Dirk Mueller
f91e3ccd6e
Feature Improvements * TOTP now supports TOTP-Time-Offset for tokens with times that are out of sync. See mods-available/totp. * radclient now supports forcing the Request Authenticator and ID for Access-Request packets. * Update dictionary.3gpp. * Update advice on shared secrets, including suggesting a secure method for generating useful secrets. Bug Fixes * Allow proxying by pool / home server name to work with auth+acct servers. * Fix OpenSSL API usage which sometimes caused crash in MS-CHAP Previously it would either always crash immediately, or never crash. * Fix packet statistics. Stop double counting some packets, and track packet statistics even if a socket is closed. * Reverted patch in TTLS which broke compatibility with some systems. * Don't crash in debug mode when multiple intermediate certs are used Patch from Alexander Chernikov. OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=174
3208 lines
140 KiB
Plaintext
3208 lines
140 KiB
Plaintext
-------------------------------------------------------------------
|
|
Tue Aug 13 07:43:45 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
|
|
|
|
- update to 3.2.5
|
|
Feature Improvements
|
|
* TOTP now supports TOTP-Time-Offset for tokens with times that are out of sync.
|
|
See mods-available/totp.
|
|
* radclient now supports forcing the Request Authenticator and ID for Access-Request
|
|
packets.
|
|
* Update dictionary.3gpp.
|
|
* Update advice on shared secrets, including suggesting a secure method for generating
|
|
useful secrets.
|
|
|
|
Bug Fixes
|
|
* Allow proxying by pool / home server name to work with auth+acct servers.
|
|
* Fix OpenSSL API usage which sometimes caused crash in MS-CHAP
|
|
Previously it would either always crash immediately, or never crash.
|
|
* Fix packet statistics. Stop double counting some packets, and track packet
|
|
statistics even if a socket is closed.
|
|
* Reverted patch in TTLS which broke compatibility with some systems.
|
|
* Don't crash in debug mode when multiple intermediate certs are used Patch
|
|
from Alexander Chernikov.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 31 14:28:03 UTC 2024 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- update to 3.2.4
|
|
Configuration changes
|
|
* Better handle backslashes in strings in the configuration files.
|
|
If the configuration items contain backslashes, then behavior may change.
|
|
However, the previous behavior didn't work as expected,
|
|
and therefore is not likely to be used.
|
|
* reject_delay no longer applies to proxied packets. All servers
|
|
should now set reject_delay = 1 for security and scalability.
|
|
* %{randstr:...} now returns the requested amount of data,
|
|
instead of one too many bytes.
|
|
|
|
Feature Improvements
|
|
* Preliminary support for TEAP.
|
|
* Update EAP module pre_proxy checks to make them less restrictive
|
|
This prevents the "middle box" effect from affecting future traffic.
|
|
* Many fixes and updates for Docker images.
|
|
* Add dpsk module. See mods-available/dpsk.
|
|
* Print out what cause the TLS operations to be made, such as the EAP
|
|
method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket.
|
|
* Add auto_escape to sample SQL module config.
|
|
* Add 'if not exists' to mysql create table queries.
|
|
* Update dictionary.aruba; add dictionary.tplink, dictionary.alphion.
|
|
* Allow for 'encrypt=1' attributes to be longer than 128 characters.
|
|
* Added "radsecret" program which generates strong secrets.
|
|
See the top of the "clients.conf" file for more information.
|
|
* radclient now prints packets as hex when using -xxx.
|
|
* Added "-t timeout" to radsniff. It will stop processing packets
|
|
after <timeout> seconds.
|
|
* Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF.
|
|
* The detail module now has a "dates_as_integer" configuration item
|
|
See mods-available/detail for more information.
|
|
* Add lookback/lookforward steps and more configuration to totp.
|
|
See mods-available/totp.
|
|
* Add "time_since" xlat to calculate elapsed time in seconds,
|
|
milliseconds and microseconds.
|
|
* Support "Post-Auth-Type Challenge" in the inner tunnel.
|
|
* Add "proxy_dedup_window". See radiusd.conf.
|
|
* Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf.
|
|
* Add "dedup_key" for misbehaving supplicants. See mods-available/eap.
|
|
|
|
Bug Fixes
|
|
* Fix corner case with empty defaults in rlm_files.
|
|
* When we have multiple attributes of the same name, always use
|
|
the canonical attribute.
|
|
* Make FreeRADIUS-Server-EMA* attributes work again for home
|
|
server exponential moving average statistics.
|
|
* Don't send the global server stats when asked for client stats.
|
|
They use the same attributes, so the result is confusing.
|
|
* Fix multiple typos in MongoDB query.conf (#5130).
|
|
* Add define for illumos. Fixes #5135.
|
|
* Add client configuration for TLS PSK.
|
|
* Permit originate CoA after proxying to an internal virtual server.
|
|
* Use virtual server "default" when passed "-i" and "-p" on the command line.
|
|
* Fix locking issues with rlm_python3.
|
|
* The detail file reader will catch bad times in the file, and
|
|
will not update Acct-Delay-Time with extreme values.
|
|
* Fix issue where Message-Authenticator was calculated incorrectly
|
|
for CoA / Disconnect ACK and NAK packets.
|
|
* Update Python thread and error handling. Fixes #5208.
|
|
* Fix handling of Session-State when proxying. Fixes #5288.
|
|
* Run relevant post-proxy Fail-* section on CoA / Disconnect timeout.
|
|
* Add "limit" section to AWS health check configurtion. Fixes 35300.
|
|
* Use MAX in sqlite queries instead of GREATEST.
|
|
* Fix typo in Mongo queries. Fixes #5301.
|
|
* Fix occasional crash with bad home servers. Fixes #5308.
|
|
* Minor bug fixes to the SQL freetds modules.
|
|
* Fix blocking issue with RADIUS/TLS connection checks.
|
|
* Fix run-time crash on configuration typos of %{substr ...}
|
|
instead of %{substr:...} Fixes #5321.
|
|
* Fix crash with TLS Status-Server requests. Fixes #5326.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Feb 17 18:11:19 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
|
|
|
|
- fix directory permissions for
|
|
/etc/raddb/mods-config/sql/moonshot-targeted-ids/*sql*
|
|
(boo#1220025, accidentally discovered via boo#1220024)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 6 08:21:21 UTC 2024 - Marcus Meissner <meissner@suse.com>
|
|
|
|
- provides for user(radiusd), group(radiusd) and group (winbind) bsc#1219600
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 31 13:09:06 UTC 2023 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- update to version 3.2.3 (jsc#PED-6567)
|
|
Feature Improvements
|
|
* Add "max_retries" for connection pools. Fixes #4908.
|
|
* Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
|
|
dictionary.wispr; add dictionary.eleven.
|
|
* You can now list "eap" in the "pre-proxy" section. If the packet contains a
|
|
malformed EAP message, then the request will be rejected The home server
|
|
will either reject (or discard) this packet anyways, so this change can
|
|
only help with large proxy scenarios.
|
|
* Show warnings if libldap is not using OpenSSL.
|
|
* Support RADIUS/1.1. See
|
|
https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by
|
|
default, can be enabled by passing `--with-radiusv11` to the configure
|
|
script. For now, this is for testing interoperability.
|
|
* Add extra sanity checks for malformed EAP attributes.
|
|
* More TLS debugging output.
|
|
* Clear old module instance data before HUP reload. Avoids burst memory use
|
|
when e.g. using large data files with rlm_files.
|
|
* `rlm_cache_redis` is now included in the freeradius-redis packages.
|
|
|
|
Bug Fixes
|
|
* Don't leak MD contexts with OpenSSL 3.0.
|
|
* Increase internal buffer size for TLS connections, which can help with
|
|
high-load proxies.
|
|
* Send Status-Server checks for TLS connections.
|
|
* Give descriptive error if "update CoA" is used with "fake" packets, as it
|
|
won't work. i.e. inner-tunnel and virtual home servers.
|
|
* Many small ASAN / LSAN fixes from Jorge Pereira.
|
|
* Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a
|
|
TLS error, it will now close the socket, so proxies do not have an open
|
|
(but dead) TLS connection.
|
|
* Fix mutex locking issues on inbound RADIUS/TLS connections This change
|
|
avoids random issues with "bad record mac".
|
|
* Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950.
|
|
* Correctly report the LDAP group a user was found in. Fixes #3084.
|
|
* Force correct packet type when running Post-Auth-Type. Helps with #4980.
|
|
* Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996.
|
|
* Fix TCP socket statistics. Closes #4990.
|
|
* Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps with #5010.
|
|
|
|
|
|
Changes in version 3.2.2:
|
|
|
|
Feature Improvements
|
|
|
|
* The "configure" process now gives a much clearer report when it's finished
|
|
* Fallback to "uname -n" on missing "hostname". Fixes #4771.
|
|
* Export thread details in radmin "stats threads". Fixes #4770.
|
|
* Improve queries for processing radacct into periodic usage data
|
|
* Update dictionary.juniper.
|
|
* Add dictionary.calix.
|
|
* Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets".
|
|
* Update documentation for robust-proxy-accounting, and be more aggressive about sending packets.
|
|
* Add per-module README.md files in the source.
|
|
* Add default Visual Studio configuration for developers.
|
|
* Postgres can now automatically use alternate queries for errors other than duplicate keys.
|
|
* %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This
|
|
helps the server track the identity of the client which is connecting.
|
|
* Include thread stats in Status-Server attributes. Fixes #4870.
|
|
* Mark rlm_unbound stable and add to packages.
|
|
* Remove broken/unsupported Dockerfiles for centos8 and debian9.
|
|
|
|
Bug Fixes
|
|
|
|
* Preliminary support for non-blocking TLS sockets. Helps with #3501.
|
|
* Fix support for partial certificate chains after adding reload support. Fixes #4753.
|
|
* Fix handling of debug_condition.
|
|
* Clean up home server states, and re-sync with the dictionaries.
|
|
* Correct certificate order when creating TLS-* attributes Fixes #4785.
|
|
* Update use of isalpha() etc. so broken configurations have less impact on the server.
|
|
* Outgoing TLS sockets now set SNI correctly from the "hostname" configuration item.
|
|
* Support Apple Homebrew on the M1. Fixes #4754.
|
|
* Better error messages when %{listen:TLS-...} is used.
|
|
* Getting statistics via Status-Server can now be done within a virtual server. Fixes #4868.
|
|
* Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878.
|
|
* Fix md5 xlat memory leak when using OpenSSL 3.0
|
|
|
|
- freeradius-server-rlm_sql_unixodbc-configure.patch: refreshed
|
|
- spec file cleanup: remove duplicate BR: from subpackages
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 6 16:57:33 UTC 2023 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- update to version 3.2.1:
|
|
Feature Improvements
|
|
* Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries
|
|
* Add simultaneous-use queries for MS SQL
|
|
* Add radmin command for "stats pool <module-name>"
|
|
which prints out statistics about the connection pools.
|
|
* Client statistics now shows "conflicts",
|
|
to count conflicting packets.
|
|
* New optional "lightweight accounting-on/off" strategy.
|
|
When refreshing queries.conf you should also add the new
|
|
nasreload table and corresponding GRANTs to your DB schema.
|
|
* Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps
|
|
with Eduroam.
|
|
* Allow auth+acct for TCP sockets, too.
|
|
* Add rlm_cache_redis. See raddb/mods-available/cache for details.
|
|
* Allow radmin to look up home servers by name, too.
|
|
* Ensure that dynamic clients don't create loops on duplicates
|
|
* Removed rlm_sqlhpwippool. There was no documentation, no configuration,
|
|
and the module was ~15 years old with no one using it.
|
|
* Marked rlm_python3 as stable.
|
|
* Add sigalgs_list. See raddb/mods-available/eap
|
|
* For rlm_linelog, when opening files in /dev, look at "permissions"
|
|
to see whether to open them r/w.
|
|
* More flexibility for dynamic home servers. See
|
|
doc/configuration/dynamic_home_servers.md and
|
|
raddb/home_servers/README.md.
|
|
* Allow setting of application_name for PostgreSQL.
|
|
See mods-available/sql.
|
|
|
|
Bug Fixes
|
|
* Correct test for open sessions in radacct for MS SQL.
|
|
* The linelog module now opens /dev/stdout in "write-only" mode
|
|
if the permissions are set to "u+w" (0002).
|
|
* Various fixes to rlm_unbound from Nick Porter.
|
|
* PEAP now correctly runs Post-Auth-Type Accept.
|
|
* Create "TLS-Cert-*" for outbound Radsec, instead of
|
|
TLS-Client-Cert-* Fixes #4698. See sites-available/tls,
|
|
and fix_cert_order.
|
|
* Minor updates and fixes to CI, Dockerfiles and packaging.
|
|
* Fix rlm_python3 build with python >= 3.10. Fixes #4441.
|
|
|
|
Changes in version 3.2.0:
|
|
Feature Improvements
|
|
All features from 3.0.x are included in the 3.2.x releases.
|
|
In addition:
|
|
* Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to
|
|
specify which day of the month the counter should be reset.
|
|
* Partial backport of rlm_json from v4, providing the json_encode
|
|
xlat See mods-available/json for documentation.
|
|
* Support for haproxy "PROXY" protocol See sites-available/tls,
|
|
"proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
|
|
* Support for sending CoA-Request and Disconnect-Request packets
|
|
in "reverse" down RadSec tunnels. Experimental for now,
|
|
and undocumented.
|
|
* It is now possible to run a virtual server when saving / loading
|
|
TLS cache attributes. See sites-available/tls-cache for more
|
|
information.
|
|
* Removed the "cram" module. It was undocumented,
|
|
and used old and insecure authentication methods.
|
|
* Remove the "otp" module. The "otpd" program it needs is
|
|
no longer available, and the module has not been usable since
|
|
at least 2015.
|
|
* All features from 3.0.x are included in the 3.2.x releases.
|
|
* 3.2.0 requires OpenSSL 1.0.2 or greater.
|
|
|
|
Bug Fixes
|
|
* All bug fixes from 3.0.x are included in the 3.2.x releases, including
|
|
* fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859)
|
|
* fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860)
|
|
* fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861)
|
|
|
|
- freeradius-server-enable-python3.patch: refreshed
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 13 11:06:06 UTC 2023 - Stefan Schubert <schubi@suse.com>
|
|
|
|
- Migration of PAM settings to /usr/lib/pam.d.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 29 08:57:18 UTC 2022 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- use chown with colon instead dot in radiusd.service
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 21 00:49:49 UTC 2022 - William Brown <william.brown@suse.com>
|
|
|
|
- Resolve issue with linking python3 with rlm-python
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 2 11:59:44 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
- Remove libwbclient-devel BuildRequires in favor of
|
|
pkgconfig(wbclient); (jsc#SLE-20577);
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 7 21:34:06 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- update to 3.0.25:
|
|
* `correct_escapes` has been added back into the default configuration.
|
|
* A segfault when trying to proxy to zombie home servers has been fixed.
|
|
* A number of other small bugs and compiler warnings were fixed.
|
|
* Added support for building with PostgreSQL 14.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 7 15:02:11 UTC 2021 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- Update to version 3.0.24 (jsc#SLE-21237)
|
|
Feature Improvements
|
|
* Add sanitizer options to configure script.
|
|
* Log information needed by Wireshark to decode TLS sessions.
|
|
* Allow more liberal SQL commands in rlm_sql_map.
|
|
* Update dictionary.apc, dictionary.h3c.
|
|
* Add new Acct-Status-Type Subsystem-On and Subsystem-Off See
|
|
dictionary.iana and
|
|
https://freeradius.org/rfc/acct_status_type_subsystem.html.
|
|
* Add reject_unknown_intermediate_ca. See mods-available/eap.
|
|
* Add dynamic loading of certificates via TLS-Session-Cert-File
|
|
See raddb/certs/realms/README.md.
|
|
* Add Server Name Indication (SNI) for outbound RadSec connections
|
|
See raddb/sites-available/tls, and the home server tls
|
|
configuration.
|
|
* Support SNI for inbound RadSec connections. Certificates will be
|
|
loaded from "realm_dir" in the "tls" section. SNI will be cached
|
|
in the TLS-Server-Name-Indication attribute.
|
|
* Preliminary support for haproxy "PROXY" protocol See sites-available/tls,
|
|
"proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
|
|
* Generate parse errors in more circumstances when we know that
|
|
the configuration is wrong.
|
|
* Add "weeklycounter" to sample sqlcounter configuration.
|
|
* Add certificate attributes to the request list, even if
|
|
the certificates have expired.
|
|
* The Simultaneous-Use code is now IPv6 aware, and can deal
|
|
with NAS-IPv6-Address.
|
|
* Add dictionary.cambium.
|
|
* No longer logs passwords in logfiles (bsc#1184016)
|
|
|
|
Bug Fixes
|
|
* Fix crash in trustrouter module (#4115)
|
|
* Fix crash in state handling.
|
|
* Don't alter global options in redhat logrotate scripts.
|
|
* EAP-FAST will print errors and continue, rather than exiting
|
|
when OpenSSL fails various internal sanity checks.
|
|
* Allow admin to manually change core limits, even when core
|
|
limits are disabled.
|
|
* Fix chunked rlm_rest HTTP body. Closes #4131
|
|
* Many fixes around the SQL ippool queries.conf and schema
|
|
* Fix MySQL stored procedures. PR #4170
|
|
* Rework connection pool management for corner cases Fixes #4161, #4162, #4163.
|
|
* Final fix for double free in #3188.
|
|
* Fix sqlcounter wrong memory free. PR #4192
|
|
* Accept slow writes from proxies over TCP, which allows the server
|
|
to make more progress when it receives partial packets.
|
|
* Add 'weeklycounter' for rlm_sqlcounter.
|
|
* Outbound proxying over TCP / TLS is better able to deal with
|
|
partial TCP reads, and has fewer issues with slow networks.
|
|
* Fix wrong data-type of Acct-Delay-Time in rlm_unix.
|
|
* Fix EAP-FAST PAC lifetime calculation.
|
|
* Print correct encoded packet length when debugging.
