Feature Improvements
* Add "max_retries" for connection pools. Fixes #4908.
* Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
dictionary.wispr; add dictionary.eleven.
* You can now list "eap" in the "pre-proxy" section. If the packet contains a
malformed EAP message, then the request will be rejected. The home server
will either reject (or discard) this packet anyways, so this change can
only help with large proxy scenarios.
* Show warnings if libldap is not using OpenSSL.
* Support RADIUS/1.1. See
https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by
default, can be enabled by passing `--with-radiusv11` to the configure
script. For now, this is for testing interoperability.
* Add extra sanity checks for malformed EAP attributes.
* More TLS debugging output.
* Clear old module instance data before HUP reload. Avoids burst memory use
when e.g. using large data files with rlm_files.
* `rlm_cache_redis` is now included in the freeradius-redis packages.
Bug Fixes
* Don't leak MD contexts with OpenSSL 3.0.
* Increase internal buffer size for TLS connections, which can help with
high-load proxies.
* Send Status-Server checks for TLS connections.
* Give descriptive error if "update CoA" is used with "fake" packets, as it
won't work. i.e. inner-tunnel and virtual home servers.
* Many small ASAN / LSAN fixes from Jorge Pereira.
* Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a
TLS error, it will now close the socket, so proxies do not have an open
(but dead) TLS connection.
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=161
Feature Improvements
* Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries
* Add simultaneous-use queries for MS SQL
* Add radmin command for "stats pool <module-name>"
which prints out statistics about the connection pools.
* Client statistics now shows "conflicts",
to count conflicting packets.
* New optional "lightweight accounting-on/off" strategy.
When refreshing queries.conf you should also add the new
nasreload table and corresponding GRANTs to your DB schema.
* Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps
with Eduroam.
* Allow auth+acct for TCP sockets, too.
* Add rlm_cache_redis. See raddb/mods-available/cache for details.
* Allow radmin to look up home servers by name, too.
* Ensure that dynamic clients don't create loops on duplicates
* Removed rlm_sqlhpwippool. There was no documentation, no configuration,
and the module was ~15 years old with no one using it.
* Marked rlm_python3 as stable.
* Add sigalgs_list. See raddb/mods-available/eap
* For rlm_linelog, when opening files in /dev, look at "permissions"
to see whether to open them r/w.
* More flexibility for dynamic home servers. See
doc/configuration/dynamic_home_servers.md and
raddb/home_servers/README.md.
* Allow setting of application_name for PostgreSQL.
See mods-available/sql.
Bug Fixes
* Correct test for open sessions in radacct for MS SQL.
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=159
Feature Improvements
* New stored procedure for allocating IPs with PostgreSQL
Rates of 1500 IPs per second are now possible
See raddb/mods-config/sql/ippool/postgresql/procedure.sql
* Add SQL IP pool support for Microsoft SQL Server
See raddb/mods-config/sql/ippool/mssql/
* Added RCNTEC dictionary. Closes #3168.
* Added Pica8 dictionary. Closes #3179.
* Add TLS-Client-Cert-Valid-Since attribute holding not
Before date. Patch from Boris Lytochkin. Fixes #3157.
* Generate attributes containing unknown OIDs. See raddb/sites-available/tls
* Update the WiMAX dictionary.
* Added ability for rlm_python (Python2) to show a stacktrace
from errors. #2979.
* Add WiFi Alliance Policy OIDs.
See raddb/certs/xpextensions
* radmin now shows coa stats, too.
* Sample schema extensions for summarizing data in SQL
See mods-config/sql/main/*/process-radacct.sql
* Update dictionary.aerohive, dictionary.fortinet,
dictionary.arista and dictionary.erx.
* Added VAS Experts dictionary.
* Many updates to RPM and jenkins builds from Matthew Newton.
* Added %C (time now in seconds) and %c (microsecond component of now)
back-ported from the "master" branch.
* Add reload capability to systemd unit file in Debian and RedHat.
* Increase timestamp precision in postauth to maximum supported by each
database and simplify (and make more consistent between drivers)
the timestamps in SQL queries by using expansions.
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=135
Feature Improvements
* Added Force10 dictionary.
* Update dictionary.hp with new attributes. #2690.
* Update dictionary.aruba with new attributes. #2696.
* Fix side-channel leak in EAP-PWD (bsc#1166858, CVE-2019-20510)
* Relax OpenSSL version checks, now that their API is both public, and stable.
* Note that tls_min_version/tls_max_version also support "1.3"
Since there is no standard yet for EAP with TLS 1.3, it will not work.
* Added tripplite dictionary from #2760.
* Switch to the async interface for rlm_sql_postgresql so that
we can enforce query_timeout.
* Added new LDAP option 'allow_dangling_group_ref'.
* Updated documentation and functionality for EAP session caching
See "cache" section of mods-available/eap.
* Tighten systemd unit file security. Fixes #2637.
* Disable TLS 1.0 and TLS 1.1 support in the default configuration
We STRONGLY recommend doing this for all installations.
* Add expansions for *outgoing* Radsec connections
"%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
TLS-Cert-* attributes. Fixes #2839.
* Add %{listen:tls} which returns "yes" or "no" for
TLS or non-TLS connections.
