
- reformat changelog mostly by wrapping lines

- add missing bug numbers for security fixes

OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=113
This commit is contained in:
Adam Majer 2019-02-27 11:50:42 +00:00 committed by Git OBS Bridge
parent 35096a5f1d
commit ff04302a52
2 changed files with 95 additions and 50 deletions


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Feb 27 11:37:53 UTC 2019 - adam.majer@suse.de
- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder <michael@stroeder.com> Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder <michael@stroeder.com>
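Review bot: the new .changes entry lists only the wrapping and the added bug numbers, but the same commit also edits the spec file (copyright year 2017 to 2019, the bugs.opensuse.org link moved to https, and the License tag changed to the SPDX form "GPL-2.0-only AND LGPL-2.1-only"); add a third item such as "- use SPDX license identifiers; update copyright year and bug URL" so the changelog records everything the commit does.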
@ -6,75 +12,104 @@ Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder <michael@stroeder.com>
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section. * Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options. * Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Fix module ordering issues. e.g. when "sqlippool" needs "sql".
See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes #2252. * Add Big Switch dictionary. Fixes #2252.
* Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use Patch from Philippe Wooding (#2257). * Add sql_session_start policy (raddb/policy.d/accounting)
* For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
See raddb/mods-available/perl, and the "perl_flags" configuration item.
This change should only affect people who are using variables in
insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth". * Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes #2280 Patches from Michael Ducharme. * Add support for IPv6 attributes in SQL. Fixes #2280
* The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is better at handling fail-over for outbound RadSec and
* The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. TCP connections. Fixes #2284.
* The server is now more aggressive about retrying failed outbound
RadSec and TCP connections. Fixes #2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add expansion for Radsec connections. "%{listen:TLS-...}" for
TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module. * Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * "ipaddr" attributes can now be cast to "integer" type attributes
* Move main thread queue to using atomic queues. This should help with contention in high load scenarios. in an "update" section.
* Add "recv_buff" setting to listeners. For more details, see sites-available/default. * Move main thread queue to using atomic queues. This should help
* The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. with contention in high load scenarios.
* The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * Add "recv_buff" setting to listeners. For more details,
* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. see sites-available/default.
* The sqlippool module can now use attributes other than "Pool-Name"
to assign IP pools. The "Pool-Name" attribute is still the default.
* The "unpack" expansion can now unpack substrings.
See mods-available/unpack for documentation and examples.
* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
* Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information. * Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
* Add sanitizing of control list for moonshot. Fixes #2318. * Add sanitizing of control list for moonshot. Fixes #2318.
* Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Update rlm_sql_mysql to be compatible with MySQL 8
* Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". Fixes https://bugs.launchpad.net/bugs/1795310.
* Allow logging of only Access-Accept or Access-Reject messages
See radiusd.conf, "auth_accept" and "auth_reject".
* Removed Connect-Rate comparison. It was unused and broken. * Removed Connect-Rate comparison. It was unused and broken.
* Add dictionary.infinera. * Add dictionary.infinera.
* RPMs can now change raddb location with rpmbuild parameter --define '_sysconfdir /etc'.
* OpenDirectory module now points to Apple documentation for help with build and configuration.
* Use OpenSSL HMAC functions instead of local ones. * Use OpenSSL HMAC functions instead of local ones.
* Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Some SQL modules can now use "auto_escape" to escape unsafe strings
See mods-config/sql/main/mysql/queries.conf.
* Add wispr2date conversion in mods-available/date. * Add wispr2date conversion in mods-available/date.
* Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Implement dictionary-based handling in rlm_python.
* Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383. Patch from Nathan Ward. Fixes #2334 See mods-available/python for details.
* Updated Debian packages to allow for libssl1.1 Fixes #2384. Patch from Alejandro Perez. * Add support for SKIP LOCKED in sqlippool. This can improve performance
* Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. by an order of magnitude or more.
* Update Debian packages for newer releases Fixes #2391. Patch from Matthew Newton. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
* Allow PSK and certificates at the same time Except for TLS 1.3
which does not support that.
* Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Update docker scripts. Fixes #2306 Patch from Matthew Newton.
* Add crypt xlat. * Add crypt xlat.
* MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * MySQL connections can now skip verifying the server certificate.
Fixes #2481. See mods-available/sql.
* Add better mechanism to detect MariaDB (Old MySQL). * Add better mechanism to detect MariaDB (Old MySQL).
* Add RFC 7532 "bang path" support for realms Fixes #2492. * Add RFC 7532 "bang path" support for realms Fixes #2492.
* Update dictionary.ukerna documentation. Fixes #2493. * Update dictionary.ukerna documentation. Fixes #2493.
* Add support for systemd service and watchdogs Fixes #2499. * Add support for systemd service and watchdogs Fixes #2499.
* Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * Check for openss/rand.h, and allow building without OpenSSL engine.
* The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". Patch from Eneas U de Queiroz Fixes #2517.
* The default PosgtreSQL queries now use "ON CONFLICT" to better
deal with issues. This requires PostgreSQL 9.5 or later.
Please use a recent version of PostgreSQL, or edit the default
queries to remove "ON CONFLICT".
BUG FIXES BUG FIXES
* The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * The session-state list is no longer cleaned in the inner-tunnel.
This lets the outer Access-Reject section access session-state.
* Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
* Add check for crash when home server down Fixes #2233. * Add check for crash when home server down Fixes #2233.
* Add username key for postauth table. * Add username key for postauth table.
* Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
* Allow building with old versions of OpenSSL Fixes #2247. * Allow building with old versions of OpenSSL Fixes #2247.
* Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Allow non-FreeRADIUS State attributes to be used with the
"session-state" list. i.e. State length != 16.
* Be more aggressive about cleaning up zombie children when running in debug mode. * Be more aggressive about cleaning up zombie children when running in debug mode.
* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
exporting LDAP API functions.
* unlock files when asked to unlock them. * unlock files when asked to unlock them.
* return error instead of asserting in map code. * return error instead of asserting in map code.
* Don't write 0 bytes to SSL. Fixes #2270. * Don't write 0 bytes to SSL. Fixes #2270.
* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
* Various dictionary cleanups and consistency checks Fixes #2281. Patches from Peter Lemenkov. * Various dictionary cleanups and consistency checks Fixes #2281.
* rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * rlm_python has stronger thread locking to prevent reported issues.
Performance may be affected.
* Don't allow Message-Authenticator to overflow past the end of a large packet. * Don't allow Message-Authenticator to overflow past the end of a large packet.
* Fix crash in sqlippool when SQL server goes away Fixes #2300. * Fix crash in sqlippool when SQL server goes away Fixes #2300.
* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
* Check for correct OpenSSL version in vulnerability list. Patch from Christian Hesse.
* Fix crash with CoA packets/ Fixes #2304. * Fix crash with CoA packets/ Fixes #2304.
* Fix crash in rlm_exec with CoA. Fixes #2328. * Fix crash in rlm_exec with CoA. Fixes #2328.
* Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Print errors while parsing the log config, and don't quit when
* Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. deprecated log settings are found.
* Fix DHCP encoder xlat so that it can be used with a list of attributes.
It previously only encoded the first member of the list,
and now encodes all members.
* The "expr" module now skips more whitespace. * The "expr" module now skips more whitespace.
* Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Remove internal FreeRADIUS-Response-Delay attributes from
attr_filter Access-Reject.
* Don't send junk to redis when maximum args reached. * Don't send junk to redis when maximum args reached.
* Small updates to IPv6 for accounting schema Fixes #2364. * Small updates to IPv6 for accounting schema Fixes #2364.
* Fix OpenDirectory integration in rlm_mschap. * Fix OpenDirectory integration in rlm_mschap.
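Review bot: the wrapped right-hand text drops more than line breaks. The contributor credits "Patch from Philippe Wooding" (#2257), "Patches from Michael Ducharme" (#2280), "Patch from Nathan Ward" (#2383) and "Patches from Peter Lemenkov" (#2281) are present on the left but absent on the right, as are the two Debian packaging entries "Updated Debian packages to allow for libssl1.1 Fixes #2384" and "Update Debian packages for newer releases Fixes #2391"; the RPM "--define '_sysconfdir /etc'" entry, the OpenDirectory documentation entry and "Check for correct OpenSSL version in vulnerability list. Patch from Christian Hesse." appear only once instead of on both sides. If leaving out Debian-only notes is intended, say so in the commit message; otherwise restore the dropped lines, since the message promises only re-wrapping and bug numbers.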
@ -83,7 +118,8 @@ BUG FIXES
* Fix memory leak in EAP-PWD. * Fix memory leak in EAP-PWD.
* Fix crash in "hints" file with Fall-Through = yes. * Fix crash in "hints" file with Fall-Through = yes.
* Fix crash / timer issues with many CoA packets. * Fix crash / timer issues with many CoA packets.
* Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix attr_filter so that it does not treat vendor attributes of
number 26 as Vendor-Specific.
* Fix reconnect correctly in rlm_sql_mysql. * Fix reconnect correctly in rlm_sql_mysql.
* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
* Fix rare occurance of bad xlat expansion. * Fix rare occurance of bad xlat expansion.
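Review bot: "occurance" in the last line of this hunk is carried over unchanged; since the line is being touched anyway, correct it to "occurrence".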
@ -101,25 +137,32 @@ Tue Apr 17 22:00:15 UTC 2018 - michael@stroeder.com
Feature Improvements Feature Improvements
* Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
* "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * "stats home server" now supports "src IPADDR", to specify home
server also by source IP. Fixes #2169.
* Add Dockerfiles for a selection of common systems. * Add Dockerfiles for a selection of common systems.
* Increase number of permitted file descriptors, for systems with many home servers. * Increase number of permitted file descriptors, for systems with many
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. home servers.
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
Patch from Isaac Boukris. Fixes #2205.
* Update main READMEs. Patches from Matthew Newton. * Update main READMEs. Patches from Matthew Newton.
* Added dictionary.mimosa. * Added dictionary.mimosa.
Bug Fixes Bug Fixes
* Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Don't call post-proxy twice when proxying to a virtual server.
* Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. Matthew Newton, #2161.
* Use "raw" string value for shared secrets and dynamic clients
It now parses strings with backslashes and "special characters"
correctly. Fixes #2168.
* Fix RuntimeDirectory for RedHat, from Alan Buxey. * Fix RuntimeDirectory for RedHat, from Alan Buxey.
* Relax checks in 'if' parser from Isaac Bourkis. * Relax checks in 'if' parser from Isaac Bourkis.
* Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
* Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more aggressive about cleaning up cached certificate attributes,
due to deficiencies in OpenSSL. Reported by Nicolas Reich.
* Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
* Fix double free in rlm_sql. Fixes #2180. * Fix double free in rlm_sql. Fixes #2180.
* rlm_detail now writes empty Access-Accept packets. * rlm_detail now writes empty Access-Accept packets.
* rlm_python can now create tagged attributes. * rlm_python can now create tagged attributes.
* Don't crash on duplicate realm + authhost / accthost Bug found by Richard Palmer. * Don't crash on duplicate realm + authhost / accthost
* Allow partial certificate chain to trusted CA. Fixes #2162. * Allow partial certificate chain to trusted CA. Fixes #2162.
* Treat SSL_read() returning zero as error. Fixes #2164. * Treat SSL_read() returning zero as error. Fixes #2164.
* detail writer now checks if the file was renamed or deleted. * detail writer now checks if the file was renamed or deleted.
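Review bot: the credit "Bug found by Richard Palmer." on the "Don't crash on duplicate realm + authhost / accthost" entry is present on the left but missing from the wrapped right-hand text; restore it. In the same hunk the contributor name is spelled "Isaac Bourkis" on the "Relax checks in 'if' parser" line and "Isaac Boukris" on the following line, so one of the two is a typo worth fixing while the block is being rewrapped.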
@ -127,12 +170,14 @@ Bug Fixes
* RedHat Systemd updates. Fixes #2184. * RedHat Systemd updates. Fixes #2184.
* Use correct API for State variable in rlm_securid. * Use correct API for State variable in rlm_securid.
* Remove broken radclient option "-i". * Remove broken radclient option "-i".
* Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix "users" file (and hints, etc). So that it does not get confused
about entry ordering with multiple $INCLUDEs.
* Fix rlm_sql to expand the un-escaped string, not the raw string. * Fix rlm_sql to expand the un-escaped string, not the raw string.
* Link default and inner-tunnel only if they exist. Fixes #2206. * Link default and inner-tunnel only if they exist. Fixes #2206.
* Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
* Always install signal handler for SIGINT (needed by Docker). * Always install signal handler for SIGINT (needed by Docker).
* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
which are not self-signed will now be checked.
* sqlippool now returns "fail" if it fails IP allocation. * sqlippool now returns "fail" if it fails IP allocation.
* Fix rlm_yubikey to look for correct attribute in replay attack check. * Fix rlm_yubikey to look for correct attribute in replay attack check.
@ -206,7 +251,7 @@ Bug fixes
* Fix memory allocation in rlm_rest. Fixes #2051. * Fix memory allocation in rlm_rest. Fixes #2051.
* Update trustrouter for new API. Fixes #2059. * Update trustrouter for new API. Fixes #2059.
* Fix SQLite issues on FreeBSD. Fixes #2060 * Fix SQLite issues on FreeBSD. Fixes #2060
* Don't do debug logging of bad passwords. Fixes #2064. * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802)
* More graceful handling of "die" in rlm_perl. Fixes #2073. * More graceful handling of "die" in rlm_perl. Fixes #2073.
* Fix occasional crash when using * Fix occasional crash when using
cisco_accounting_username_bug = yes cisco_accounting_username_bug = yes
@ -240,7 +285,7 @@ Fri Aug 25 11:32:56 UTC 2017 - varkoly@suse.com
Mon Jul 17 13:46:41 UTC 2017 - michael@stroeder.com Mon Jul 17 13:46:41 UTC 2017 - michael@stroeder.com
- update to 3.0.15 with security fixes for - update to 3.0.15 with security fixes for
issues found via fuzzing by Guido Vranken issues found via fuzzing by Guido Vranken (bsc#1049086)
https://freeradius.org/security/fuzzer-2017.html https://freeradius.org/security/fuzzer-2017.html
* CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
* CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63


@ -1,7 +1,7 @@
# #
# spec file for package freeradius-server # spec file for package freeradius-server
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
@ -47,7 +47,7 @@ Release: 0
%endif %endif
Summary: RADIUS Server Summary: RADIUS Server
License: GPL-2.0 and LGPL-2.1 License: GPL-2.0-only AND LGPL-2.1-only
Group: Productivity/Networking/Radius/Servers Group: Productivity/Networking/Radius/Servers
Url: http://www.freeradius.org/ Url: http://www.freeradius.org/
Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2 Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2
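Review bot: the Url: tag still points at http://www.freeradius.org/ even though the bugs.opensuse.org link in the hunk above was switched to https in this same commit; switch the project URL to https as well for consistency, and consider whether the ftp:// Source: URL should get the same treatment.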