|
|
|
|
- remove python2 build
|
|
- drop references to SLE11
|
|
- freeradius-server-radiusd-logrotate.patch: upstreamed
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jun 27 15:43:02 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
|
|
|
|
- Add ldap-schemas subpackage for OpenLDAP radius schemas
|
|
- Add freeradius-server-fix-perl-shbang.patch to fix RPMlint warnings
|
|
- Fix RPMlint warnings about macros and permissions
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 26 21:12:24 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
|
|
|
|
- Update to version 3.0.23
|
|
* Feature improvements
|
|
* Add "set home_server state ... down" in order to mark the home
|
|
server as administratively down. Use "alive" to bring it back
|
|
to life.
|
|
* Add Post-Auth-Type "Client-Lost" which should make it easier
|
|
to log when clients stop responding.
|
|
* Cache TLS messages in &session-state, for more debugging.
|
|
* Notes in eap configuration about TLS 1.0 / TLS 1.1, and setting
|
|
cipher_list = "DEFAULT@SECLEVEL=1"
|
|
* Added MANY warning messages about using TLS 1.3 with EAP.
|
|
* Bug fixes
|
|
* Fix crash in some cases when home server is down, in debug mode.
|
|
* Fix (again) "read clients from SQL" functionality.
|
|
* Fix sql_map to return values in more situations.
|
|
* Silently ignore LEAP configuration instead of erroring out.
|
|
- Update to version 3.0.22
|
|
* Feature improvements
|
|
* Limited support for dynamic home servers.
|
|
* Add support for prepend operator ^=.
|
|
* Added rlm_totp, for use with the Google Authenticator app.
|
|
* The default minimum TLS version is now TLS 1.2, as per RFC 8996.
|
|
Older versions can be allowed by setting tls_min_version, and
|
|
updating "cipher_list".
|
|
* Significantly improve the readability and contents of TLS
|
|
debug messages.
|
|
* Allow CoA and Disconnect messages over TLS sockets.
|
|
* Automatically set fragment size / MTU, so that PEAP/EAP-TLS
|
|
works, and no longer requires manual changes to the configuration.
|
|
* Allow "configurable_client_cert=yes" for EAP-TLS.
|
|
* Add TLS 1.2 support for EAP-Fast.
|
|
* Add ca_path_reload_interval option for tls.
|
|
* Add "tls_min_version" to ldap module configuration.
|
|
* Support running policies when receiving a RadSec connection.
|
|
* Update TLS "ecdh_curve" code to allow for multiple curves.
|
|
* Allow delta CRLs.
|
|
* add rlm_sql_map, which can handle multiple columns from an SQL
|
|
query. See raddb/mods-available/sql_map.
|
|
* New xlat for setting status of rlm_always instances and new
|
|
resource-check example virtual server for manipulating control flow
|
|
in unlang policies based on status of some external resource.
|
|
Patches from Terry Burton.
|
|
* Update radmin to show more information about the home servers
|
|
using "show home_server list all".
|
|
* The default configuration now replies with EAP-Key-Name, if it
|
|
is available, and was requested.
|
|
* Include extensions in generated certificates.
|
|
* Ignore user-provided dhparams in FIPS mode.
|
|
* Remove native support for Cisco LEAP. It is insecure, and
|
|
should not be used. Proxying LEAP is still supported.
|
|
* Allow use of password preparation methods with rlm_eap_pwd.
|
|
* More RFC compliance for various corner cases of DHCP,
|
|
* Use DHCP-specific schemas.
|
|
* Add stored procedures for DHCP lease allocation
|
|
* Add support for DHCP-Decline.
|
|
* Added mods-available/dhcp_sql which is a DHCP-specific instance
|
|
of the SQL module.
|
|
* Treat DHCP Discover and Request differently for lease allocation times.
|
|
* Add support for PBKDF2 keys.
|
|
* Update default PostgreSQL schema to use "text" instead of
|
|
a fixed-size "varchar".
|
|
* Add radmin command "show client list verbose", which gives a lot
|
|
more information about each client.
|
|
* Add support for EAPS-AKA authentication to rlm_wimax.
|
|
* Add rlm_rest support for HTTP/2.
|
|
* Add REST-HTTP-Status-Code attribute holding HTTP status code.
|
|
* Add option to set http_negotiation in rlm_rest. Fixes #2821.
|
|
* Encode / decode NAS-Filter-Rule according to RFC 4849.
|
|
* Allow attributes using old names in configuration files, SQL,
|
|
or modules to match attributes in the packet which use
|
|
new names.
|
|
* Allow querying IPv6 stats via FreeRADIUS-Stats-Client-IPv6-Address
|
|
and FreeRADIUS-Stats-Server-IPv6-Address
|
|
* Add warnings if there is no "real" User-Name to identify users.
|
|
* Add sample configuration to update Stripped-User-Name and/or
|
|
Class for user sessions. See sites-available/default
|
|
* Add configuration to suppress printing values for User-Name, etc.
|
|
* Support dictionary.telrad, which is also in WiMAX format.
|
|
* PEAP 'proxy_tunneled_request_as_eap' is now configurable
|
|
at runtime with Proxy-Tunneled-Request-As-EAP.
|
|
* Debug output now lists client/server proposed TLS ciphers.
|
|
* Add support for TLS1.3
|
|
* Bug fixes
|
|
* Fix long-term double free due to PCRE calling our "free"
|
|
function twice.
|
|
* Respect the "log_reject" configuration item in more places.
|
|
* Run Post-Proxy-Type Fail... when all home servers are down.
|
|
* Note that rlm_replicate can only use UDP, and not TCP or TLS.
|
|
* DHCP pool lookup is now keyed by Client Identifier (Option 61)
|
|
when supplied by client, otherwise the hardware address is used.
|
|
Compliant with RFC 2132. This change will not affect existing
|
|
systems on upgrade, but new installations will use the new behavior.
|
|
* Don't print invalid tags in rlm_cache, among other places.
|
|
* Do home_server failover immediately when an initial TCP / Radsec
|
|
connection fails.
|
|
* Clear error on SQLITE_BUSY to prevent memory leak in corner cases.
|
|
* Properly add SQL clients to virtual servers.
|
|
* Use better API when decoding DHCP packets, to avoid unnecessary work.
|
|
* Parse locale-dependent dates.
|
|
* Fix radiusd.conf ENV LD_PRELOAD function.
|
|
* Make the "date" module handle UTC more consistently.
|
|
* Check for, and complain about, inconsistent use of tls_min_version
|
|
versus disable_tlsv1
|
|
* Fix "read client from SQL" code so that it properly ties clients
|
|
to a virtual server. Also document the behavior.
|
|
* Fix leak with unknown attributes in detail reader.
|
|
* Fix parenting issues in rlm_yubikey.
|
|
- Drop __DATE__ __TIME__ fixes, implicitly done with source_date_epoch
|
|
variable supported by gcc >= 7
|
|
-------------------------------------------------------------------
|
|
Mon Jan 4 12:51:06 UTC 2021 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- freeradius-server-radiusd-logrotate.patch: move logrotate
|
|
options into specific parts for each log as "global" options
|
|
will persist past and clobber global options in the
|
|
main logrotate config (bsc#1180525)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 1 16:52:22 UTC 2020 - pgajdos@suse.com
|
|
|
|
- remove redundant definitions of apache rpm macros
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 26 11:32:15 UTC 2020 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- freeradius-server-radiusd-logrotate.patch: fix permissions in
|
|
logrotate global section (bsc#1170505, bsc#1174905)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 24 15:31:22 UTC 2020 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- update to 3.0.21 (jsc#SLE-11896)
|
|
|
|
Feature Improvements
|
|
|
|
* New stored procedure for allocating IPs with PostgreSQL
|
|
Rates of 1500 IPs per second are now possible
|
|
See raddb/mods-config/sql/ippool/postgresql/procedure.sql
|
|
* Add SQL IP pool support for Microsoft SQL Server
|
|
See raddb/mods-config/sql/ippool/mssql/
|
|
* Added RCNTEC dictionary. Closes #3168.
|
|
* Added Pica8 dictionary. Closes #3179.
|
|
* Add TLS-Client-Cert-Valid-Since attribute holding not
|
|
Before date Patch from Boris Lytochkin. Fixes #3157.
|
|
* Generate attributes containing unknown OIDs See raddb/sites-available/tls
|
|
* Update the WiMAX dictionary.
|
|
* Added ability to rlm_python(Python2) show a stacktrace
|
|
from errors. #2979.
|
|
* Add WiFi Alliance Policy OIDs.
|
|
See raddb/certs/xpextensions
|
|
* radmin now shows coa stats, too.
|
|
* Sample schema extensions for summarizing data in SQL
|
|
See mods-config/sql/main/*/process-radacct.sql
|
|
* Update dictionary.aerohive, dictionary.fortinet,
|
|
dictionary.arista and dictionary.erx.
|
|
* Added VAS Experts dictionary.
|
|
* Many updates to RPM and jenkins builds from Matthew Newton.
|
|
* Added %C (time now in seconds) and %c (microsecond component of now)
|
|
back-ported from the "master" branch.
|
|
* Add reload capability to systemd unit file in Debian and RedHat.
|
|
* Increase timestamp precision in postauth to maximum supported by each
|
|
database and simplify (and make more consistent between drivers)
|
|
the timestamps in SQL queries by using expansions.
|
|
* Option to set dictionary path in raduat script.
|
|
|
|
Bug Fixes
|
|
|
|
* Various fixes found by PVS-Studio.
|
|
* Set permissions of certificates in bootstrap shell script Fixes #3132.
|
|
* Increase the 'nasportid' SQL field for 'varchar(32)'. #3141.
|
|
* Skip processing proxy reply if there are no home servers available.
|
|
* Update SQLite IPPool queries. Fixes #3177
|
|
* rlm_sql_unixodbc fixes. Fixes #2822.
|
|
* Fixes when building with LibreSSL.
|
|
* Fix the rlm_python3 build. Note that this module is experimental. #3183.
|
|
* The rlm_python should append the 'python_path' paths in 'sys.path'.
|
|
It fixes the expected behavior to use the existing Python modules
|
|
Fixes #3180.
|
|
* Fix rlm_python to print the script errors properly.
|
|
* Bound total query time for PostgreSQL. Fixes #3253.
|
|
* Many fixes to Oracle sqlippool. It now does 500 IPs per second
|
|
without any tuning. Fixes #3270.
|
|
* Reference sqlippool by it's correct name. Fixes #3272.
|
|
* Revert 3.0.20 patch which caused crashes on duplicate clients.
|
|
* Update WiMAX-MSK attribute. Fixes #3280.
|
|
* Fix crash when trying to access non-existant regex capture group.
|
|
* Use timestamps (request or server) rather than SQL NOW()
|
|
in accounting queries so that these are stable when replayed
|
|
from a file buffer.
|
|
|
|
- freeradius-python3_patches.patch: upstreamed
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 17 13:42:37 UTC 2020 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- update to 3.0.20 (bsc#1146848)
|
|
|
|
Feature Improvements
|
|
* Added Force10 dictionary.
|
|
* Update dictionary.hp with new attributes. #2690.
|
|
* Update dictionary.aruba with new attributes. #2696.
|
|
* Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
|
|
* Relax OpenSSL version checks, now that their API is both public, and stable.
|
|
* Note that tls_min_version/tls_max_version also support "1.3"
|
|
Since there is no standard yet for EAP with TLS 1.3, it will not work.
|
|
* Added tripplite dictionary from #2760.
|
|
* Switch to the async interface for rlm_sql_postgresql so that
|
|
we can enforce query_timeout.
|
|
* Added new LDAP option 'allow_dangling_group_ref'.
|
|
* Updated documentation and functionality for EAP session caching
|
|
See "cache" section of mods-available/eap.
|
|
* Tighten systemd unit file security. Fixes #2637.
|
|
* Disable TLS 1.0 and TLS 1.1 support in the default configuration
|
|
We STRONGLY recommend doing this for all installations.
|
|
* Add expansions for *outgoing* Radsec connections
|
|
"%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
|
|
TLS-Cert-* attributes. Fixes #2839.
|
|
* Add %{listen:tls} which returns "yes" or "no" for
|
|
TLS or non-TLS connections.
|
|
* Update dictionary.lancom with new attributes. #2847.
|
|
* Added rlm_sql_mongo. See raddb/mods-available/sql.
|
|
Note that this module is experimental.
|
|
* Added more documentation in sites-available/robust-proxy-accounting.
|
|
* sqlippool now re-allocates unexpired leases, to prevent IP pool
|
|
exhaustion when clients perform multiple reauthentication attempts
|
|
* Add support to radmin keep the history in ~/.radmin_history.
|
|
* Add support for ENV and LD_PRELOAD in radiusd.conf.
|
|
See the new ENV sub-section of radiusd.conf.
|
|
* Update dictionary.aptilo. #3002.
|
|
* Update dictionary.airespace. #3039.
|
|
* Add sites-available/coa-relay, which makes CoA easier #3045.
|
|
* Add example stored procedure for IP Pools in MySQL
|
|
See mods-config/sql/ippool/mysql/procedure.sql
|
|
* Update dictionary.dhcp dictionary with the recent hardware types.
|
|
* Add experimental rlm_python3. This should largely work
|
|
the same as rlm_python, which was Python2 only.
|
|
* Add Dockerfiles for Debian10 and CentOS8.
|
|
* Add RPM spec file compatibility for RHEL/CentOS 8.
|
|
* Notes on certificate constraints. See raddb/certs/server.cnf.
|
|
* Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
|
|
|
|
Bug Fixes
|
|
|
|
* Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
|
|
* ERX-Acct-Request-Reason is "integer". Closes #2635.
|
|
* Fix a slow memory leak in the file management code.
|
|
* Try to fix file permissions if they get modified while
|
|
the server is running
|
|
* Fix slow memory leak with clients.
|
|
* Fix request and connection timeouts in rlm_rest.
|
|
* Fix systemd issues.
|
|
* Fixes from clang analyzer.
|
|
* Fix missing include for the dictionaries:
|
|
alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn,
|
|
audiocodes,avaya,bristol, columbia_university,freedhcp,garderos,
|
|
infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
|
|
* Fix internal sanity check when running with "-Xx".
|
|
* Allow "inner-tunnel" virtual servers to work better
|
|
with "accept" and "reject" policies.
|
|
* Fix dictionary.huawei data types for
|
|
Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
|
|
* Framed-Interface-ID in postgresql/queries.conf is string,
|
|
not inet Fixes #2817.
|
|
* Fix rlm_cache to complain on unknown attributes in the "update"
|
|
section of its configuration.
|
|
* Add configure checks for -latomic. This helps on armel,
|
|
mips and mipsel. Fixes #2828.
|
|
* Add support to Oracle 19 and 18. Via #2857.
|
|
* Add support for decoding tags in rlm_rest. Fixes #2848.
|
|
* Use correct passwords when updating CRLs in raddb/certs/.
|
|
* Properly separate "originate-coa" packets when accounting
|
|
packets are read from the detail file reader.
|
|
* Use the correct virtual server for pre/post-proxy.
|
|
* radsqlrelay fixes backported from "master" branch
|
|
* Fix DoS issues due to multithreaded BN_CTX access
|
|
(bsc#1166847, CVE-2019-17185)
|
|
|
|
- disable python2 for SLE15 and Factory
|
|
- freeradius-server-enable-python3.patch: enable Python3 module
|
|
- freeradius-python3_patches.patch: backport python3 fixes from upstream
|
|
- freeradius-server-opensslversion.patch: updated
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 11 13:18:37 UTC 2020 - Adam Majer <adam.majer@suse.de>
|
|
|
|
- Enable memcached driver on SLE15
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 23 15:06:54 UTC 2019 - Johannes Engel <jcnengel@gmail.com>
|
|
|
|
- Add missing BuildRequire on samba-core-devel required for windbind
|
|
support in rlm_mschap.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 10 17:01:55 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- update to 3.0.19 (jira#SLE-5890)
|
|
|
|
Feature improvements
|
|
* Update dictionary.cisco
|
|
* Update sqlippool to allow for stored procedures with
|
|
PostgreSQL. This increases performance substantially.
|
|
Patch from Nathan Ward. Fixes #2540.
|
|
* Re-added "show client config" command to radmin.
|
|
* Cleaned up mods-available/sql example so that it is
|
|
easier to understand.
|
|
* Added pfSense dictionary. Closes #2581
|
|
* Update dictionary.h3c Closes #2592
|
|
* Update elasticsearch/logstash config for v6.7.0.
|
|
* EAP-PWD security fixes from Mathy Vanhoef. See
|
|
http://freeradius.org/security/
|
|
(CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
|
|
|
|
Bug fixes
|
|
* Update dynamic_client module and server core so that
|
|
the functionality works. This has been broken since
|
|
at least v2.
|
|
* Fix crash in sqlippool due to escaping changes.
|
|
Patch from Nathan Ward. Fixes #2532, #2533.
|
|
* Fix systemd notify, watchdog and unit files.
|
|
Fixes #2541, #2499.
|
|
* Fix erroneous length check in EAP-FAST.
|
|
* Update documentation to remove old "ignore_null"
|
|
configuration. Fixes #2578.
|
|
* Fix default POD port. Should be 3799. Fixes #2591
|
|
* Correctly encode vendor-specific "encrypted" attributes.
|
|
Fixes #2600
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 27 11:37:53 UTC 2019 - adam.majer@suse.de
|
|
|
|
- reformat changelog mostly by wrapping lines
|
|
- add missing bug numbers for security fixes
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
|
|
|
- update to 3.0.18
|
|
|
|
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
|
|
* Do-Not-Respond policies can now be set in the "post-auth" section.
|
|
* Encode / Decode ADSL Forum DHCP options.
|
|
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
|
|
See the "instantiate" section of radiusd.conf.
|
|
* Add Big Switch dictionary. Fixes #2252.
|
|
* Add sql_session_start policy (raddb/policy.d/accounting)
|
|
This minimizes race conditions when using Simultaneous-Use (#2257).
