- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes
- update to 3.0.18
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes#2252.
* Add sql_session_start policy (raddb/policy.d/accounting)
This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
See raddb/mods-available/perl, and the "perl_flags" configuration item.
This change should only affect people who are using variables in
insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes#2280
* The server is better at handling fail-over for outbound RadSec and
TCP connections. Fixes#2284.
* The server is now more aggressive about retrying failed outbound
RadSec and TCP connections. Fixes#2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for Radsec connections. "%{listen:TLS-...}" for
TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes
in an "update" section.
* Move main thread queue to using atomic queues. This should help
with contention in high load scenarios.
OBS-URL: https://build.opensuse.org/request/show/679792
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=75
- update to 3.0.14 (still FATE#322416)
Feature improvements
* Enforce TLS client certificate expiration on session resumption,
and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
* Updated dictionary.cisco.vpn3000, dictionary.patton
* Added dictionary.dellemc
* Lowered the log output for failed PEAP sessions.
* ALlow utc in rlm_date.
* The internal OpenSSL session cache has been disabled.
Please see mods-available/eap
* Update detail reader documentation.
* Make outgoing RadSec connections non-blocking.
* Add SQL backing to Moonshot-*-TargetedId generation.
Bug Fixes
* radtest uses Cleartext-Password for EAP, not User-Password.
* Update documentation for mods-enabled/ linking.
* Enhanced checks for moonshot salt.
* Allow session resumption for RadSec connections.
* Update "huntgroups" file to note that port ranges are not supported
* Fix OpenSSL permissions issues on default key files.
* Certificates are not required when PSK is used.
* Allow SubjectAltName as first extension in cert.
* Fixed talloc issue with TLS session resumption.
* "&Attr-26 := 0x01" now produces useful error messages.
* Handle connection error in rlm_ldap_cacheable_groupobj.
* Fix endian issues in DHCP.
* Multiple minor fixes for Coverity complaints.
* Handle unexpected regex.
* Fix minor issues in dictionaries.
* Fix typos and grammar. Patches from Alan Buxey.
* Fix erroneous VP creation in rlm_preproces.
* Fix MIB. Patch from Jeff Gehlbach.
* Trust router updates from Alejandro Perez.
* Allow build with LibreSSL.
* Use correct packet for channel bindings.
* Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
a test license. Please see the git commit history for more info.
* Fix incorrect length check in EAP-PWD. This may be exploitable.
* Stop rotating session database files (radutmp, radwtmp) since
these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated
OBS-URL: https://build.opensuse.org/request/show/499628
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=98
- Merge changes from SLE to openSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/455207
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=64
- Merge changes from SLE to OpenSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/453646
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=89