* Update dictionary.lancom with new attributes. #2847.
* Added rlm_sql_mongo. See raddb/mods-available/sql.
Note that this module is experimental.
* Added more documentation in sites-available/robust-proxy-accounting.
* sqlippool now re-allocates unexpired leases, to prevent IP pool
exhaustion when clients perform multiple reauthentication attempts
* Add support to radmin to keep the history in ~/.radmin_history.
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=133
- update to 3.0.14 (still FATE#322416)
Feature improvements
* Enforce TLS client certificate expiration on session resumption,
and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
* Updated dictionary.cisco.vpn3000, dictionary.patton
* Added dictionary.dellemc
* Lowered the log output for failed PEAP sessions.
* Allow utc in rlm_date.
* The internal OpenSSL session cache has been disabled.
Please see mods-available/eap
* Update detail reader documentation.
* Make outgoing RadSec connections non-blocking.
* Add SQL backing to Moonshot-*-TargetedId generation.
Bug Fixes
* radtest uses Cleartext-Password for EAP, not User-Password.
* Update documentation for mods-enabled/ linking.
* Enhanced checks for moonshot salt.
* Allow session resumption for RadSec connections.
* Update "huntgroups" file to note that port ranges are not supported
* Fix OpenSSL permissions issues on default key files.
* Certificates are not required when PSK is used.
* Allow SubjectAltName as first extension in cert.
* Fixed talloc issue with TLS session resumption.
* "&Attr-26 := 0x01" now produces useful error messages.
* Handle connection error in rlm_ldap_cacheable_groupobj.
* Fix endian issues in DHCP.
* Multiple minor fixes for Coverity complaints.
* Handle unexpected regex.
* Fix minor issues in dictionaries.
* Fix typos and grammar. Patches from Alan Buxey.
* Fix erroneous VP creation in rlm_preprocess.
* Fix MIB. Patch from Jeff Gehlbach.
* Trust router updates from Alejandro Perez.
* Allow build with LibreSSL.
* Use correct packet for channel bindings.
* Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
a test license. Please see the git commit history for more info.
* Fix incorrect length check in EAP-PWD. This may be exploitable.
* Stop rotating session database files (radutmp, radwtmp) since
these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated
OBS-URL: https://build.opensuse.org/request/show/499628
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=98
- Merge changes from SLE to OpenSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/453646
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=89
- minor adjustments/cleanup of spec and changes
- update to 3.0.8
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
- new set of consolidated patch files:
deleted:
* freeradius-server-2.1.1-logrotate_su.patch
* freeradius-server-2.1.6-rcradiusd.patch
* freeradius-server-initscript-pidfile.patch
* freeradius-server-radius-reload-logrotate.patch
* freeradius-server-var_run.patch
added:
* freeradius-server-radiusd-logrotate.patch
* freeradius-server-rcradiusd.patch
* freeradius-server-tmpfiles.patch
OBS-URL: https://build.opensuse.org/request/show/298810
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=72
- update to 3.0.6
- fixes a segmentation fault in PEAP module (bnc#912588)
Feature improvements:
* radmin / raddebug conditional errors are printed to the output, instead of being discarded.
* raddebug will exit if condition set with -c was invalid.
* radmin auto-reconnects if the connection to the server has gone away.
* rlm_cache now has submodule support. See raddb/mods-available/cache
* New memcached driver for rlm_cache. See raddb/mods-available/cache
* Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
* Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
* Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
* When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
* Support JIT compilation of compiled regular expressions when built with libpcre.
* Support named capture groups with "%{regex:<name>}" when built with libpcre.
* Increase regular expression capture groups from 8 to 32.
* Emit error markers for badly formed regular expressions.
* Allow 'm' flag to enable multiline mode in regular expressions.
* Support limited implicit attribute conversion in update sections.
* Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
OBS-URL: https://build.opensuse.org/request/show/280999
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=68
- update to 3.0.5
Some of the new features:
* Allow LDAP to specify arbitrary attributes for dynamic
clients.
* Allow one level of backslashes (finally). See radiusd.conf,
"correct_escapes" setting.
* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
in EAP methods.
* Allow multiple new connections to be spawned simultaneously
in the connection pool, to cope with spikes in traffic.
* Use kqueue on systems which support it. This allows for
better scaling when using many sockets.
* Home server "response_window" can now take fractions of a
second. See proxy.conf.
* radmin now supports "show module status", as the counterpart
to "set module status"
* "ipaddr" will now use v6 if no v4 address is present. You should
use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
* "client" sections will allow "ipaddr = 192.192.0/24". The old
"netmask" is still accepted, but the new format is preferred.
* Allow custom HTTP headers to be set for rlm_rest requests using
control:REST-HTTP-Header (attributes consumed after use).
* Extend format of %{rest:} expansion to allow HTTP method and POST
data to be specified
and urlquoting.
* Add support for aliases in rlm_ldap.
* Add support for connection pool sharing to all modules that use
the connection pool (pool = <instance>).
* "tls" sections now have a "psk_query" configuration item, for dynamic
queries to discover a key from a PSK identity.
OBS-URL: https://build.opensuse.org/request/show/264534
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=65