|
|
* For rlm_perl, all variables are now tainted by default.
|
|
See raddb/mods-available/perl, and the "perl_flags" configuration item.
|
|
This change should only affect people who are using variables in
|
|
insecure ways.
|
|
* Allow "sqlcounter" module to be listed in "post-auth".
|
|
* Add support for IPv6 attributes in SQL. Fixes #2280
|
|
* The server is better at handling fail-over for outbound RadSec and
|
|
TCP connections. Fixes #2284.
|
|
* The server is now more aggressive about retrying failed outbound
|
|
RadSec and TCP connections. Fixes #2284.
|
|
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
|
|
* Add expansion for Radsec connections. "%{listen:TLS-...}" for
|
|
TLS-Client-Cert-* and TLS-Cert-* attributes.
|
|
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
|
|
* "ipaddr" attributes can now be cast to "integer" type attributes
|
|
in an "update" section.
|
|
* Move main thread queue to using atomic queues. This should help
|
|
with contention in high load scenarios.
|
|
* Add "recv_buff" setting to listeners. For more details,
|
|
see sites-available/default.
|
|
* The sqlippool module can now use attributes other than "Pool-Name"
|
|
to assign IP pools. The "Pool-Name" attribute is still the default.
|
|
* The "unpack" expansion can now unpack substrings.
|
|
See mods-available/unpack for documentation and examples.
|
|
* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
|
|
Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
|
|
* Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
|
|
* Add sanitizing of control list for moonshot. Fixes #2318.
|
|
* Update rlm_sql_mysql to be compatible with MySQL 8
|
|
Fixes https://bugs.launchpad.net/bugs/1795310.
|
|
* Allow logging of only Access-Accept or Access-Reject messages
|
|
See radiusd.conf, "auth_accept" and "auth_reject".
|
|
* Removed Connect-Rate comparison. It was unused and broken.
|
|
* Add dictionary.infinera.
|
|
* Use OpenSSL HMAC functions instead of local ones.
|
|
* Some SQL modules can now use "auto_escape" to escape unsafe strings
|
|
See mods-config/sql/main/mysql/queries.conf.
|
|
* Add wispr2date conversion in mods-available/date.
|
|
* Implement dictionary-based handling in rlm_python.
|
|
Fixes #2334 See mods-available/python for details.
|
|
* Add support for SKIP LOCKED in sqlippool. This can improve performance
|
|
by an order of magnitude or more.
|
|
See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
|
|
* Allow PSK and certificates at the same time Except for TLS 1.3
|
|
which does not support that.
|
|
* Update docker scripts. Fixes #2306 Patch from Matthew Newton.
|
|
* Add crypt xlat.
|
|
* MySQL connections can now skip verifying the server certificate.
|
|
Fixes #2481. See mods-available/sql.
|
|
* Add better mechanism to detect MariaDB (Old MySQL).
|
|
* Add RFC 7532 "bang path" support for realms Fixes #2492.
|
|
* Update dictionary.ukerna documentation. Fixes #2493.
|
|
* Add support for systemd service and watchdogs Fixes #2499.
|
|
* Check for openss/rand.h, and allow building without OpenSSL engine.
|
|
Patch from Eneas U de Queiroz Fixes #2517.
|
|
* The default PosgtreSQL queries now use "ON CONFLICT" to better
|
|
deal with issues. This requires PostgreSQL 9.5 or later.
|
|
Please use a recent version of PostgreSQL, or edit the default
|
|
queries to remove "ON CONFLICT".
|
|
|
|
BUG FIXES
|
|
* The session-state list is no longer cleaned in the inner-tunnel.
|
|
This lets the outer Access-Reject section access session-state.
|
|
* Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
|
|
* Add check for crash when home server down Fixes #2233.
|
|
* Add username key for postauth table.
|
|
* Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
|
|
* Allow building with old versions of OpenSSL Fixes #2247.
|
|
* Allow non-FreeRADIUS State attributes to be used with the
|
|
"session-state" list. i.e. State length != 16.
|
|
* Be more aggressive about cleaning up zombie children when running in debug mode.
|
|
* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
|
|
exporting LDAP API functions.
|
|
* unlock files when asked to unlock them.
|
|
* return error instead of asserting in map code.
|
|
* Don't write 0 bytes to SSL. Fixes #2270.
|
|
* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
|
|
* Various dictionary cleanups and consistency checks Fixes #2281.
|
|
* rlm_python has stronger thread locking to prevent reported issues.
|
|
Performance may be affected.
|
|
* Don't allow Message-Authenticator to overflow past the end of a large packet.
|
|
* Fix crash in sqlippool when SQL server goes away Fixes #2300.
|
|
* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
|
|
* Fix crash with CoA packets/ Fixes #2304.
|
|
* Fix crash in rlm_exec with CoA. Fixes #2328.
|
|
* Print errors while parsing the log config, and don't quit when
|
|
deprecated log settings are found.
|
|
* Fix DHCP encoder xlat so that it can be used with a list of attributes.
|
|
It previously only encoded the first member of the list,
|
|
and now encodes all members.
|
|
* The "expr" module now skips more whitespace.
|
|
* Remove internal FreeRADIUS-Response-Delay attributes from
|
|
attr_filter Access-Reject.
|
|
* Don't send junk to redis when maximum args reached.
|
|
* Small updates to IPv6 for accounting schema Fixes #2364.
|
|
* Fix OpenDirectory integration in rlm_mschap.
|
|
* Fix slow memory leak with dynamic clients.
|
|
* Don't artificially truncate debug output for long strings.
|
|
* Fix memory leak in EAP-PWD.
|
|
* Fix crash in "hints" file with Fall-Through = yes.
|
|
* Fix crash / timer issues with many CoA packets.
|
|
* Fix attr_filter so that it does not treat vendor attributes of
|
|
number 26 as Vendor-Specific.
|
|
* Fix reconnect correctly in rlm_sql_mysql.
|
|
* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
|
|
* Fix rare occurance of bad xlat expansion.
|
|
* Check for rare race condition when a proxy reply arrives too late.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jul 4 14:54:50 UTC 2018 - adam.majer@suse.de
|
|
|
|
- install license as %license instead of documentation
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 26 18:24:21 UTC 2018 - michael@stroeder.com
|
|
|
|
- also fix ownership of /var/log/radius in systemd unit
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 17 22:00:15 UTC 2018 - michael@stroeder.com
|
|
|
|
- update to 3.0.17
|
|
|
|
Feature Improvements
|
|
* Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
|
|
* "stats home server" now supports "src IPADDR", to specify home
|
|
server also by source IP. Fixes #2169.
|
|
* Add Dockerfiles for a selection of common systems.
|
|
* Increase number of permitted file descriptors, for systems with many
|
|
home servers.
|
|
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
|
|
Patch from Isaac Boukris. Fixes #2205.
|
|
* Update main READMEs. Patches from Matthew Newton.
|
|
* Added dictionary.mimosa.
|
|
|
|
Bug Fixes
|
|
* Don't call post-proxy twice when proxying to a virtual server.
|
|
Matthew Newton, #2161.
|
|
* Use "raw" string value for shared secrets and dynamic clients
|
|
It now parses strings with backslashes and "special characters"
|
|
correctly. Fixes #2168.
|
|
* Fix RuntimeDirectory for RedHat, from Alan Buxey.
|
|
* Relax checks in 'if' parser from Isaac Bourkis.
|
|
* Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
|
|
* Be more aggressive about cleaning up cached certificate attributes,
|
|
due to deficiencies in OpenSSL. Reported by Nicolas Reich.
|
|
* Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
|
|
* Fix double free in rlm_sql. Fixes #2180.
|
|
* rlm_detail now writes empty Access-Accept packets.
|
|
* rlm_python can now create tagged attributes.
|
|
* Don't crash on duplicate realm + authhost / accthost
|
|
* Allow partial certificate chain to trusted CA. Fixes #2162.
|
|
* Treat SSL_read() returning zero as error. Fixes #2164.
|
|
* detail writer now checks if the file was renamed or deleted.
|
|
* Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
|
|
* RedHat Systemd updates. Fixes #2184.
|
|
* Use correct API for State variable in rlm_securid.
|
|
* Remove broken radclient option "-i".
|
|
* Fix "users" file (and hints, etc). So that it does not get confused
|
|
about entry ordering with multiple $INCLUDEs.
|
|
* Fix rlm_sql to expand the un-escaped string, not the raw string.
|
|
* Link default and inner-tunnel only if they exist. Fixes #2206.
|
|
* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
|
|
* Always install signal handler for SIGINT (needed by Docker).
|
|
* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
|
|
which are not self-signed will now be checked.
|
|
* sqlippool now returns "fail" if it fails IP allocation.
|
|
* Fix rlm_yubikey to look for correct attribute in replay attack check.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 11 23:15:49 UTC 2018 - michael@stroeder.com
|
|
|
|
- update to 3.0.16
|
|
|
|
Feature improvements
|
|
* rlm_python now supports multiple lists. From #2031.
|
|
* Add trust router re-keying. From #2007.
|
|
* Add support for Samba / AD LDAP schema.
|
|
See doc/schemas/ldap/samba/README.txt and
|
|
doc/schemas/ldap/samba/
|
|
* Add "tls_min_version" and "tls_max_version" to EAP module
|
|
for Debian OpenSSL issues.
|
|
* Better documentation for client certificates in PEAP and TTLS:
|
|
it usually doesn't work. Fixes #2068.
|
|
* Distinguish login failure from AD unavailable. Fixes #2069.
|
|
* Update RH spec files. Fixes #2070.
|
|
* Run Post-Proxy-Type if all home servers are dead.
|
|
Fixes #2072.
|
|
* Print offending IP addresses when EAP sessions come from
|
|
two upstream home servers, and rate-limit the messages.
|
|
* Minor packaging updates.
|
|
* Better documentation for rlm_rest.
|
|
* EAP-FAST now has it's own "cipher_list", so that it is
|
|
easier to configure.
|
|
* EAP-FAST now forcibly disables TLS1.2, until such time
|
|
as we implement the new keying mechanism from TLS1.2.
|
|
* Add documentation for allow_expired_crl.
|
|
* Update Debian logrotation. #2093 and #2101.
|
|
* DHCP relay can now drop responses. #2095.
|
|
* rlm_sqlippool can now assign Delegated-IPv6-Prefix.
|
|
It also now can assign any IPv4 or IPv6 address.
|
|
Based on patches from maximumG. #2094.
|
|
See raddb/mods-available/sqlippool for changes.
|
|
* radeapclient can now use EAP-SIM-Ki to dynamically
|
|
create the necessary triplets.
|
|
* Explain why many LDAP connections are closed.
|
|
Fixes #1969.
|
|
* Debian build / package issues fixed by Matthew Newton.
|
|
* dictionary.patton updates from Brice Schaffner. Fixes #2137.
|
|
* Added scripts to build "inner-server.pem", and updated
|
|
mods-config/inner-eap and certs/README to match.
|
|
* Added provisions for using an external CA. See raddb/certs/
|
|
* Include dhcpclient binary in freeradius-dhcp debian packge.
|
|
|
|
Bug fixes
|
|
* Bind the lifetime of program name and python path to the module
|
|
FR-AD-002 (redone)
|
|
* Pass correct statement length into sqlite3_prepare[_v2]
|
|
FR-AD-003 (redone)
|
|
* Allow 100-Continue responses with additional headers in rlm_rest.
|
|
* fix corner case where detail files were not being locked
|
|
correctly.
|
|
* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group.
|
|
Fixes #1947
|
|
* Clean up exfile code. Which should help to avoid issues
|
|
with reading / writing 100's of detail files.
|
|
* Fix build for winbind. Patch from Alex Clouter.
|
|
* Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
|
|
* Fix home server stats lookup. Patch from Phil Mayers.
|
|
* Add libjson-c3 as an optional dependency.
|
|
* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking
|
|
against NSS, which breaks the server. Fixes #2040.
|
|
* rlm_python fixes. Fixes #2041
|
|
* Typos in "man" pages. Fixes #2045
|
|
* Expand "next" in %{%{...}:-%{...}}. Fixes #2048
|
|
* Don't add TLS attributes twice. Fixes #2050.
|
|
* Fix memory allocation in rlm_rest. Fixes #2051.
|
|
* Update trustrouter for new API. Fixes #2059.
|
|
* Fix SQLite issues on FreeBSD. Fixes #2060
|
|
* Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802)
|
|
* More graceful handling of "die" in rlm_perl. Fixes #2073.
|
|
* Fix occasional crash when using
|
|
cisco_accounting_username_bug = yes
|
|
* EAP-FAST fixes from Isaac Boukris.
|
|
#2078, #2076, and #2082, #2126.
|
|
* DHCP fixes, relay, #2092, add run-time check, #2028
|
|
* Decode multiple RADIUS packets at a time in highly loaded
|
|
RadSec connections. Patch from Jan Tomasek. #2106.
|
|
* TunnelPassword is not "single value" in LDAP schema.
|
|
Fixes #2061.
|
|
* sql log now opens the expanded filename, not the input one.
|
|
This was a regression introduced in 3.0.15.
|
|
* Remove unnecessary UNIQUE constrain in Oracle schemas.
|
|
* Fix SSL thread and locking issues when modules also use SSL.
|
|
Fixes #2125 and #2129.
|
|
* Re-add dhcpclient "raw packet" changes. Patches from
|
|
Nicolas Chaigne and Matthew Newton. Fixes #2155.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 19 11:18:53 UTC 2017 - adam.majer@suse.de
|
|
|
|
- Fix permissions of radiusd.service (bnc#1053654)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 25 11:32:56 UTC 2017 - varkoly@suse.com
|
|
|
|
- bsc#1055679 - freeradius-server does not provide winbind/AD auth
|
|
Added libwbclient-devel as buildrequires
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 17 13:46:41 UTC 2017 - michael@stroeder.com
|
|
|
|
- update to 3.0.15 with security fixes for
|
|
issues found via fuzzing by Guido Vranken (bsc#1049086)
|
|
https://freeradius.org/security/fuzzer-2017.html
|
|
* CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
|
|
* CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
|
|
* CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax()
|
|
* CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes
|
|
* CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp()
|
|
* CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions()
|
|
* CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly
|
|
* FR-AD-002 (v3) String lifetime issues in rlm_python
|
|
* FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 29 12:40:52 UTC 2017 - adam.majer@suse.de
|
|
|
|
- update to 3.0.14 (still FATE#322416)
|
|
|
|
Feature improvements
|
|
* Enforce TLS client certificate expiration on session resumption,
|
|
and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
|
|
* Updated dictionary.cisco.vpn3000, dictionary.patton
|
|
* Added dictionary.dellemc
|
|
* Lowered the log output for failed PEAP sessions.
|
|
* ALlow utc in rlm_date.
|
|
* The internal OpenSSL session cache has been disabled.
|
|
Please see mods-available/eap
|
|
* Update detail reader documentation.
|
|
* Make outgoing RadSec connections non-blocking.
|
|
* Add SQL backing to Moonshot-*-TargetedId generation.
|
|
|
|
Bug Fixes
|
|
* radtest uses Cleartext-Password for EAP, not User-Password.
|
|
* Update documentation for mods-enabled/ linking.
|
|
* Enhanced checks for moonshot salt.
|
|
* Allow session resumption for RadSec connections.
|
|
* Update "huntgroups" file to note that port ranges are not supported
|
|
* Fix OpenSSL permissions issues on default key files.
|
|
* Certificates are not required when PSK is used.
|
|
* Allow SubjectAltName as first extension in cert.
|
|
* Fixed talloc issue with TLS session resumption.
|
|
* "&Attr-26 := 0x01" now produces useful error messages.
|
|
* Handle connection error in rlm_ldap_cacheable_groupobj.
|
|
* Fix endian issues in DHCP.
|
|
* Multiple minor fixes for Coverity complaints.
|
|
* Handle unexpected regex.
|
|
* Fix minor issues in dictionaries.
|
|
* Fix typos and grammar. Patches from Alan Buxey.
|
|
* Fix erroneous VP creation in rlm_preproces.
|
|
* Fix MIB. Patch from Jeff Gehlbach.
|
|
* Trust router updates from Alejandro Perez.
|
|
* Allow build with LibreSSL.
|
|
* Use correct packet for channel bindings.
|
|
* Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
|
|
a test license. Please see the git commit history for more info.
|
|
* Fix incorrect length check in EAP-PWD. This may be exploitable.
|
|
* Stop rotating session database files (radutmp, radwtmp) since
|
|
these are not logfiles.
|
|
|
|
- freeradius-server-radiusd-logrotate.patch: updated
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Mar 6 23:07:21 UTC 2017 - michael@stroeder.com
|
|
|
|
- removed obsolete freeradius-server-fix-cert-bootstrap.patch
|
|
because recent /etc/raddb/certs/bootstrap simply works
|
|
- update to 3.0.13 (still FATE#322416)
|
|
|
|
Feature improvements
|
|
* Add dictionary.rfc7930. Note that we do not implement
|
|
the RFC.
|
|
* Added 'cipher_server_preference' to mods-available/eap
|
|
Patch from #1797.
|
|
* OpenSSL 1.1.0 compatibility fixes.
|
|
* rlm_perl: radiusd::xlat to evaluate xlat string
|
|
within perl script
|
|
* Allow authentication retry in winbind. Patch from
|
|
Herwin Weststrate. See raddb/mods-available/mschap.
|
|
* Added "recv-coa" method to rlm_rest. It behaves the
|
|
same as "authorize".
|
|
* Document Trust Router tr_port option. Patch from
|
|
Stefan Paetow.
|
|
* Update elasticsearch/logstash examples so that they work
|
|
with elastic stack v5. Patch from Matthew Newton.
|
|
* Print information about packets, replies, and contents
|
|
in the detail file reader.
|
|
* Update abfab-tr policy. Pull request #1893
|
|
from Stefan Paetow.
|
|
* Reject packets which contain User-Password and
|
|
EAP-Message.
|
|
* Add example for filtering Access-Challenge.
