From 44d1db1d6ed9843e48ec2e0c375d661e5d5ee9f1915cfb0eb1470cab3bf503bf Mon Sep 17 00:00:00 2001 
From: Adam Majer Date: Tue, 30 May 2017 09:15:48 +0000 Subject: [PATCH] Accepting request 499628 from home:adamm:branches:network - update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. 
- freeradius-server-radiusd-logrotate.patch: updated OBS-URL: https://build.opensuse.org/request/show/499628 OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=98
---
 freeradius-server-3.0.13.tar.bz2 | 3 --
 freeradius-server-3.0.13.tar.bz2.sig | Bin 543 -> 0 bytes
 freeradius-server-3.0.14.tar.bz2 | 3 ++
 freeradius-server-3.0.14.tar.bz2.sig | Bin 0 -> 543 bytes
 freeradius-server-radiusd-logrotate.patch | 20 ++++-----
 freeradius-server.changes | 48 ++++++++++++++++++++++
 freeradius-server.spec | 5 ++-
 7 files changed, 62 insertions(+), 17 deletions(-)
 delete mode 100644 freeradius-server-3.0.13.tar.bz2
 delete mode 100644 freeradius-server-3.0.13.tar.bz2.sig
 create mode 100644 freeradius-server-3.0.14.tar.bz2
 create mode 100644 freeradius-server-3.0.14.tar.bz2.sig
diff --git a/freeradius-server-3.0.13.tar.bz2 b/freeradius-server-3.0.13.tar.bz2
deleted file mode 100644
index c31d9b1..0000000
--- a/freeradius-server-3.0.13.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b3be0d8849878c31af0a5375d20b7b20c9d1c1572e89dc3f22992824cefffb84
-size 3031744
diff --git a/freeradius-server-3.0.13.tar.bz2.sig b/freeradius-server-3.0.13.tar.bz2.sig deleted file mode 100644 index ef87f53bf3b0c3f9059affb445056a22fd29a6414dfd0a8cac0cf10062355efc..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p-*Tr9%J;2@oLTd?lG%PlcVW5C3uyPqujALaCpZfM_gZ z4#dQTjN6wRCZ#^sQDbLfwugTZ(*>wFE??LDr!cY2xcLzh*7HS+b%Tk0uGjI!P63B6%hHH?i_yYB0FZKQ! z{~U0)z=cAN|WldW<*rzNe@X=zOq`I%pGkRIkOVnvm!ARo&&Pcn{GX4D z0SGhSl%O!bj%nQU=UME)lv_J-7Hnc?k2@!s4nsj~e)F09U&2itfn3*E{w;1XCg;6v z7N&r*4=h|w-lk>k!{kkzhe`sOD>c5;dPJ0HZzxNe!1jB!L( zJ32I#T#oA64iD8#oqsO*hCk14_#U(0 z!VwjvlhZ{y8lGKZp6!Lhbz3`k*e+*k*MpLbes;#WLoLj9i*iT1ZSGoGX zb}JDaqj63F0dba$|Evo#G7?L>cc!>EEasQxSJ0XIw$3jmRPFl6 zNbCm(5$+EPXq28#vTfcg4md}Zx2wb;@|1tAV}{Xeh`*OKbsx@leYD2*XQdtMf+3EJ zV+vEa%Brr5as}oKV50VD3gVbu6c968Fb4mDIZ00!i`~nYg1(KrK(*0?_1^ZNbg-+i z%LWmk|6gQ_e<|#Yh}0^~fh2iaS?dghnh~-!%ZJkdU)pGSc=Mw1w~gTyey3dIHdr^D zd&saLX7^=62a;Z6@FET@6CxdMo9iW><4>SZKP^TTxkWilJik9n@X>smb@fJix92ww zFYRS06x>0Am%g~W%GE{&dxj?$-B&*tb+;O8_W>PRELq-J1fYp{xeyIu9;DwU*+y*6 h)IVsTPVhA1N;uwmzAhNjTvk`-z(^s9;#-Nsho(*%1X%z8 literal 0 HcmV?d00001 diff --git a/freeradius-server-radiusd-logrotate.patch b/freeradius-server-radiusd-logrotate.patch index 130d8d2..1b20e40 100644 --- a/freeradius-server-radiusd-logrotate.patch +++ b/freeradius-server-radiusd-logrotate.patch @@ -1,6 +1,8 @@ ---- freeradius-server-3.0.8.orig/suse/radiusd-logrotate 2015-04-22 19:21:34.000000000 +0200 -+++ freeradius-server-3.0.8.suse/suse/radiusd-logrotate 2015-04-23 10:15:52.847179845 +0200 -@@ -16,13 +16,18 @@ +Index: freeradius-server-3.0.14/suse/radiusd-logrotate +=================================================================== +--- freeradius-server-3.0.14.orig/suse/radiusd-logrotate ++++ freeradius-server-3.0.14/suse/radiusd-logrotate +@@ -16,13 +16,18 @@ notifempty # The main server log # /var/log/radius/radius.log { 
@@ -19,15 +21,7 @@ nocreate size=+1024k } -@@ -31,6 +36,7 @@ - # Session database modules - # - /var/log/radius/radutmp /var/log/radius/radwtmp { -+ su radiusd radiusd - nocreate - size=+2048k - } -@@ -39,6 +45,7 @@ +@@ -31,6 +36,7 @@ notifempty # SQL log files # /var/log/radius/sqllog.sql { @@ -35,7 +29,7 @@ nocreate size=+2048k } -@@ -51,6 +58,7 @@ +@@ -43,6 +49,7 @@ notifempty # second technique, you will need another cron job that removes old # detail files. You do not need to comment out the below for method #2. /var/log/radius/radacct/*/detail { diff --git a/freeradius-server.changes b/freeradius-server.changes index 52bcad9..85e7f21 100644 --- a/freeradius-server.changes +++ b/freeradius-server.changes 
@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Mon May 29 12:40:52 UTC 2017 - adam.majer@suse.de
+
+- update to 3.0.14 (still FATE#322416)
+
+ Feature improvements
+ * Enforce TLS client certificate expiration on session resumption,
+ and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
+ * Updated dictionary.cisco.vpn3000, dictionary.patton
+ * Added dictionary.dellemc
+ * Lowered the log output for failed PEAP sessions.
+ * ALlow utc in rlm_date.
+ * The internal OpenSSL session cache has been disabled.
+ Please see mods-available/eap
+ * Update detail reader documentation.
+ * Make outgoing RadSec connections non-blocking.
+ * Add SQL backing to Moonshot-*-TargetedId generation.
+
+ Bug Fixes
+ * radtest uses Cleartext-Password for EAP, not User-Password.
+ * Update documentation for mods-enabled/ linking.
+ * Enhanced checks for moonshot salt.
+ * Allow session resumption for RadSec connections.
+ * Update "huntgroups" file to note that port ranges are not supported
+ * Fix OpenSSL permissions issues on default key files.
+ * Certificates are not required when PSK is used.
+ * Allow SubjectAltName as first extension in cert.
+ * Fixed talloc issue with TLS session resumption.
+ * "&Attr-26 := 0x01" now produces useful error messages.
+ * Handle connection error in rlm_ldap_cacheable_groupobj.
+ * Fix endian issues in DHCP.
+ * Multiple minor fixes for Coverity complaints.
+ * Handle unexpected regex.
+ * Fix minor issues in dictionaries.
+ * Fix typos and grammar. Patches from Alan Buxey.
+ * Fix erroneous VP creation in rlm_preproces.
+ * Fix MIB. Patch from Jeff Gehlbach.
+ * Trust router updates from Alejandro Perez.
+ * Allow build with LibreSSL.
+ * Use correct packet for channel bindings.
+ * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
+ a test license. Please see the git commit history for more info.
+ * Fix incorrect length check in EAP-PWD. This may be exploitable.
+ * Stop rotating session database files (radutmp, radwtmp) since
+ these are not logfiles.
+
+- freeradius-server-radiusd-logrotate.patch: updated
+
 -------------------------------------------------------------------
 Mon Mar 6 23:07:21 UTC 2017 - michael@stroeder.com
diff --git a/freeradius-server.spec b/freeradius-server.spec
index 5178397..87ad884 100644
--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@@ -20,7 +20,7 @@
 %define apxs2 apxs2-prefork
 %define apache2_sysconfdir %(%{_sbindir}/%{apxs2} -q SYSCONFDIR)
 Name: freeradius-server
-Version: 3.0.13
+Version: 3.0.14
 Release: 0
 %if 0%{?suse_version} > 1140
@@ -431,6 +431,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/files
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/files/*
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/preprocess
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/moonshot-targeted-ids/*
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/preprocess/*
 %dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/python/radiusd.py
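Review bot: The added `%dir` entry in the `-431,6 +431,8` hunk hard-codes `/etc/raddb/mods-config/sql/moonshot-targeted-ids`, while every neighbouring entry, including the glob added one line above it, uses `%{_sysconfdir}`. Writing it as `%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/moonshot-targeted-ids` keeps the directory's owner and mode attached to the right path if the macro ever differs from `/etc`. The two new lines also sit between the `preprocess` directory and its `preprocess/*` contents and list the glob before its `%dir`; placing them after the `preprocess/*` line, `%dir` first, would match the surrounding pattern. If the new directory holds subdirectories rather than plain files (not visible in this hunk), the `%attr(640,root,radiusd)` glob would presumably apply mode 640 to those directories as well and drop the search bit for the radiusd group, so the installed tree is worth checking.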
@@ -515,6 +517,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/logintime
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mac2ip
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mac2vlan
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/moonshot-targeted-ids
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mschap
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/ntlm_auth
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/opendirectory