now shows coa stats, too.
* Sample schema extensions for summarizing data in SQL
See mods-config/sql/main/*/process-radacct.sql
* Update dictionary.aerohive, dictionary.fortinet,
dictionary.arista and dictionary.erx.
* Added VAS Experts dictionary.
* Many updates to RPM and jenkins builds from Matthew Newton.
* Added %C (time now in seconds) and %c (microsecond component of now)
back-ported from the "master" branch.
* Add reload capability to systemd unit file in Debian and RedHat.
* Increase timestamp precision in postauth to maximum supported by each
database and simplify (and make more consistent between drivers)
the timestamps in SQL queries by using expansions.
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=135
Feature Improvements
* Added Force10 dictionary.
* Update dictionary.hp with new attributes. #2690.
* Update dictionary.aruba with new attributes. #2696.
* Fix side-channel leak in EAP-PWD (bsc#1166858, CVE-2019-20510)
* Relax OpenSSL version checks, now that their API is both public, and stable.
* Note that tls_min_version/tls_max_version also support "1.3"
Since there is no standard yet for EAP with TLS 1.3, it will not work.
* Added tripplite dictionary from #2760.
* Switch to the async interface for rlm_sql_postgresql so that
we can enforce query_timeout.
* Added new LDAP option 'allow_dangling_group_ref'.
* Updated documentation and functionality for EAP session caching
See "cache" section of mods-available/eap.
* Tighten systemd unit file security. Fixes#2637.
* Disable TLS 1.0 and TLS 1.1 support in the default configuration
We STRONGLY recommend doing this for all installations.
* Add expansions for *outgoing* Radsec connections
"%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
TLS-Cert-* attributes. Fixes#2839.
* Add %{listen:tls} which returns "yes" or "no" for
TLS or non-TLS connections.
* Update dictionary.lancom with new attributes. #2847.
* Added rlm_sql_mongo. See raddb/mods-available/sql.
Note that this module is experimental.
* Added more documentation in sites-available/robust-proxy-accounting.
* sqlippool now re-allocates unexpired leases, to prevent IP pool
exhaustion when clients perform multiple reauthentication attempts
* Add support to radmin keep the history in ~/.radmin_history.
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=133
- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes
- update to 3.0.18
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes#2252.
* Add sql_session_start policy (raddb/policy.d/accounting)
This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
See raddb/mods-available/perl, and the "perl_flags" configuration item.
This change should only affect people who are using variables in
insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes#2280
* The server is better at handling fail-over for outbound RadSec and
TCP connections. Fixes#2284.
* The server is now more aggressive about retrying failed outbound
RadSec and TCP connections. Fixes#2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for Radsec connections. "%{listen:TLS-...}" for
TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes
in an "update" section.
* Move main thread queue to using atomic queues. This should help
with contention in high load scenarios.
OBS-URL: https://build.opensuse.org/request/show/679792
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=75
- update to 3.0.14 (still FATE#322416)
Feature improvements
* Enforce TLS client certificate expiration on session resumption,
and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
* Updated dictionary.cisco.vpn3000, dictionary.patton
* Added dictionary.dellemc
* Lowered the log output for failed PEAP sessions.
* ALlow utc in rlm_date.
* The internal OpenSSL session cache has been disabled.
Please see mods-available/eap
* Update detail reader documentation.
* Make outgoing RadSec connections non-blocking.
* Add SQL backing to Moonshot-*-TargetedId generation.
Bug Fixes
* radtest uses Cleartext-Password for EAP, not User-Password.
* Update documentation for mods-enabled/ linking.
* Enhanced checks for moonshot salt.
* Allow session resumption for RadSec connections.
* Update "huntgroups" file to note that port ranges are not supported
* Fix OpenSSL permissions issues on default key files.
* Certificates are not required when PSK is used.
* Allow SubjectAltName as first extension in cert.
* Fixed talloc issue with TLS session resumption.
* "&Attr-26 := 0x01" now produces useful error messages.
* Handle connection error in rlm_ldap_cacheable_groupobj.
* Fix endian issues in DHCP.
* Multiple minor fixes for Coverity complaints.
* Handle unexpected regex.
* Fix minor issues in dictionaries.
* Fix typos and grammar. Patches from Alan Buxey.
* Fix erroneous VP creation in rlm_preproces.
* Fix MIB. Patch from Jeff Gehlbach.
* Trust router updates from Alejandro Perez.
* Allow build with LibreSSL.
* Use correct packet for channel bindings.
* Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
a test license. Please see the git commit history for more info.
* Fix incorrect length check in EAP-PWD. This may be exploitable.
* Stop rotating session database files (radutmp, radwtmp) since
these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated
OBS-URL: https://build.opensuse.org/request/show/499628
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=98
- Merge changes from SLE to openSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/455207
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=64
- Merge changes from SLE to OpenSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/453646
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=89