|
|
See sites-enabled/default.
|
|
* Pull symlink fixes from v4.0.x. Fixes #1859.
|
|
* Add systemd reload. Not everything is reloaded, but
|
|
some is. Fixes #1662.
|
|
* Better documentation for listen "ipaddr". Fixes #1921
|
|
* Add dictionary.cnergee, updated dictionary.nomadix.
|
|
* radclient no longer needs -x to print statistics with -s.
|
|
|
|
Bug fixes
|
|
* Minor typos. Fixes #1763
|
|
* Fix typo in RPM build. Closes #1767.
|
|
* rlm_mschap check for password expiry only
|
|
if password was correct. Fixes #1762.
|
|
* Update debian build.
|
|
* update rlm_counter "man" page. Fixes #1775.
|
|
* Remove erroneous assert. Fixes #1778.
|
|
* fix mschap password change test. Fixes #1792.
|
|
* Cleanup config file on data remove. Fixes #1795.
|
|
* passwd module returns "notfound" if not found.
|
|
* Check for old OpenSSL, and don't build rlm_eap_fast
|
|
if it necessary. Fixes #1803
|
|
* Cleanup memory better after ldap version query.
|
|
Patch from Aleksey Katargin.
|
|
* Rename lt_* functions to avoid linker issues with
|
|
libtool. Fixes #1277
|
|
* Many miscellaneous fixes and typos.
|
|
* Allow long strings in %{%{foo} bar:-%{baz} blah".
|
|
Fixes #1866
|
|
* Fix filtering operators, along with more documentation and
|
|
more tests for them.
|
|
* Fix OpenSSL fixes. Fixes #1876.
|
|
* Finish SQL select queries even when SELECT returns no rows.
|
|
Fixes #1879.
|
|
* Set Module-Failure-Message for more EAP errors.
|
|
* Correct typo in dictionary.rfc5580. Fixes #1882
|
|
* Remove obselete systemd syslog.target.
|
|
* Client-Port-Balance load-balancing now uses client port.
|
|
* Radrelay examples fixed from Alex Clouter.
|
|
* Update systemd target. Pull request #1896.
|
|
* Trim starting whitespace in xlat strings.
|
|
* Get MySQL result lengths using normal API.
|
|
* suid down after fchown(). Fixes #1914.
|
|
* Fix cases of comparing pointer to NUL character. Fixes #1915.
|
|
* OpenSSL v1.1 fixes. Pull request #1921.
|
|
* Better Handle v4/v6 host names. Pull request #1919.
|
|
* Remove "Auth-Type = System" from docs and examples.
|
|
* Don't crash on malformed %{home_server}. Fixes #1922
|
|
* fix erroneous use of talloc destructor in rlm_eap
|
|
* Issue trigger modules.sql.fail. Fixes #1923
|
|
* Document python_path gotcha's. Fixes #1845
|
|
* dlopen() the specific version of Python. Fixes #1592
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 20 15:27:28 CET 2017 - kukuk@suse.de
|
|
|
|
- Don't require insserv if we use systemd
|
|
- Remove require for unused fillup
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 30 15:46:54 UTC 2017 - adam.majer@suse.de
|
|
|
|
- Merge changes from SLE to openSUSE (FATE#322416):
|
|
* freeradius-server-radclient-init-error-buffer.patch - make sure
|
|
we initialize error buffer. bsc#911886: radclient error free()
|
|
invalid pointer
|
|
* freeradius-server-opensslversion.patch: remove OpenSSL version
|
|
check and assume we know what we are doing. (bnc#1013311)
|
|
* merge .changes file, mostly.
|
|
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
|
|
security fixes do not necessarily bump version numbers as
|
|
does upstream OpenSSL (bnc#1021375)
|
|
- do not generate certificates in %post. End-user needs to do this
|
|
manually.
|
|
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
|
|
- require OpenSSL 1.0+
|
|
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
|
|
- don't list manual pages as %doc
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jan 1 13:39:57 UTC 2017 - jengelh@inai.de
|
|
|
|
- Remove --with-pic which is for static libs only.
|
|
- Use SUSE RPM group names. Trim filler words from description.
|
|
- Do not hide errors from groupadd/useradd.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 18 14:48:59 UTC 2016 - adam.majer@suse.de
|
|
|
|
- Add upstream keyring
|
|
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 29 20:14:34 UTC 2016 - michael@stroeder.com
|
|
|
|
- update to 3.0.12 - still fate#320481
|
|
The focus of this release is stability.
|
|
* Feature improvements
|
|
+ Add support for =~ and !~ in update sections. See "man unlang"
|
|
+ Add dictionary.checkpoint.
|
|
+ Simultaneous-Use prints out more information.
|
|
+ Print WARNING in debug mode when packets may be truncated.
|
|
+ Added expansions %{home_server:state} and
|
|
%{home_server_pool:state}, which show the state of the
|
|
server / pool.
|
|
+ Mark rlm_sql_freetds as stable.
|
|
+ Make rlm_perl less fragile. Patch from Herwin Weststrate.
|
|
+ Allow extended attributes to have "encrypt=2"
|
|
+ Update dictionary.aruba.
|
|
+ Add support for EAP-FAST. This is an isolated feature which
|
|
does not affect anything else.
|
|
+ Update OpenSSL vulnerability list. Use a version of OpenSSL
|
|
released after September 20, 2016.
|
|
+ EAP certificate verification is now done when "verify" is
|
|
enabled and "ocsp" is disabled.
|
|
+ New dhcpclient and rlm_rad_counter man pages.
|
|
+ Minor abfab and moonshot additions.
|
|
+ Pass CFLAGS through from environment in RPM builds. Allows
|
|
more custom builds.
|
|
+ Build with Heimdal in addtion to libkrb5.
|
|
* Bug Fixes
|
|
+ Use correct typedef for older versions of sqlite.
|
|
+ Update mssql schema to add priority
|
|
+ don't complain on /dev/urandom in ldap
|
|
+ fix == operator in update sections
|
|
+ Don't create DHCP strings with many trailing zeros.
|
|
+ Allow MS-CHAP change passwords instead of complaining on
|
|
large buffer.
|
|
+ Allow assignment or equality operator on SQL.
|
|
+ Update aclocal tests for FreeBSD 10.
|
|
+ Remove occasional hang in rlm_linelog.
|
|
+ Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
|
|
+ A few minor bugfixes caught in v3.1.x cleanup, and
|
|
back-ported to v3.0.x.
|
|
+ do_not_respond again works in post-proxy
|
|
+ Allow realm "~^.*$" {} and User-Name with no realm.
|
|
+ Fix leak when creating unknown attributes
|
|
+ Fix Debian / logrotate.
|
|
+ Make OpenSSL error functions thread-safe.
|
|
+ Fix crash with rlm_sql and updating SQL-User-Name.
|
|
+ Debian build updates.
|
|
+ Allow regular expression comparisons in radclient.
|
|
+ Fix memory leak on unknown attributes in detail file reader.
|
|
+ Update example paths in "man" pages when installing them
|
|
+ Build fixes for rlm_mschap. Fixes #1489.
|
|
+ BSD build fixes. Patch from issue #1583.
|
|
+ Be more careful about /lib/ when building. Fixes #1585.
|
|
+ Correct ifdef placement error. Fixes #1572.
|
|
+ Allow for more files in internal "exfile" API So it will be
|
|
possible to open more than 64 "detail" files at the same
|
|
time.
|
|
+ Remove support for statically built EAP modules. Fixes #1591.
|
|
+ Many fixes to rlm_python from Guillaume Pannatier.
|
|
+ Use correct week adjustment in SQLcounter. Fixes #1608
|
|
+ Minor fixes to allow compilation without DHCP, VMPS, or TCP.
|
|
+ Fix checks for module / config file change on HUP.
|
|
+ Compile regex comparisons when sent via "debug condition".
|
|
+ Update filenames in documentation and examples.
|
|
+ Don't crash if SQL connection becomes unavailable.
|
|
+ Disallow originate_coa when proxy_requests = no.
|
|
+ Free rad_perlconf_hv in correct perl context.
|
|
+ Multiple fixes for Debian builds. #1510, among others.
|
|
+ Set OpenSSL FIPS compatibility flag when necessary.
|
|
+ Pulled fixes for the build system over from other branches.
|
|
+ Fix OCSP for RADIUS over TLS.
|
|
+ Fix skip_if_ocsp_ok behavior.
|
|
+ Better fixes for systems without closefrom() but which have
|
|
/proc.
|
|
+ Minor build fixes back-ported from v4.0.x.
|
|
+ build --whout-ascend-binary. Fixes #1761.
|
|
+ Be more aggressive about not opening new connections in
|
|
debug mode after CTRL-C. Address #1604.
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 2 12:16:56 UTC 2016 - adam.majer@suse.de
|
|
|
|
- use %{with} macro for conditional inclusions instead of hardcoding
|
|
version numbers
|
|
- improved package descriptions
|
|
- fixed builds on SLE12 and SLE11SP4
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 25 18:48:55 UTC 2016 - michael@stroeder.com
|
|
|
|
- removed installation of experimental module rlm_sqlhpwippool.so
|
|
- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763,
|
|
bsc#935573, CVE-2015-4680)
|
|
* Changes of version 3.0.11
|
|
+ Feature improvements
|
|
- "unlang" comparisons of IP addresses to IP prefixes are now
|
|
detected, and types automatically cast.
|
|
- Allow shorthand form of ipv4prefix values e.g. 127/8.
|
|
- Add "auto_chain" to raddb/mods-available/eap, tls subsection.
|
|
This allows the disabling of OpenSSL auto-chaining of
|
|
certificates. Which might be wrong.
|
|
- Added printing of coa and disconnect stats (radmin).
|
|
- radclient defaults to expecting Access-Accept responses to
|
|
Status-Server.
|
|
- Updated dictionary.lancom, dictionary.starent.
|
|
- Portability fixes for Solaris.
|
|
- More errors from ntlm_auth gets passed to MS-CHAP.
|
|
- Update abfab-tr-idp virtual server.
|
|
- Added "filter_password" in policy.d/filter. This removes
|
|
embedded zero bytes in User-Password, for compatibility with
|
|
broken clients.
|
|
- The server now issues a WARNING message if duplicate
|
|
configuration items are found.
|
|
- TLS can skip the "verify" section if OCSP returns OK. See
|
|
raddb/mods-available/eap, "skip_if_ocsp_ok".
|
|
- Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the
|
|
result from the OCSP check.
|
|
- Interoperate with AD and "LmCompatibiltyLevel = 5", by
|
|
always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind
|
|
in rlm_mschap.
|
|
- TTLS and PEAP now require "virtual_server" to be a real
|
|
server.
|
|
- Print WARNING when TTLS or PEAP identities are spoofed or
|
|
not properly anonymized. See RFC 7542 for requirements.
|
|
- Various rlm_python fixes from Herwin Weststrate.
|
|
- Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
|
|
which is useful when the home server does not respond.
|
|
- elasticsearch updates from Matthew Newton
|
|
+ Bug Fixes
|
|
- Fix issue where field nas_type would not be accessible via
|
|
the %{client:} xlat, for clients loaded from SQL.
|
|
- Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to
|
|
msg_callback with 'pseudo' content types.
|
|
- Data type "ipv4prefix" is parsed correctly.
|
|
- Use correct talloc context in rlm_exec. Fixes #1338.
|
|
- Complain in unlang if "else" is used with no previous "if"
|
|
or "elsif".
|
|
- Send accounting status packets to the accounting port.
|
|
Fixes #1364.
|
|
- Print out CFLAGS when doing "radiusd -Xxv"
|
|
- Fixed bug with coa/acct stats value #1339. Based on patch
|
|
from Jorge Pereira.
|
|
- Fixes for LEAP proxying. Don't use LEAP!
|
|
- Fix issue with "directory already exists" seen when doing
|
|
"make install".
|
|
- Fixed bug with radmin related to the option "stats detail
|
|
<filename>"
|
|
- Complain if the detail file reader does not have permission
|
|
to read the "detail.work" file. Fixes #1398
|
|
- Fixed SoH. Attributes were not being copied to the virtual
|
|
server.
|
|
- Used a wrong list to global statistics in "stats".
|
|
- Create EAP-PWD identity correctly. Prevents segfaults.
|
|
- Dynamically validate authentication types for PEAP and
|
|
EAP-MSCHAPv2.
|
|
- Fix includes in installed headers.
|
|
- OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys
|
|
correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
|
|
- Allow password change to work for MS-CHAP. This requires
|
|
'r=0', because password changes are not retries.
|
|
- Fix home server fail-over for home servers using TCP and/or
|
|
RadSec.
|
|
- Special characters in expanded regexes are now escaped e.g.
|
|
User-Name containing '.', and comparing /%{User-Name}/, the
|
|
'.' will now be escaped. See src/tests/keywords/regex-escape.
|
|
- Use correct authentication vector when sending Access-Reject
|
|
replies for RadSec.
|
|
- Set FreeRADIUS-Proxied-To in TTLS again. You should use the
|
|
"inner-tunnel" virtual server, instead of relying on this
|
|
attribute.
|
|
- Fix debugging constants in rlm_perl. Patch from Herwin
|
|
Weststrate.
|
|
- Add samba-dev / samba4-dev to debian builds so that
|
|
rlm_mschap can automatically use the new winbind API.
|
|
- Automatically skip zero-length attributes when sending
|
|
packets, instead of erroring out.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 26 12:45:59 UTC 2015 - jkeil@suse.de
|
|
|
|
- fix bsc#951404
|
|
* Rebuild of freeradius-server package fails
|
|
* fix source url
|
|
- ftp://ftp.freeradius.org/pub/freeradius/
|
|
+ ftp://ftp.freeradius.org/pub/freeradius/old/
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 5 19:50:27 UTC 2015 - michael@stroeder.com
|
|
|
|
- update to 3.0.10
|
|
* Changes of version 3.0.10
|
|
+ Feature improvements
|
|
- Do more optimization of unlang policies. This makes run-time
|
|
a bit faster.
|
|
- Re-name most of the functions in src/lib. Third-party module
|
|
authors will have to do the same.
|
|
- More documentation on contributing and how to write modules.
|
|
- Update radiusd.service for systemd.
|
|
- Open IPv6 proxy socket if the server is listening on IPV6
|
|
auth / acct / coa packets.
|
|
- Create debian packages for DHCP. Fixes #1125.
|
|
- Add more tests for "update" section parsing.
|
|
- Update "man" pages.
|
|
- Update attributes for Alcatel 7750
|
|
- Add dictionary for Boingo Wi-Fi
|
|
- Add support for DHCP lease queries.
|
|
See raddb/sites-available/dhcp
|
|
- On HUP, check all modules for config files which have
|
|
changed. And only re-load those modules.
|
|
- Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS
|
|
packets. Patch from Herwin Weststrate.
|
|
- Documentation fixes from Alan Buxey and Matthew Newton.
|
|
- Update "logrotate" script.
|
|
- Added more RFCs to doc/rfc for new standards implemented by
|
|
FreeRADIUS.
|
|
- Don't crash when doing "radmin -e "help hup". Patch from
|
|
Matthew Newton.
|
|
- The dictionary parser now does more sanity checks, which
|
|
prevents run-time problems with invalid attributes.
|
|
- Update debian packages. Patches from Christopher Hoskin.
|
|
- Many other debian packaging fixes from Matthew Netwon and
|
|
Herwin Weststrate.
|
|
- Add "session-state" to Perl. Patch from Herwin Weststrate.
|
|
+ Bug Fixes
|
|
- Fix rlm_files so that there are no collisions when loading
|
|
10's of 1000's of users.
|
|
- Fix radclient to use our internal v4/v6 parsing functions.
|
|
v6 addresses with ports now work correctly.
|
|
- Fix sending/receiving packet messages to wrap v6 addresses
|
|
in square brackets '[]'.
|
|
- Check for sasl/sasl.h when building rlm_ldap, and disable
|
|
SASL functionality if unavailable.
|
|
- Fix issue which caused a non \0 terminated buffer to be
|
|
assigned to attributes if the value being assigned contained
|
|
an invalid escape sequence.
|
|
- Fix deadlock when reconnecting connections in the connection
|
|
pool.
|
|
- Fix potential overrun in functions that used fr_utf8_char
|
|
with a non nul terminated buffer.
|
|
- Fix decoding issue for Tunnel-Password type attributes which
|
|
were very long. Found by Denis Andzakovic.
|
|
- Fix radclient issue with TCP sockets on FreeBSD.
|
|
- The server now creates ${run_dir} and ${logdir} directories
|
|
in daemon mode, when running as "root".
|
|
- Handle tags when using maps. Fixes #1191.
|
|
- Fix crash when CoA packets time out.
|
|
- Fix parse error in rediswho
|
|
- Fix regex support in SQL radcheck the "users" file and
|
|
radsniff.
|
|
- Register listen xlat earlier, so that it's available when
|
|
the virtual servers are being parsed.
|
|
- Parse Ascend-Data-Filter when given as "0x..."
|
|
- Print Ascend-Data-Filter correctly. Add test cases for both.
|
|
- Allow old-style clients again. They will be disallowed for
|
|
3.1.0 and following.
|
|
- Complain instead of crash when "else" and "elsif" are in the
|
|
wrong place.
|
|
- Clean up memory more aggressively. This lowers the maximum
|
|
memory used, most typically for TLS based EAP methods.
|
|
- Prevent the server from unlinking the control socket of an
|
|
already running instance.
|
|
- Fallback to using the configured OCSP URL if one exists, and
|
|
no URL is provided in the certificate.
|
|
- Return CoA-NAK if proxying CoA fails. Based on patch from
|
|
Jorge Pereira.
|
|
- Lower peak memory usage by decreasing size of internal
|
|
memory pools.
|
|
- The control socket is now left in place if a second copy of
|
|
the server is accidentally started.
|
|
- Allow virtual attributes in "switch", "case", etc. Fixes
|
|
#1240 and #1265.
|
|
- Many spell check / typo fixes in comments and example
|
|
configuration files.
|
|
- Better handle multiple DHCP listeners.
|
|
- Don't print secrets for old-style realms. Fixes #1267.
|
|
- Don't fall through in empty "case" statements. Fixes #1274.
|
|
- Update EAP-TTLS so that MPPE keys are correctly calculated
|
|
with TLSv1.2.
|
|
- Always delete MS-MPPE-* from the TTLS inner tunnel. This
|
|
allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
|
|
- Fix off by one error that caused some MSCHAP-Error messages
|
|
to be sent without the password change version (V=3) and the
|
|
textual message component (M=).
|
|
- Always include C= V= and M= in MSCHAPv2 errors. RFC 2759
|
|
does not say that any of these fields are optional, and not
|
|
including V= caused errors with wpa_supplicant.
|
|
- Do not include M= in MSCHAPv1 errors. It's not supported.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 7 10:56:29 UTC 2015 - jkeil@suse.de
|
|
|
|
- Fix boo#912714: freeradius can't use ntlm_auth
|
|
* Create winbind group
|
|
* Add radiusd to winbind group
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 4 15:19:06 UTC 2015 - jkeil@suse.de
|
|
|
|
- Remove gpg signature file
|
|
* The gpg signature checking is broken and doesn't work
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 4 14:28:24 UTC 2015 - jkeil@suse.de
|
|
|
|
- Fix bsc#935573: Insufficent CRL application for intermediate certificates
|
|
* CVE-2015-4680
|
|
* freeradius-server-CVE-2015-4680.patch based on
|
|
https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jul 8 20:05:24 UTC 2015 - michael@stroeder.com
|
|
|
|
- update to 3.0.9
|
|
* Changes of version 3.0.9
|
|
+ Feature improvements
|
|
- Make "pool" configurations more consistent, and update
|
|
documentation for them.
|
|
- Move connection pool logic to "most recently started",
|
|
instead of MRU. This should help with pool stability.
|
|
- More VSAs for 3GPP2
|
|
- Added examples of multi-value attributes to rlm_perl.
|
|
- LDAP-Group and SQL-Group attributes are now dynamically
|
|
allocated.
|
|
- Only the "sql" module registers SQL-Group. Other instances
|
|
register "instance-name-SQL-Group", similarly to "ldap".
|
|
- Unknown attributes are now complained about more often when
|
|
used in unlang statements. e.g. if (Foo-Bar == 3) used to be
|
|
a string to string comparison. It is now a parse error.
|
|
- Rename RLM_COMPONENT_* to MOD_* in the code. This makes many
|
|
things easier.
|
|
- Move to C99 initializers for modules.
|
|
- Load modules in raddb/mods-enabled. This allows attributes
|
|
like "LDAP-Group" to be used in the "files" module, without
|
|
explicit ordering or listing in "instantiate".
|
|
- Added 'bootstrap' section to modules. Third-party modules
|
|
will need to be updated.
|
|
- When adding clients from a DB, add them to a virtual server
|
|
if that virtual server has a "listen" section. Otherwise,
|
|
add the clients to the global list.
|
|
- When reading dynamic clients from a file, don't expire them
|
|
if the underlying file is unchanged.
|
|
- Allow the server to originate CoA requests from the
|
|
post-auth stage.
|
|
- The server creates ${run_dir} and ${logdir} in daemon mode,
|
|
if they do not already exist.
|
|
- Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server
|
|
now supports all mandatory and optional attributes for this
|
|
specification.
|
|
- HUP now re-loads the configuration only if the files have
|
|
changed. If all files are unchanged, HUP re-opens the log
|
|
file, and does nothing else.
|
|
- Much better debug messages for EAP-TLS, including which
|
|
attributes are cached, and when they are retrieved.
|
|
- Increase default max_requests to 16384. Memory is cheap now.
|
|
- Added "stats memory" commands to radmin. Debug build only.
|
|
- Aptilo controller dictionary updates.
|
|
- SQL modules now use Acct-Unique-Session-Id everywhere.
|
|
- The redis modules are now stable.
|
|
- The LDAP module now supports SASL "interactive bind" method.
|
|
This allows Kerberos based administrator and user binds.
|
|
- DHCP code is now in libfreeradius-dhcp.
|
|
- More DHCP encoding / decoding unit tests.
|
|
- rlm_replicate can now be listed in the "accounting" section.
|
|
- Better sqlite debugging output.
|
|
- Remove "required" option from many sql_ippool directives.
|
|
- Set default CA "basic constraints" to "critical". Fixes #1073
|
|
- Updates to help / man pages from Jorge Pereira.
|
|
- Added more tests.
|
|
+ Bug Fixes
|
|
- Be more careful about unused config item warnings when
|
|
using -Xx.
|
|
- Move more defines to be auto-generated.
|
|
- Allow virtual servers in proxy fallback.
|
|
- Allow %{module:} to work.
|
|
- Don't crash in RadSec. Closes #980.
|
|
- Return better errors when a unix group / user is not found.
|
|
- Re-enable detail module "locking" parameter.
|
|
- Don't crash when logging replies from Status-Server packets.
|
|
- The couchbase module now uses "update" instead of "map", for
|
|
consistent with the rest of the server.
|
|
See raddb/mods-available/couchbase
|
|
- Don't require NT-Password for MS-CHAP password changes.
|
|
- Be a bit more careful about decrypting MS-CHAP-MPPE-Key
|
|
attributes. Closes #1013. There is no perfect fix, tho.
|
|
- Fix security issues with EAP-PWD.
|
|
See http://freeradius.org/security.html#eap-pwd-2015
|
|
- Fix dynamic clients read from SQL in non-debug mode
|
|
- MS-CHAP now allows retries (i.e. password change) when
|
|
passwords are expired.
|
|
- Allow "user=radiusd" when the server is already user
|
|
"radiusd"
|
|
- suid up/down works on non-Linux systems. This means that the
|
|
control socket should have the correct ownership.
|
|
- Fix issue which caused the server to sometimes have problems
|
|
when a home server was marked zombie.
|
|
- Fix format.pl because Perl is now more picky.
|
|
- Fix proxy to Packet-Dst-IP-Address, so that it uses the
|
|
correct destination port.
|
|
- Fix corner case with cursor functions and removal.
|
|
- OpenDirectory fixes and documentation.
|
|
- Fix leaks in rlm_redis.
|
|
- RFC 6929 "evs" attributes are now encoded / decoded properly.
|
|
- Fix talloc pool leaks when receiving malformed or
|
|
retransmitted Accounting/CoA requests.
|
|
- Printed attributes again use double quotes instead of single
|
|
quotes.
|
|
- Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to
|
|
eap.conf. Fixes oCert CVE-2015-4680.
|
|
- rlm_expr now errors out correctly on malformed attribute
|
|
references instead of triggering an assert.
|
|
- Make "break" work in "foreach" loops
|
|
- Allow dynamic expansions to work again in the "hints" file.
|
|
- Correct minor typos in comments and examples from Alan Buxy.
|
|
- Re-urlencode the path portion of ldapi:// urls before
|
|
passing it to ldap_initialise.
|
|
- freeradius-server-rlm_sql_unixodbc-configure.patch removes
|
|
hard-coded directory in configure script of rlm_sql_unixodbc
|
|
- install new module rlm_sqlhpwippool.so
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 23 14:22:17 UTC 2015 - vcizek@suse.com
|
|
|
|
- minor adjustments/cleanup of spec and changes
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 22 20:31:44 UTC 2015 - michael@stroeder.com
|
|
|
|
- update to 3.0.8
|
|
* Changes of version 3.0.8
|
|
+ Feature improvements
|
|
- Allow syslog_severity to be set in rlm_linelog.
|
|
- Allow defaults to be set for bulk clients in LDAP and
|
|
couchbase.
|
|
- Updates to dhcpclient. Patches from Nicolas C.
|
|
- rlm_mschap now supports direct connections to winbind,
|
|
which is faster than ntlm_auth.
|
|
See raddb/mods-available/mschap. Patch from Matthew Newton.
|
|
- Recommend /dev/urandom for TLS randomness, instead of
|
|
${certdir}/random
|
|
- Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
|
|
- Allow Expanded EAP types where vendor is 0 (IETF) and type
|
|
is normal EAP type. Supplicants sending Expanded EAP types
|
|
like this are broken.
|
|
- Add support for server side sort controls when searching
|
|
for user objects in rlm_ldap.
|
|
+ Bug Fixes
|
|
- Don't complain about "authorize" in "server {}" blocks, but
|
|
only if there's no "server" block.
|
|
- Fix cosmetic issue where debug from the first packet read by
|
|
a detail reader thread would be emited during config parsing.
|
|
- Fix ASSERT on truncated detail packets.
|
|
- Don't use main server log functions from within panic_action,
|
|
as in the case of syslog this would cause deadlocks if the
|
|
fault was triggered from within a malloc.
|
|
- Fix issue in "switch" when "correct_escapes = false".
|
|
Fixes #911.
|
|
- Fix sqlcounter configuration to use "%%b" instead of "%b",
|
|
otherwise the new syntax validation will fail.
|
|
- Allow forward references in configuration items. Modules
|
|
aren't always loaded in a sane order.
|
|
- Fix more escaping issues. Closes #912.
|
|
- Decode MAC addresses correctly for VMPS.
|
|
- Fix memory leak with TLS connections.
|
|
- Fix state machine threading issues for conflicting packets.
|
|
- Fix copy_request_to_tunnel issues for tagged attributes.
|
|
- Allow "ok" to over-ride "updated" inside of Auth-Type
|
|
sections.
|
|
- Update state machine so that post-proxy is run though child
|
|
threads for performance, instead of blocking the main thread.
|
|
- Allow "netmask" to work again in client definitions.
|
|
- Relax restrictions on SQL group queries.
|
|
- track outgoing proxy sockets and clean them up more
|
|
aggressively.
|
|
- track proxy statistics, including CoA and Disconnect.
|
|
- If radmin has a connection failure when running a command,
|
|
it re-connects and runs the command again.
|
|
- mark home servers "unknown" less aggressively.
|
|
- Fix potential SEGV in PostgreSQL driver on error.
|
|
- Fix issue where fields like nas_type would not be
|
|
accessible via the %{client:} xlat, for dynamic clients.
|
|
- Set default busy_timeout (of 200ms) in the sqlite driver, so
|
|
writes don't cause selects to fail in multithreaded mode.
|
|
This is user configurable, and may be increased if required.
|
|
- Convert Password-With-Header attributes to binary (from hex
|
|
or base64), in the authorize method of rlm_pap.
|
|
- Fix invalid assert in state.c, that could cause abort in
|
|
post-auth.
|
|
- Fix double free when -m flag is used, and connection pools
|
|
are referenced by multiple modules.
|
|
- RADIUS over TLS accounting uses the same port as
|
|
authentication.
|
|
- Regularized return codes from radmin commands.
|
|
- Fix RHEL spec file so it works correctly for Centos7 which
|
|
uses systemd, and didn't like the SystemV init script.
|
|
- radwho and radlast now have a -D option to load dictionaries
|
|
- DHCP packets are no longer checked for duplicates.
|
|
- Don't crash in sql module group comparisons in corner case.
|
|
- Calculate MPPE keys correctly when using TLS 1.2.
|
|
- Fix load-balance sections. Closes #945
|
|
- TLS certificates are available again in the post-auth
|
|
section. They are not available for session resumption.
|
|
- radclient encodes CHAP-Password properly when using -c
|
|
Closes #955.
|
|
- Fix issue in rlm_cache_memcached driver that caused variable
|
|
length values to be truncated.
|
|
- Fix track functionality in detail reader, so it no longer
|
|
fails with a "Failed marking detail request as done: Bad
|
|
file descriptor" error.
|
|
- Actually add the peer identity (as User-Name) to the inner
|
|
tunnel in EAP-PWD requests, so it's available for lookups.
|
|
- Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
|
|
- new set of consolidated patch files:
|
|
deleted:
|
|
* freeradius-server-2.1.1-logrotate_su.patch
|
|
* freeradius-server-2.1.6-rcradiusd.patch
|
|
* freeradius-server-initscript-pidfile.patch
|
|
* freeradius-server-radius-reload-logrotate.patch
|
|
* freeradius-server-var_run.patch
|
|
added:
|
|
* freeradius-server-radiusd-logrotate.patch
|
|
* freeradius-server-rcradiusd.patch
|
|
* freeradius-server-tmpfiles.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 14 13:10:11 UTC 2015 - tchvatal@suse.com
|
|
|
|
- Do not disable as-needed build
|
|
- Remove the with_sysconfig switch and just stick with versions
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 13 09:42:05 UTC 2015 - vcizek@suse.com
|
|
|
|
- update to 3.0.6
|
|
- fixes a segmentation fault in PEAP module (bnc#912588)
|
|
Feature improvements:
|
|
* radmin / raddebug conditional errors are printed to the output, instead of being discarded.
|
|
* raddebug will exit if condition set with -c was invalid.
|
|
* radmin auto-reconnects if the connection to the server has gone away.
|
|
* rlm_cache now has submodule support. See raddb/mods-available/cache
|
|
* New memcached driver for rlm_cache. See raddb/mods-available/cache
|
|
* Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
|
|
* Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
|
|
* Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
|
|
* When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
|
|
* Support JIT compilation of compiled regular expressions when built with libpcre.
|
|
* Support named capture groups with "%{regex:<name>}" when built with libpcre.
|
|
* Increase regular expression capture groups from 8 to 32.
|
|
* Emit error markers for badly formed regular expressions.
|
|
* Allow 'm' flag to enable multiline mode in regular expressions.
|
|
* Support limited implicit attribute conversion in update sections.
|
|
* Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 22 09:09:16 UTC 2014 - dimstar@opensuse.org
|
|
|
|
- Drop .keyring and .sig file: freeradius-server still uses MD5
|
|
signatures, which are no longer validated/accepted by GPG 2.1.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 3 14:22:03 UTC 2014 - vcizek@suse.com
|
|
|
|
- update to 3.0.5
|
|
Some of the new features:
|
|
* Allow LDAP to specify arbitrary attributes for dynamic
|
|
clients.
|
|
* Allow one level of backslashes (finally). See radiusd.conf,
|
|
"correct_escapes" setting.
|
|
* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
|
|
in EAP methods.
|
|
* Allow multiple new connections to be spawned simultaneously
|
|
in the connection pool, to cope with spikes in traffic.
|
|
* Use kqueue on systems which support it. This allows for
|
|
better scaling when using many sockets.
|
|
* Home server "response_window" can now take fractions of a
|
|
second. See proxy.conf.
|
|
* radmin now supports "show module status", as thee counterpart
|
|
to "set module status"
|
|
* "ipaddr" will now use v6 if no v4 address is present. You should
|
|
use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
|
|
* "client" sections will allow "ipaddr = 192.192.0/24". The old
|
|
"netmask" is still accepted, but the new format is preferred.
|
|
* Allow custom HTTP headers to be set for rlm_rest requests using
|
|
control:REST-HTTP-Header (attributes consumed after use).
|
|
* Extend format of %{rest:} expansion to allow HTTP method and POST
|
|
data to be specified
|
|
and urlquoting.
|
|
* Add support for aliases in rlm_ldap.
|
|
* Add support for connection pool sharing to all modules that use
|
|
the connection pool (pool = <instance>).
|
|
* "tls" sections now have a "psk_query" configuration item, for dynamic
|
|
queries to discover a key from a PSK identity.
|
|
* Preliminary support for EAP channel bindings.
|
|
* Foundational work for dynamic home servers. They do not yet work,
|
|
but this is now only a matter of updating the "realm" module in
|
|
a future release.
|
|
* Support &attr[*] syntax to copy all instances of an attribute when
|
|
used with the += operator in an update section. May be qualified with
|
|
a tag.
|
|
* The logintime and expiration modules can now be listed in the
|
|
post-auth section. This makes some configurations simpler.
|
|
* rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get
|
|
Framed-IPv6-Prefix returned. The SQL queries have NOT been updated.
|
|
Please submit patches.
|
|
and numerous; bugfixes
|
|
- remove gpg-offline
|
|
- create /run/radiusd after install
|
|
- drop freeradius-server-opensslversion.patch (upstream)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 1 10:52:28 UTC 2014 - meissner@suse.com
|
|
|
|
- freeradius-server-opensslversion.patch: do not check the minor
|
|
version of openssl, minor versions are supposed to be compatible.
|
|
bnc#906682
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Aug 3 18:31:49 UTC 2014 - sfalken@opensuse.org
|
|
|
|
- added patch to changelog to fix factory-auto failure (Req #242825)
|
|
added:
|
|
freeradius-server-var_run.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 28 12:28:44 UTC 2014 - vcizek@suse.com
|
|
|
|
- fixed SUSE spelling in a filename (bnc#889034)
|
|
* don't install suse/README.SuSE
|
|
- remove old tarball and signature file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 22 12:17:52 UTC 2014 - vcizek@suse.com
|
|
|
|
- spec run through spec-cleaner
|
|
- don't install files to /var/run
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 16 13:31:41 UTC 2014 - vcizek@suse.com
|
|
|
|
- update to 3.0.3
|
|
Many bugfixes
|
|
Feature improvements
|
|
* Everything now builds with no warnings from the C compiler,
|
|
clang static analyzer, or cppcheck.
|
|
* rlm_ldap now supports defining the LDAP attribute name via
|
|
backticked expansion (i.e. shell command) in
|
|
RADIUS <-> LDAP mappings.
|
|
* rlm_ldap now supports older style generic attributes.
|
|
* dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed
|
|
when the server starts. Syntax errors in the strings
|
|
are caught, and a descriptive error is printed.
|
|
* Static regular expressions (e.g. /a*b/) are now parsed
|
|
when the server starts. Syntax errors in the strings
|
|
are caught, and a descriptive error is printed.
|
|
* dynamic expansions are cached after being parsed. They are
|
|
no longer re-parsed at run-time for every request.
|
|
* regular expressions are now parsed and cached when the server
|
|
starts.
|
|
* Added the %{rest:} expansion to rlm_rest, which will send
|
|
a GET request to the URL passed as the format string.
|
|
Any body text will be written to the expansion buffer.
|
|
* rlm_rest now available as a debian package.
|
|
* When an 'if' condition statically evaluates to true/false,
|
|
unlang does more static optimization. For examples, see
|
|
src/tests/keywords/if-skip
|
|
* All modules are marked as safe for '-C', which lets the
|
|
dynamic expansion checks work in more situations.
|
|
* Added 'none' and 'custom' rlm_rest body types. 'custom'
|
|
allows sending of arbitrary expanded text and content-type
|
|
headers.
|
|
* Added "config" section to Perl. See mods-available/perl
|
|
* Added '%v' which expands to the server version - Patch
|
|
from Alan Buxey.
|
|
* more mis-matched casts are caught in "if" conditions,
|
|
and descriptive errors are printed.
|
|
* Support basic response validation in radclient. This allows
|
|
administrators to write local test cases for their
|
|
site-specific configurations.
|
|
* Removed radconf2xml and radmin "show client config" and
|
|
"show home_server config".
|
|
* Forbid running with vulnerable versions of OpenSSL.
|
|
See "allow_vulnerable_openssl" in the "security"
|
|
subsection of "radiusd.conf"
|
|
* Catch underlying "heartbleed" problem, so that nothing bad
|
|
happens even when using a vulnerable version of OpenSSL.
|
|
* Add locking API for sql_null, linelog, and detail modules,
|
|
which should improve performance and work around issues
|
|
on platforms with bad file locking.
|
|
* Allow DHCP NAKs to be delayed, via setting
|
|
reply:FreeRADIUS-Response-Delay = 1
|
|
* Allow tag and array references anywhere attributes
|
|
are allowed in "unlang".
|
|
* many enhancements to radsniff, including output
|
|
to collectd, ipv6 support and packet loss statistics.
|
|
* Many dictionary updates (ZTE, Brocade, Motorola).
|
|
* rlm_yubikey now automatically splits passwords from OTP
|
|
strings.
|
|
* The detail file reader is now threaded by default.
|
|
This should improve performance reading the files.
|
|
- dropped freeradius-server-CVE-2014-2015.patch (upstream)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 28 09:04:08 UTC 2014 - vcizek@suse.com
|
|
|
|
- fix for CVE-2014-2015 (bnc#864576)
|
|
* denial of service in rlm_pap hash processing
|
|
* added freeradius-server-CVE-2014-2015.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 29 13:53:30 UTC 2014 - vcizek@suse.com
|
|
|
|
- remove the old 3.0.0 sources
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jan 25 14:44:31 UTC 2014 - mardnh@gmx.de
|
|
|
|
- update to 3.0.1
|
|
Feature improvements
|
|
* Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
|
|
So that run-away child processes are caught earlier.
|
|
* Allow TLS clients to use "proto = tls", in which case
|
|
TLS is required. The shared secret is then set to "radsec".
|
|
* More documentation in the tls virtual server.
|
|
* Add "date" module for date formatting.
|
|
See raddb/mods-available/date.
|
|
* Added unit test suite for internal server functionality
|
|
* When loading "update" sections, check if the RHS is a literal
|
|
value. If so, syntax check it immediately.
|
|
* Update LDAP module documentation and functionality.
|
|
The generic attribute can now update lists.
|
|
* Updated dictionary.extreme.
|
|
* Update sqlippool to do clears as a separate transaction,
|
|
and at most once per second. This should help MySQL.
|
|
* Respect control:Response-Packet-Type for all types of
|
|
requests.
|
|
* Add support for SSL encryption to the MySQL driver.
|
|
* Allow arbitrary connection parameters to be used with the
|
|
PostgreSQL driver.
|
|
* Changes to the OpenLDAP schema to fully expose functionality
|
|
of the new LDAP module.
|
|
* Update debian packaging to include a freeradius-config
|
|
package. This package may be provided as a site local
|
|
package to avoid fighting with the preinstalled config
|
|
files.
|
|
Bug fixes
|
|
* Use correct field for ARP setting in DHCP.
|
|
* Fix crash on debug condition (#454).
|
|
* Fix a number of minor issues caught by the clang
|
|
analyzer.
|
|
* Set WARNING messages to yellow instead of normal text.
|
|
* Correct debug colorise logic. Patch from Phil Mayers.
|
|
* Encode attributes of type "ethernet". No one uses them,
|
|
but it makes sense.
|
|
* Work around regex initialization issues.
|
|
* Fix build when linking against OpenSSL.
|
|
* Print IDs as positive numbers, which helps for large DHCP
|
|
XIDs.
|
|
* Fix issue with sql_ippool.
|
|
* sqlcounter now uses 64-bit counters, to deal with 4G overflow.
|
|
* Fix issues with DHCP subsystem.
|
|
* Don't build / install disabled modules, or their config
|
|
files.
|
|
* Fix build for OSX Mavericks, which hid the header files
|
|
in a magical place.
|
|
* Fix LEAP buffer issue. You should still avoid LEAP.
|
|
* Mark "unknown" WiMAX attributes as being WiMAX.
|
|
* Fix typo in packet decoder for fragmented extended attrs
|
|
* RPM spec fixes.
|
|
* Fix rlm_perl build issues when not using threads.
|
|
* Enable %{Response-Packet-Type} again.
|
|
* Update configuration file parser to handle "bool"
|
|
consistently.
|
|
* Update declarations of global boolean variables to use
|
|
"bool" consistently. This fixes an issue where some
|
|
modules were instantiated in "config check" mode and
|
|
did not work correctly.
|
|
* Make more messages debug instead of info, to avoid
|
|
polluting the logs with messages that can't be fixed.
|
|
* Set operator in internal unlang code to suppress spurious
|
|
warning messages.
|
|
* Fix debian packaging.
|
|
* Added "status" to Debian init script.
|
|
* Fix "update outer.request" to update the outer request.
|
|
* Don't print TLS debugging messages when not in debug mode.
|
|
* Correctly manage counters for "limit" sections of TCP / TLS
|
|
"listen" sockets.
|
|
* Fix libldap debug output.
|
|
* Fix rlm_ldap tls functionality.
|
|
* Initialise OpenSSL globals early to avoid issues with the
|
|
PostgreSQL library.
|
|
* Fix typo in sqlcounter expansion code. Fixes #463
|
|
* Overwrite previous instances of SQL-User-Name when adding
|
|
it to the request.
|
|
* Work around bugs in both MIT and heimdal versions of
|
|
krb5_copy_context(), which caused segfaults in
|
|
multithreaded mode.
|
|
* Provide meaningful error messages if Heimdal krb5 is used.
|
|
* Fix attribute supression in rlm_detail.
|
|
* Exit with error code if child fails to complete server
|
|
initialisation after forking. This allows init scripts to
|
|
correctly report whether the server started ok.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 21 12:06:19 UTC 2013 - vcizek@suse.com
|
|
|
|
- don't build with experimental modules
|
|
- fix packaging bugs:
|
|
* install init scripts only on <= 11.4
|
|
* install systemd unit
|
|
* add %defattr for submodules
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 15 15:15:24 UTC 2013 - vcizek@suse.com
|
|
|
|
- update to 3.0.0
|
|
* new feature release
|
|
* see /usr/share/doc/packages/freeradius-server/ChangeLog
|
|
for complete list of changes in this release
|
|
* documentation for upgrading from 2.x is in /etc/raddb/README.rst
|
|
- drop oracle support (wasn't built anyway)
|
|
- dropped patches (obsolete):
|
|
* freeradius-server-2.1.6-codecleanup.patch
|
|
* freeradius-server-2.1.6-dialup_admin.patch
|
|
* freeradius-server-2.1.1-edirectory.patch
|
|
- added systemd service unit
|
|
* radiusd.service
|
|
- added systemd-tmpfile for /var/run/radiusd
|
|
* freeradius-tmpfiles.conf
|
|
- added gpg-offline verification
|
|
* freeradius-server.keyring
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 5 17:22:43 CEST 2013 - mls@suse.de
|
|
|
|
- add libperl_requires, as we link against libperl and thus
|
|
need a specific version of perl
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 14 15:17:37 UTC 2013 - vcizek@suse.com
|
|
|
|
- fixed a bug in the logrotate script (bnc#797292)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 1 11:34:31 UTC 2012 - vcizek@suse.com
|
|
|
|
- files in sites-available/ are now %config(noreplace) [bnc#781756]
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Sep 10 14:20:57 UTC 2012 - vcizek@suse.com
|
|
|
|
- update to 2.2.0
|
|
- see /usr/share/doc/packages/freeradius-server/ChangeLog
|
|
for complete list of changes in this release
|
|
- fixes CVE-2012-3547 (bnc#777834)
|
|
- dropped freeradius-server-2.1.6-overflow.patch (upstream)
|
|
- dropped freeradius-server-sha1-default.patch (upstream)
|
|
- refreshed freeradius-server-fix-cert-bootstrap.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 28 11:47:32 UTC 2012 - vcizek@suse.com
|
|
|
|
- Use the new 'su' logrotate option (bnc#677335)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 14 21:47:20 UTC 2012 - joop.boonen@opensuse.org
|
|
|
|
- Enable the same CFLAGS as for other hardware
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 19 13:55:27 UTC 2011 - vcizek@suse.com
|
|
|
|
- update to 2.1.12
|
|
Feature improvements
|
|
* Updates to dictionary.erx, dictionary.siemens, dictionary.starent,
|
|
dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol
|
|
* Added support for PCRE from Phil Mayers
|
|
* Configurable file permission in rlm_linelog
|
|
* Added "relaxed" option to rlm_attr_filter. This copies attributes
|
|
if at least one match occurred.
|
|
* Added documentation on dynamic clients.
|
|
See raddb/modules/dynamic_clients.
|
|
* Added support for elliptical curve cryptography.
|
|
See ecdh_curve in raddb/eap.conf.
|
|
* Added support for 802.1X MIBs in checkrad
|
|
* Added support for %{rand:...}, which generates a uniformly
|
|
distributed number between 0 and the number you specify.
|
|
* Created "man" pages for all installed commands, and documented
|
|
options for all commands. Patch from John Dennis.
|
|
* Allow radsniff to decode encrypted VSAs and CoA packets.
|
|
Patch from Bjorn Mork.
|
|
* Always send Message-Authenticator in radtest. Patch from John Dennis.
|
|
radclient continues to be more flexible.
|
|
* Updated Oracle schema and queries
|
|
* Added SecurID module. See src/modules/rlm_securid/README
|
|
Bug fixes
|
|
* Fix memory leak in rlm_detail
|
|
* Fix "failed to insert event"
|
|
* Allow virtual servers to be reloaded on HUP.
|
|
It no longer complains about duplicate virtual servers.
|
|
* Fix %{string:...} expansion
|
|
* Fix "server closed socket" loop in radmin
|
|
* Set ownership of control socket when starting up
|
|
* Always allow root to connect to control socket, even if
|
|
"uid" is set. They're root. They can already do anything.
|
|
* Save all attributes in Access-Accept when proxying inner-tunnel
|
|
EAP-MSCHAPv2
|
|
* Fixes for DHCP relaying.
|
|
* Check certificate validity when using OCSP.
|
|
* Updated Oracle "configure" script
|
|
* Fixed typos in dictionary.alvarion
|
|
* WARNING on potential proxy loop.
|
|
* Be more aggressive about clearing old requests from the
|
|
internal queue
|
|
* Don't open network sockets when using -C
|
|
- freeradius-server-snprintf-overflow.patch merged in upstream
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 27 13:05:59 UTC 2011 - vcizek@suse.com
|
|
|
|
- fixed interaction with eDirectory (bnc#720620)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 24 09:18:52 UTC 2011 - puzel@novell.com
|
|
|
|
- update to 2.1.11
|
|
- see /usr/share/doc/packages/freeradius-server/ChangeLog
|
|
for complete list of changes in this release
|
|
- add freeradius-server-snprintf-overflow.patch
|
|
- use spec-cleaner
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 24 19:18:44 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
- Supress timestamps in binaries, breaks build-compare.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 4 10:54:23 UTC 2010 - puzel@novell.com
|
|
|
|
- update to 2.1.10
|
|
- see /usr/share/doc/packages/freeradius-server/ChangeLog
|
|
for complete list of changes in this release
|
|
- drop freeradius-server-2.1.6-edir-64bit.patch (fixed upstream)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 16 14:22:15 CEST 2010 - pgajdos@suse.cz
|
|
|
|
- radiusd reload after logrotate [bnc#634445]
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 21 19:24:08 UTC 2010 - puzel@novell.com
|
|
|
|
- update to 2.1.9 (bnc#615699)
|
|
- bugfix release, for list of changes please see
|
|
/usr/share/doc/packages/freeradius-server/ChangeLog
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 3 13:50:08 UTC 2010 - puzel@novell.com
|
|
|
|
- add freeradius-server-initscript-pidfile.patch
|
|
- handle /var/run on tmpfs
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Mar 21 08:43:58 UTC 2010 - puzel@novell.com
|
|
|
|
- specfile cleanup
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 11 12:44:18 UTC 2010 - puzel@novell.com
|
|
|
|
- drop freeradius-server-2.1.6-ltdl.patch - not needed anymore
|
|
- clean up specfile
|
|
- remove bind-libs, zlib-devel from BuildRequires - not needed
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 9 15:01:46 UTC 2010 - puzel@novell.com
|
|
|
|
- update to 2.1.8
|
|
- for full list of changes, please see
|
|
/usr/share/doc/packages/freeradius-server/ChangeLog
|
|
- drop freeradius-server-no-default-case.patch: fixed upstream
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 17 15:50:19 UTC 2009 - puzel@novell.com
|
|
|
|
- update to 2.1.7
|
|
- for full list of changes, please see
|
|
/usr/share/doc/packages/freeradius-server/ChangeLog
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 22 09:05:35 UTC 2009 - puzel@novell.com
|
|
|
|
- freeradius-server-no-default-case.patch (bnc#527742)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 15 09:05:18 UTC 2009 - puzel@novell.com
|
|
|
|
- freeradius-server-sha1-default.patch (bnc#546042)
|
|
- freeradius-server-fix-cert-bootstrap.patch (bnc#546041)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jun 19 10:35:46 CEST 2009 - coolo@novell.com
|
|
|
|
- disable as-needed for this package as it fails to build with it
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 2 15:50:59 CEST 2009 - puzel@suse.cz
|
|
|
|
- updated to 2.1.6
|
|
o Feature improvements
|
|
* radclient exits with 0 on successful (accept / ack), and 1
|
|
otherwise (no response / reject)
|
|
* Added support for %{sql:UPDATE ..}, and insert/delete
|
|
Patch from Arran Cudbard-Bell
|
|
* Added sample "do not respond" policy. See raddb/policy.conf
|
|
and raddb/sites-available/do_not_respond
|
|
* Cleanups to Suse spec file from Norbert Wegener
|
|
* New VSAs for Juniper from Bjorn Mork
|
|
* Include more RFC dictionaries in the default install
|
|
* More documentation for the WiMAX module
|
|
* Added "chase_referrals" and "rebind" configuration to rlm_ldap.
|
|
This helps with Active Directory. See raddb/modules/ldap
|
|
* Don't load pre/post-proxy if proxying is disabled.
|
|
* Added %{md5:...}, which returns MD5 hash in hex.
|
|
* Added configurable "retry_interval" and "poll_interval"
|
|
for "detail" listeners.
|
|
* Added "delete_mppe_keys" configuration option to rlm_wimax.
|
|
Apparently some WiMAX clients misbehave when they see those keys.
|
|
* Added experimental rlm_ruby from
|
|
http://github.com/Antti/freeradius-server/tree/master
|
|
* Add Tunnel attributes to ldap.attrmap
|
|
* Enable virtual servers to be reloaded on HUP. For now, only
|
|
the "authorize", "authenticate", etc. processing sections are
|
|
reloaded. Clients and "listen" sections are NOT reloaded.
|
|
* Updated "radwatch" script to be more robust. See scripts/radwatch
|
|
* Added certificate compatibility notes in raddb/certs/README,
|
|
for compatibility with different operating systems. (i.e. Windows)
|
|
o Bug fixes
|
|
* Minor changes to allow building without VQP.
|
|
* Minor fixes from John Center
|
|
* Fixed raddebug example
|
|
* Don't crash when deleting attributes via unlang
|
|
* Be friendlier to very fast clients
|
|
* Updated the "detail" listener so that it only polls once,
|
|
and not many times in a row, leaking memory each time...
|
|
* Update comparison for Packet-Src-IP-Address (etc.) so that
|
|
the operators other than '==' work.
|
|
* Did autoconf magic to work around weird libtool bug
|
|
* Make rlm_perl keep tags for tagged attributes in more situations
|
|
* Update UID checking for radmin
|
|
* Added "include_length" field for TTLS. It's needed for RFC
|
|
compliance, but not (apparently) for interoperability.
|
|
- FreeRADIUS 2.1.5
|
|
* Release number skipped due to procedural issues.
|
|
- FreeRADIUS 2.1.4
|
|
o Feature improvements
|
|
* Permit multiple "-e" in radmin.
|
|
* Add support for originating CoA-Request and Disconnect-Request.
|
|
See raddb/sites-available/originate-coa.
|
|
* Added "lifetime" and "max_queries" to raddb/sql.conf.
|
|
This helps address the problem of hung SQL sockets.
|
|
* Allow packets to be injected via radmin. See "inject help"
|
|
in radmin.
|
|
* Answer VMPS reconfirmation request. Patch from Hermann Lauer.
|
|
* Sample logrotate script in scripts/logrotate.freeradius
|
|
* Add configurable poll interval for "detail" listeners
|
|
* New "raddebug" command. This prints debugging information from
|
|
a running server. See "man raddebug.
|
|
* Add "require_message_authenticator" configuration to home_server
|
|
configuration. This makes the server add Message-Authenticator
|
|
to all outgoing Access-Request packets.
|
|
* Added smsotp module, as contributed by Siemens.
|
|
* Enabled the administration socket in the default install.
|
|
See raddb/sites-available/control-socket, and "man radmin"
|
|
* Handle duplicate clients, such as with replicated or
|
|
load-balanced SQL servers and "readclients = yes"
|
|
o Bug fixes
|
|
* Clean up control sockets when they are closed, so that we don't
|
|
leak memory.
|
|
* Define SUN_LEN for systems that don't have it.
|
|
* Correct some boundary conditions in the conditional checker ("if")
|
|
in "unlang". Bug noted by Arran Cudbard-Bell.
|
|
* Work around minor building issues in gmake. This should only
|
|
have affected developers.
|
|
* Change how we manage unprivileged user/group, so that we do not
|
|
create control sockets owned by root.
|
|
* Fixed more minor issues found by Coverity.
|
|
* Allow raddb/certs/bootstrap to run when there is no "make"
|
|
command installed.
|
|
* In radiusd.conf, run_dir depends on the name of the program,
|
|
and isn't hard-coded to "..../radiusd"
|
|
* Check for EOF in more places in the "detail" file reader.
|
|
* Added Freeswitch dictionary.
|
|
* Chop ethernet frames in VMPS, rather than droppping packets.
|
|
* Fix EAP-TLS bug. Patch from Arnaud Ebalard
|
|
* Don't lose string for regex-compares in the "users" file.
|
|
* Expose more functions in rlm_sql to rlm_sqlippool, which
|
|
helps on systems where RTLD_GLOBAL is off.
|
|
* Fix typos in MySQL schemas for ippools.
|
|
* Remove macro that was causing build issues on some platforms.
|
|
* Fixed issues with dead home servers. Bug noted by Chris Moules.
|
|
* Fixed "access after free" with some dynamic clients.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 26 15:58:44 CET 2009 - crrodriguez@suse.de
|
|
|
|
- do not ship static modules
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 10 10:38:27 CET 2009 - prusnak@suse.cz
|
|
|
|
- updated to 2.1.3
|
|
o Feature Improvements
|
|
* Allow running with user=radiusd and binding to secure sockets.
|
|
* Start sending Status-Server "are you alive" messages earlier,
|
|
which helps with proxying multiple realms to a home server.
|
|
* Removed thread pool code from rlm_perl. It's not necessary.
|
|
* Added example Perl configuration to raddb/modules/perl
|
|
* Force OpenSSL to support certificates with SHA256. This seems
|
|
to be necessary for WiMAX certs.
|
|
o Bug Fixes
|
|
* Fix Debian patch to allow it to build.
|
|
* Fix potential NULL dereference in debugging mode on certain
|
|
platforms for TTLS and PEAP inner tunnels.
|
|
* Fix uninitialized memory in handling of vendor definitions
|
|
* Fix parsing of quoted (but non-string) attributes in
|
|
the users< file.
|
|
* Initialize unknown NAS IP to 255.255.255.255, rather than 0.0.0.0
|
|
* use SUN_LEN in control socket, to avoid truncation on some platforms.
|
|
* Correct internal handling of debug condition to prevent it
|
|
from being over-written.
|
|
* Check return code of regcomp in unlang, so that invalid regular
|
|
expressions are caught rather than mishandled.
|
|
* Make rlm_sql use <ltdl.h>. Addresses bug #610.
|
|
* Document list "type = status" better. Closes bug #580.
|
|
* Set "default days" for certificates, because OpenSSL won't do it.
|
|
This closes bug #615.
|
|
* Reference correct list in example raddb/modules/ldap. Closes #596.
|
|
* Increase default schema size for Acct-Session-Id to 64. Closes #540.
|
|
* Fix use of temporary files in dialup-admin. Closes #605
|
|
and addresses CVE-2008-4474.
|
|
* Addressed a number of minor issues found by Coverity.
|
|
* Added DHCP option 150 to the dictionary. Closes #618.
|
|
|
|
- removed CVE-2008-4474.patch (included in update)
|
|
|
|
- fixed buffer overflow (overflow.patch)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 10 10:19:32 CET 2009 - prusnak@suse.cz
|
|
|
|
- fixed eDirectory bug on 64bit architectures (edir-64bit.patch)
|
|
[bnc#474006]
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 6 15:19:04 CET 2009 - prusnak@suse.cz
|
|
|
|
- moved manpages from section 1 to utils subpackage [bnc#469682]
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 9 16:04:22 CET 2009 - prusnak@suse.cz
|
|
|
|
- fixed bootstraping of certificates in %post [bnc#461998]
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 9 11:41:06 CEST 2008 - prusnak@suse.cz
|
|
|
|
- fixed CVE-2008-4474 [bnc#433762]
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 9 11:37:04 CEST 2008 - prusnak@suse.cz
|
|
|
|
- updated to 2.1.1
|
|
o Feature Improvements
|
|
* Many more options and features are available via radmin.
|
|
See man radmin and raddb/sites-available/control-socket.
|
|
* Many more commands available via the control socket.
|
|
Connect via radmin, and type help for more information.
|
|
* Added dictionary.networkphysics and dictionary.lancom.
|
|
* Calculate WiMAX MIP keys, and added sample WiMAX SQL tables.
|
|
o Bug Fixes
|
|
* Fixed bug that made radmin not work.
|
|
* Fixed Suse && Debian package scripts.
|
|
* Fixed issues with dynamic clients.
|
|
* Fixed configure checks for -lreadline
|
|
* rlm_sqlippool no longer needs to be linked to rlm_sql.
|
|
* Add statistics for detail file listeners. This closes bug #593.
|
|
* Fixed printing of some WiMAX attributes.
|
|
* Fixed double free on exit() in rlm_attr_filter.
|
|
* Fixed build issues on Solaris.
|
|
* Fixed fast session resumption for EAP-TLS.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 15 12:37:31 CEST 2008 - ro@suse.de
|
|
|
|
- make radrelay a hardlink to radiusday (instead of identical copy)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 9 19:49:08 CEST 2008 - prusnak@suse.cz
|
|
|
|
- updated to 2.1.0
|
|
o Feature Improvements
|
|
* Clients may now be defined dynamically, based on IP address.
|
|
See raddb/sites-available/dynamic-clients.
|
|
* SNMP support is now available through an experimental Perl script.
|
|
See scripts/snmp-proxy/README
|
|
* SNMP statistics are also available through Status-Server packets.
|
|
See raddb/sites-available/status
|
|
* Added more Microsoft attributes from bug #568.
|
|
* The linelog module has more functionality and flexibility.
|
|
See raddb/modules/linelog.
|
|
* The debugging output has been sanitized. It should be much more
|
|
readable.
|
|
* Debug logs can now be turned on/off while the server is running,
|
|
for a user, group, realm, etc. See the log section of raddb/radiusd.conf.
|
|
* Added support for WiMAX Forum attributes. The dynamic keys are
|
|
not yet calculated. See share/dictionary.wimax
|
|
* Added session resumption for PEAP and TTLS.
|
|
See raddb/eap.conf, and the cache sub-section.
|
|
* Added radmin command-line tool for administering a running server.
|
|
See man radmin and raddb/sites-available/control-socket.
|
|
o Bug Fixes
|
|
* Double escaping of '\\' in the users (and some other) files
|
|
has been fixed. If you have '\\' in the users file, your
|
|
configuration will need to be checked, and fixed!
|
|
* Parse security section of radiusd.conf. This was accidentally
|
|
deleted in 2.0.5. Closes bug #566.
|
|
* Bind to interface before IP, which allows DHCP sockets to listen
|
|
on "*" for multiple interfaces.
|
|
* Fix handling of giaddr in DHCP responses.
|
|
* Corrected parsing of status_check in home_server so that it works.
|
|
* Fix hints so that "Puser" works again.
|
|
* Removed length restrictions on attribute names in the dictionaries.
|
|
* Update socket code to avoid C compiler optimizations.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 28 01:31:33 CEST 2008 - ro@suse.de
|
|
|
|
- remove deprecated startvar from fillup_and_insserv call
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 26 12:01:12 CEST 2008 - pth@suse.de
|
|
|
|
- Fix Required-Stop in init scripts.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jul 23 11:06:13 CEST 2008 - prusnak@suse.cz
|
|
|
|
- updated to 2.0.5
|
|
Feature improvements
|
|
* Permit SQL authorize_reply_query to be empty.
|
|
* Allow setting response packet type in Post-Proxy-Type Fail
|
|
handler.
|
|
* Added install-chown target to set correct permission and ownership
|
|
make RADMIN=radmin RGROUP=radius install-chown
|
|
* Support for LDAP-Group and other dynamic comparison attributes
|
|
in unlang. Developed from a patch by Jason Alderfer.
|
|
* Added chroot support. See radiusd.conf for comments.
|
|
* Allow clients of 0/0. We do not recommend using this, though.
|
|
* Moved many module configurations into raddb/modules/*
|
|
|
|
Bug fixes
|
|
* Allow proxying to virtual servers for accounting packets, too.
|
|
* Added "num fields" function to PostgreSQL client.
|
|
* Updated proxy fallback mechanism to validate fallback servers,
|
|
and to process fallback requests in a child thread.
|
|
* rlm_realm returns "ok" for LOCAL realms, not "noop".
|
|
* Fixed some DHCP code handling. The examples should now work.
|
|
|
|
- updated to 2.0.4
|
|
Feature improvements
|
|
* Allow "virtual_server" in "realm" and "home_server" sections.
|
|
See raddb/proxy.conf and raddb/sites-available/virtual.example.com.
|
|
* Allow "passwd" module to be listed in "accounting" and "post-auth".
|
|
* Added "fallback" to "home_server_pool" configuration, to handle
|
|
the case of all home servers being dead. See raddb/proxy.conf.
|
|
* Added sample text to raddb/sites-available/inner-tunnel which
|
|
can simplify debugging of inner tunnel configurations.
|
|
* Added regular expression matching in realm names. See
|
|
raddb/proxy.conf for examples.
|
|
* Added simple DHCP server functionality. For comments, see
|
|
raddb/sites-available/dhcp.
|
|
* Added file globbing capabilities to detail file reader
|
|
* Added sample raddb/sites-available/robust-proxy-accounting
|
|
* Clients in SQL can now refer to a virtual server.
|
|
Patch from Michael Bretterklieber.
|
|
* Added some examples of creating RADIUS administrator in SQL,
|
|
and assigning appropriate access rights.
|
|
|
|
Bug fixes
|
|
* Install all files in raddb/sites-available
|
|
* Allow non-threaded builds.
|
|
* Don't treat '0x' as special for known attributes that are not
|
|
of type "octets".
|
|
* Fix log error in rlm_pap.
|
|
* Remove documentation about non-existent functionality.
|
|
* Updated warning messages in debug output.
|
|
* Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
|
|
This fix was supposed to go into 2.0.3, but did not make it.
|
|
* Fix event handling in debug mode for failed proxy requests.
|
|
* Fix memleak in fifos. Closes #537.
|
|
* Fix memleak on blocked threads. Closes #538.
|
|
* Perform additional checks on NULL realms. Closes #541.
|
|
* Fix handling of "clients" in "listen" section.
|
|
* When detail file cannot process a packet, sleep for longer
|
|
to let the rest of the server do something.
|
|
* Add missing table to raddb/sql/mssql/schema.sql. Closes #545.
|
|
* Updated rlm_sql_postgresql to build with PostgreSQL 7.x.
|
|
Closes #533.
|
|
* Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the
|
|
correct place.
|
|
* Update rlm_attr_filter for some corner cases. Closes #543.
|
|
* Fixed memory leak in libfreeradius event handler.
|
|
* In the SQL Accounting on/off queries, remove the restriction
|
|
that the session time had to be zero.
|
|
|
|
- dropped obsoleted patches
|
|
* event-fifo-threads.patch (included in update)
|
|
* raddb.patch (no longer needed)
|
|
|
|
- added logrotate to Recommends
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 13 18:25:19 CEST 2008 - prusnak@suse.cz
|
|
|
|
- fix crashes in events, fifo and threads (event-fifo-threads.patch)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 5 15:02:10 CEST 2008 - pth@suse.de
|
|
|
|
- Fix coding errors that made the package fail to build.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 19 17:23:48 CET 2008 - prusnak@suse.cz
|
|
|
|
- updated to 2.0.3
|
|
Feature improvements
|
|
* Updated raddb/certs/ca.cnf with extensions to allow ca.der
|
|
to be imported as a CA on Symbian and Windows Mobile devices.
|
|
Closes bug #524
|
|
* Enable multiple matches in "hints" via Fall-Through = Yes.
|
|
Closes bug #477
|
|
* Added preliminary SQLite driver, contibuted by Apple.
|
|
Untested, with no sample configuration. This address bug #470.
|
|
* Updated logging sub-system so that log messages from libfreeradius
|
|
can go to the log file, and not stdout.
|
|
* Added dictionary.rfc5176
|
|
* EAP module now checks for instance name, and uses that for
|
|
authentication. This avoids the need to set Auth-Type when
|
|
there are multiple instances of the EAP module.
|
|
* Added Module-Return-Code attribute, which contains the value
|
|
returned by the previous module (ok/fail/update/etc.)
|
|
Bug fixes
|
|
* Corrected typos in rlm_dbm. Closes bugs #521 and #522.
|
|
* Detail file "listen" sections now work much better.
|
|
* Don't allow old "log_*" to over-ride new format. Closes bug #525
|
|
* Initialize allocated memory in Oracle SQL driver. This fixes
|
|
occasional crashes on some systems. Closes bug #518
|
|
* Call correct function in rlm_protocol_filter. This enables the
|
|
module to build. Closes bug #512.
|
|
* Added deprecated flag to build for rlm_krb5. This allows it to
|
|
run on 64-bit systems. Closes bug #491
|
|
* Corrected error message when parsing invalid configurations
|
|
so it doesn't crash. Closes bug #527
|
|
* Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
|
|
* Handle $INCLUDE's in "instantiate" section. Closes #528.
|
|
* Format updates to "man" pages from Stephen Gran.
|
|
|
|
- updated to 2.0.2
|
|
Feature improvements
|
|
* Added notes on how to debug the server in radiusd.conf
|
|
* Moved all "log_*" in radiusd.conf to log{} section.
|
|
The old configurations are still accepted, though.
|
|
* Added ca.der target in raddb/certs/Makefile. This is
|
|
needed for importing CA certs into Windows.
|
|
* Added ability send raw attributes via "Raw-Attribute = 0x0102..."
|
|
This is available only debug builds. It can be used
|
|
to create invalid packets! Use it with care.
|
|
* Permit "unlang" policies inside of Auth-Type{} sub-sections
|
|
of the authenticate{} section. This makes some policies easier
|
|
to implement.
|
|
* "listen" sections can now have "type = proxy". This lets you
|
|
control which IP is used for sending proxied requests.
|
|
* Added note on SSL performance to raddb/certs/README
|
|
Bug fixes
|
|
* Fixed reading of "detail" files.
|
|
* Allow inner EAP tunneled sessions to be proxied.
|
|
* Corrected MySQL schemas
|
|
* syslog now works in log{} section.
|
|
* Corrected typo in raddb/certs/client.cnf
|
|
* Updated raddb/sites-available/proxy-inner-tunnel to
|
|
permit authentication to work.
|
|
* Ignore zero-length attributes in received packets.
|
|
* Correct memcpy when dealing with unknown attributes.
|
|
* Corrected debugging messages in attr_rewrite.
|
|
* Corrected generation of State attribute in EAP. This
|
|
fixes the "failed to remember handler" issues.
|
|
* Fall back to DEFAULT realm if no realm was found.
|
|
Based on a patch from Vincent Magnin.
|
|
* Updated example raddb/sites-available/proxy-inner-tunnel
|
|
* Corrected behavior of attr_filter to match documentation.
|
|
This is NOT backwards compatible with previous versions!
|
|
See "man rlm_attr_filter" for details.
|
|
|
|
- dropped patches:
|
|
* conf_read.patch (included in update)
|
|
* strncat.patch (obsoleted by update)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 29 14:33:35 CET 2008 - prusnak@suse.cz
|
|
|
|
- replace obsoleted call to conf_read with cf_file_read (conf_read.patch)
|
|
- split off -doc subpackage
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 24 16:39:37 CET 2008 - prusnak@suse.cz
|
|
|
|
- fix strncat usage (strncat.patch)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 22 16:23:12 CET 2008 - prusnak@suse.cz
|
|
|
|
- updated to 2.0.1
|
|
* improve unlang
|
|
* update acct_module
|
|
* fix parsing of syslog logging
|
|
* minor fixes over 2.0.0
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 22 13:58:25 CET 2008 - prusnak@suse.cz
|
|
|
|
- renamed to freeradius-server (to follow upstream change)
|
|
- updated to 2.0.0:
|
|
o Feature improvements
|
|
* Debugging mode is much clearer and easier to read.
|
|
* A new policy language makes many configurations trivial.
|
|
See "man unlang" for a complete description.
|
|
* Virtual servers are now supported. This permits clear separation
|
|
of policies. See raddb/sites-available/README
|
|
* EAP-TLS (PEAP, EAP-TTLS) and OpenSSL certificates "just work".
|
|
See raddb/certs/README for details.
|
|
* Proxying is much more configurable than before.
|
|
See proxy.conf for documentation on pools, and new config items.
|
|
* Full support for IPv6.
|
|
* Much more complete support for the RADIUS SNMP MIBs.
|
|
* HUP now works. Only some modules are re-loaded,
|
|
and the server configuation is *not* reloaded.
|
|
* "check config" option now works. See "man radiusd"
|
|
* radrelay functionality is now included in the server core.
|
|
See raddb/sites-available/copy-acct-to-home-server
|
|
* VMPS support. It is minimal, but functional.
|
|
* Cleaned up internal API's and names, including library names.
|
|
o Bug fixes
|
|
* Many.
|
|
- removed obsolete patch:
|
|
* type_punning.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 4 18:08:41 CET 2007 - prusnak@suse.cz
|
|
|
|
- remove openldap2 from BuildRequires
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 6 13:16:58 CET 2007 - prusnak@suse.cz
|
|
|
|
- updated to 1.1.7
|
|
Feature Improvements
|
|
* Updated LDAP documentation.
|
|
* Added note on DH parameters in eap.conf, and debugging messages
|
|
which complain if DH is used, but not configured properly.
|
|
* Updated the Mikrotik dictionary. Added a note that the sample
|
|
dictionary they supply is broken.
|
|
* Output more information on blocked threads, which should help
|
|
narrow down which modules is causing the problem.
|
|
* Added more eDirectory support.
|
|
* rlm_ldap now prints out attributes in the standard format
|
|
* Enabled server-side handling of procedures in MySQL
|
|
Bug Fixes
|
|
* Added NT-Hash support for mschap_xlat.
|
|
* Corrected documentation to point to correct location of files.
|
|
* Checks for more recent FreeBSD versions.
|
|
* uses -DLDAP_DEPRECATED to avoid OpenLDAP crashes.
|
|
* Use correct value for authentication name in rlm_mschap.
|
|
* Fix over-ride for usernames when use_tunneled_reply = yes.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Apr 20 15:10:28 CEST 2007 - pth@suse.de
|
|
|
|
- Update to 1.1.6. Changes since 1.1.3:
|
|
Feature improvements
|
|
* Added dictionary.rfc4372 (Chargeable User Identity)
|
|
* Added dictionary.rfc4675 (VLAN and Priority)
|
|
* Added dictionary.rfc4679 (ADSL Forum)
|
|
NOTE some name differences from the RFC, due to dictionary.redback
|
|
* Updated rlm_python to something usable
|
|
* Added experimental sql "HPW" IPPools.
|
|
* Added more dictionaries
|
|
* Dictionary files now MUST NOT be globally writable.
|
|
* Configuration files now MUST NOT be globally readable,
|
|
or globally writable.
|
|
* Be more aggressive about freeing memory on clean exit.
|
|
This helps track down run-time leaks.
|
|
* Updated rlm_python to something usable
|
|
* Added experimental sql "HPW" IPPools.
|
|
* Major enhancements to rlm_pap, that make "encryption_scheme"
|
|
a thing of the past. See "man rlm_pap" for details.
|
|
* Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
|
|
work-arounds that enable Windows Vista clients to work.
|
|
* Added preliminary code to support Firebird.
|
|
Use at your own risk!
|
|
* Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
|
|
platforms.
|
|
* Add a new "reply-name" directive in rlm_sqlcounter to define the
|
|
name of the reply attribute.
|
|
* Added more dictionaries and attributes
|
|
* Print ntlm_auth failure reason in Module-Failure-Message
|
|
* radsqlrelay is able to get the DB password from a file instead
|
|
of command line.
|
|
|
|
Bug fixes
|
|
* Corrected typo in rlm_pap.c
|
|
* Corrected typo in src/main/auth.c
|
|
* Suppress SSL error messages if error is zero.
|
|
* Don't complain about "Error in read client certificate A"
|
|
if we expect to read it in the next packet. Fix based on patch
|
|
by Dan Lukes.
|
|
* Corrected nearly 30 bugs found by Coverity
|
|
See also http://scan.coverity.com
|
|
* Don't die on HUP. Instead leak memory (sorry). After a few
|
|
hundred HUP's, the server will have leaked a few megabytes of
|
|
memory, and you should probably re-start it. It's ugly, but
|
|
better than dying.
|
|
* Corrected a few double free's
|
|
* Corrected typo in radrelay, which prevented it from working
|
|
* Made Firebird module build
|
|
* Fixed bug in PostgreSQL module that caused server crash.
|
|
* Fixed bug in SQL module that could cause server to crash.
|
|
* Corrected base64 decoding in rlm_pap
|
|
* Don't retransmit accounting packets. The NAS should do this.
|
|
* Handle Client-Error in EAP-SIM.
|
|
* Port OpenSSL locking fixes from CVS head. This makes PEAP
|
|
more stable on some systems.
|
|
* Require Message-Authenticator in Status-Server packets
|
|
* Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868
|
|
* Be more aggressibe about freeing memory on clean exit.
|
|
This isn't strictly a bug fix, but it makes it easier to
|
|
find memory leaks
|
|
* Increase buffer size for dynamic expansion, which allows
|
|
longer SQL qeuries.
|
|
* Use correct line number when there's a parse error in one
|
|
of the configuration sections.
|
|
* Terminate SSL sessions in EAP on error, rather than continuing
|
|
in some cases.
|
|
* Increase buffer size to allow parsing of long octet strings
|
|
* Fix string termination on xlat in rlm_perl
|
|
* Fix a parse error in the digest module, where malformed
|
|
digest requests would result in the user being accepted. Oops...
|
|
* VALUEs can only be defined for 'integer', to catch mistakes
|
|
with setting VALUEs for type 'string'.
|
|
* Better parsing of VALUE names, so that values starting with
|
|
a digit work correctly.
|
|
* Check return from malloc.
|
|
* Fix a double free() in rlm_eap_tls.c
|
|
* Check return code of malloc() during initialization.
|
|
* Fix a corner case where the proxy port isn't set either in
|
|
radiusd.conf or in proxy.conf.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Mar 26 12:45:29 CEST 2007 - rguenther@suse.de
|
|
|
|
- add gdbm-devel BuildRequires
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Feb 11 18:33:47 CET 2007 - ro@suse.de
|
|
|
|
- one oversight in last change, build tested
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Feb 11 12:00:25 CET 2007 - ro@suse.de
|
|
|
|
- fix build as non-root
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 4 11:18:59 CEST 2006 - kukuk@suse.de
|
|
|
|
- Make sure that pam_nologin.so will always be executed.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 23 20:34:55 CEST 2006 - stark@suse.de
|
|
|
|
- update to version 1.1.3
|
|
* autoconf updates
|
|
* More dictionary updates
|
|
* Security and portability fixes to rlm_otp
|
|
* Miscellaneous bug fixes
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 5 22:31:04 CEST 2006 - stark@suse.de
|
|
|
|
- update to version 1.1.2
|
|
* Allow tagged VSA's for Juniper.
|
|
* Allow Ascend "abinary" format to be specified as octets,
|
|
(e.g. Ascend-Data-Filter = 0x010203...)
|
|
* Added "cipher_list" configuration to the EAP-TLS module.
|
|
See "eap.conf" and "man 1 cipher" for details.
|
|
* Added "check_cert_issuer" configuration to the EAP-TLS module.
|
|
See "eap.conf" for details.
|
|
* Added "suppress" configuration entry to rlm_detail,
|
|
to suppress certain attributes (e.g. User-Password).
|
|
* Write SSL errors to log file, rather than stderr.
|
|
* Allow a core dump on uid change on Linux
|
|
* Bugfixes
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 24 15:58:41 CEST 2006 - schwab@suse.de
|
|
|
|
- Don't strip binaries.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 28 20:22:34 CEST 2006 - stark@suse.de
|
|
|
|
- fixed an error on x86_64 machines when reading dictionaries
|
|
(#161503)
|
|
- make "use_tunneled_reply" work properly for PEAP
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Mar 27 14:32:09 CEST 2006 - ro@suse.de
|
|
|
|
- also use fPIC on s390*
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 23 20:39:02 CET 2006 - stark@suse.de
|
|
|
|
- fixed validation issue with the EAP-MSCHAPv2 module (#160249)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 25 21:36:01 CET 2006 - mls@suse.de
|
|
|
|
- converted neededforbuild to BuildRequires
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 20 18:19:32 CET 2006 - stark@suse.de
|
|
|
|
- fixed directory permissions (#141153)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 19 01:23:36 CET 2006 - ro@suse.de
|
|
|
|
- changed php requires to generic ones (for php5)
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jan 14 16:40:53 CET 2006 - stark@suse.de
|
|
|
|
- use --with-udpfromto useful for systems with multiple addresses
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 12 22:48:30 CET 2006 - stark@suse.de
|
|
|
|
- update to version 1.1.0
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 11 16:03:44 CET 2006 - stark@suse.de
|
|
|
|
- adding stack-protector to CFLAGS
|
|
- don't package *.la files for now (#141207)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 21 10:14:01 CET 2005 - stark@suse.de
|
|
|
|
- fixed realloc() in rlm_pam
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 15 21:49:18 CET 2005 - stark@suse.de
|
|
|
|
- moved dialup_admin to subpackage and integrate it into
|
|
Apache 2 configuration
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 26 01:35:29 CEST 2005 - ro@suse.de
|
|
|
|
- added LDAP_DEPRECATED to CFLAGS
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 23 06:09:08 CEST 2005 - stark@suse.de
|
|
|
|
- update to version 1.0.5
|
|
- updated eDirectory integration documentation
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 23 01:38:53 CEST 2005 - ro@suse.de
|
|
|
|
- fix build-dir references in .la files
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 30 12:50:30 CEST 2005 - stark@suse.de
|
|
|
|
- fixed some issues from security audit (#104195)
|
|
(is already upstream for 1.0.5 release)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 15 19:34:18 CEST 2005 - stark@suse.de
|
|
|
|
- fix mysql creation script (#104752)
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 18 19:37:56 CEST 2005 - stark@suse.de
|
|
|
|
- update to version 1.0.4
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jun 5 00:36:51 CEST 2005 - stark@suse.de
|
|
|
|
- update to version 1.0.3
|
|
- link radiusd with -pie
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Apr 11 11:29:05 CEST 2005 - stark@suse.de
|
|
|
|
- start daemon correctly (#75979)
|
|
- fixed packaging on x86-64 (#75979)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 2 07:19:27 CET 2005 - stark@suse.de
|
|
|
|
- com_err.h patch not needed anymore
|
|
- modified spec-file to work with older distributions
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 18 11:05:35 CET 2005 - stark@suse.de
|
|
|
|
- enabled eDirectory support and added documentation
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 17 08:34:12 CET 2005 - stark@suse.de
|
|
|
|
- update to 1.0.2
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Nov 27 13:44:09 CET 2004 - stark@suse.de
|
|
|
|
- fixed installation of radeapclient (#48549)
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Nov 20 12:57:22 CET 2004 - stark@suse.de
|
|
|
|
- don't use heimdal for distributions newer than 9.2
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Nov 15 14:53:25 CET 2004 - kukuk@suse.de
|
|
|
|
- Use common-* PAM configuration
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Oct 23 20:53:51 CEST 2004 - stark@suse.de
|
|
|
|
- update to version 1.0.1
|
|
- moved *.la files to devel package
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Aug 28 13:33:35 CEST 2004 - stark@suse.de
|
|
|
|
- modify logrotate config (#44436)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 17 23:55:38 CEST 2004 - sndirsch@suse.de
|
|
|
|
- fixed syntax error (Typo?) in init script
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 13 07:10:34 CEST 2004 - stark@suse.de
|
|
|
|
- added some sample scripts to documentation
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 10 09:35:03 CEST 2004 - stark@suse.de
|
|
|
|
- update to 1.0.0
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 24 00:03:59 CEST 2004 - ro@suse.de
|
|
|
|
- update to 1.0.0pre3 (version set as 0.9.9)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 5 13:36:54 CET 2004 - stark@suse.de
|
|
|
|
- disabled rlm_sql_iodbc and enabled rlm_sql_unixodb
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 16 13:38:13 CET 2004 - kukuk@suse.de
|
|
|
|
- Add pam-devel to neededforbuild
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 12 10:26:25 CET 2004 - adrian@suse.de
|
|
|
|
- add %defattr
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 28 06:56:46 CET 2003 - stark@suse.de
|
|
|
|
- security update to 0.9.3
|
|
* Fix a remote DoS and possible exploit due to mis-handling
|
|
of tagged attributes, and Tunnel-Password attribute.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 16 09:02:57 CEST 2003 - stark@suse.de
|
|
|
|
- update to 0.9.2
|
|
(see /usr/share/doc/packages/freeradius/ChangeLog)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 1 16:02:14 CEST 2003 - ro@suse.de
|
|
|
|
- fix include path for com_err.h
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 31 06:18:03 CEST 2003 - stark@suse.de
|
|
|
|
- use stop/restart macros
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jul 23 10:53:20 CEST 2003 - stark@suse.de
|
|
|
|
- use special user for running radiusd
|
|
- modify default configuration to work without changes
|
|
(Auth-Type = Local)
|
|
- added README.SuSE explaining about radiusd user
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 21 08:56:54 CEST 2003 - stark@suse.de
|
|
|
|
- update to 0.9.0
|
|
- build against libiodbc to enable iodbc module
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jun 4 19:47:02 CEST 2003 - schwab@suse.de
|
|
|
|
- Add db-devel to neededforbuild.
|
|
- Don't use system libtool.
|
|
- Fix use of sort.
|
|
- Avoid running autoconf.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 15 23:46:08 CEST 2003 - ro@suse.de
|
|
|
|
- fixed neededforbuild
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Mar 3 18:20:50 CET 2003 - kukuk@suse.de
|
|
|
|
- removed %ghost stuff from filelist
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 7 13:31:05 CET 2003 - kukuk@suse.de
|
|
|
|
- Use pam_unix2.so instead of pam_unix.so
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 15 15:53:21 CET 2003 - ro@suse.de
|
|
|
|
- use sasl2
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 14 11:42:24 CET 2003 - nadvornik@suse.cz
|
|
|
|
- fixed multi-line string literals
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 12 10:28:13 CET 2002 - stark@suse.de
|
|
|
|
- update to 0.8.1
|
|
* minor bugfixes
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 2 07:20:10 CET 2002 - stark@suse.de
|
|
|
|
- removed radwatch from package
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 19 08:33:36 CET 2002 - stark@suse.de
|
|
|
|
- update to 0.8
|
|
* Support for Status-Server packets
|
|
* Fixed memory leak when proxying
|
|
* Round-robin load balancing when proxying
|
|
* Many bug fixes
|
|
* (/usr/share/doc/packages/ChangeLog)
|
|
- moved modules to /usr/lib/freeradius
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 19 00:06:38 CEST 2002 - ro@suse.de
|
|
|
|
- don't overwrite README's with each other
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 16 09:06:03 CEST 2002 - stark@suse.de
|
|
|
|
- added PreReq (Bug #17838)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 20 01:06:41 CEST 2002 - ro@suse.de
|
|
|
|
- hack ltconfig for ppc64
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Apr 8 11:11:56 CEST 2002 - stark@suse.de
|
|
|
|
- fixed packaging on 64bit platforms
|
|
- added logrotate config
|
|
- added some sample scripts to doc-dir
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 22 15:01:10 CET 2002 - stark@suse.de
|
|
|
|
- update to 0.5
|
|
* MS-CHAP and MS-CHAPv2 MPPE support,
|
|
* EAP/MD5 and experimental EAP/TLS,
|
|
* Experimental PHP web administration interface,
|
|
* Fixes for *BSD,
|
|
* Configurable database queries, executed per packet
|
|
(e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}),
|
|
* Fix logic bug which would cause occasional server crashes,
|
|
* Server-side quenching of DoS attacks,
|
|
* Experimental Python module,
|
|
* Aptis, Quintum, and Foundry dictionaries,
|
|
* Limited support for IPv6.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 25 16:19:26 CET 2002 - stark@suse.de
|
|
|
|
- moved *.la back to main-package as it is needed for
|
|
dynamic loading of modules
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 25 07:44:11 CET 2002 - stark@suse.de
|
|
|
|
- added patch to work with heimdal-krb5
|
|
- moved *.so to -devel package
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 8 14:24:51 CET 2002 - stark@suse.de
|
|
|
|
- deactivated kerberos support
|
|
(seems to be not compatible with heimdal :-()
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 7 13:27:47 CET 2002 - stark@suse.de
|
|
|
|
- changed heimdal libdir
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 13 07:33:45 CET 2001 - stark@suse.de
|
|
|
|
- update to 0.4
|
|
- better use of fillup_and_insserv
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 3 11:42:15 CET 2001 - stark@suse.de
|
|
|
|
- don't use START_RADIUSD anymore
|
|
- make use of new fillup_and_insserv macro
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 12 07:03:07 CEST 2001 - stark@suse.de
|
|
|
|
- update to version 0.3
|
|
- packed source-archive as bz2
|
|
- branched package -> devel
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 3 07:53:54 CEST 2001 - stark@suse.de
|
|
|
|
- removed use of watcher-script
|
|
- removed config-check (-C) in init script
|
|
(it's not supported in freeradius)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 2 12:22:00 CEST 2001 - stark@suse.de
|
|
|
|
- status fix in init script
|
|
- renamed pam-configfile: radius -> radiusd
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 1 09:57:53 CEST 2001 - stark@suse.de
|
|
|
|
- updated to 0.2
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 26 10:06:01 CEST 2001 - kukuk@suse.de
|
|
|
|
- Fix needed for build
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 10 15:05:52 CEST 2001 - stark@suse.de
|
|
|
|
- added %{suse_update_config}
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jun 23 20:52:07 CEST 2001 - schwab@suse.de
|
|
|
|
- Fix preprocessor directives inside macro arguments.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 18 07:58:08 CEST 2001 - stark@suse.de
|
|
|
|
- removed absolute paths from pam-config
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 23 13:32:20 CEST 2001 - stark@suse.de
|
|
|
|
- first official beta-version 0.1
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 21 13:11:34 CET 2001 - stark@suse.de
|
|
|
|
- new snapshot 20010321 (pre-BETA)
|
|
- replaced start- and killproc to avoid problems with Kernel 2.4
|
|
using the radwatch shell-script
|
|
- added built of LDAP and MySQL modules
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 29 09:58:23 CET 2001 - stark@suse.de
|
|
|
|
- %files: /etc/raddb/bay.vendor -> /etc/raddb/dictionary.bay
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 15 10:52:42 CET 2001 - stark@suse.de
|
|
|
|
- new snapshot 20010115
|
|
- initial BETA package (sources are ALPHA!)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 4 13:32:26 CET 2001 - stark@suse.de
|
|
|
|
- CVS snapshot 20010104
|
|
|