- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes
- update to 3.0.18
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes#2252.
* Add sql_session_start policy (raddb/policy.d/accounting)
This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
See raddb/mods-available/perl, and the "perl_flags" configuration item.
This change should only affect people who are using variables in
insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes#2280
* The server is better at handling fail-over for outbound RadSec and
TCP connections. Fixes#2284.
* The server is now more aggressive about retrying failed outbound
RadSec and TCP connections. Fixes#2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for Radsec connections. "%{listen:TLS-...}" for
TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes
in an "update" section.
* Move main thread queue to using atomic queues. This should help
with contention in high load scenarios.
OBS-URL: https://build.opensuse.org/request/show/679792
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=75
- update to 3.0.14 (still FATE#322416)
Feature improvements
* Enforce TLS client certificate expiration on session resumption,
and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
* Updated dictionary.cisco.vpn3000, dictionary.patton
* Added dictionary.dellemc
* Lowered the log output for failed PEAP sessions.
* ALlow utc in rlm_date.
* The internal OpenSSL session cache has been disabled.
Please see mods-available/eap
* Update detail reader documentation.
* Make outgoing RadSec connections non-blocking.
* Add SQL backing to Moonshot-*-TargetedId generation.
Bug Fixes
* radtest uses Cleartext-Password for EAP, not User-Password.
* Update documentation for mods-enabled/ linking.
* Enhanced checks for moonshot salt.
* Allow session resumption for RadSec connections.
* Update "huntgroups" file to note that port ranges are not supported
* Fix OpenSSL permissions issues on default key files.
* Certificates are not required when PSK is used.
* Allow SubjectAltName as first extension in cert.
* Fixed talloc issue with TLS session resumption.
* "&Attr-26 := 0x01" now produces useful error messages.
* Handle connection error in rlm_ldap_cacheable_groupobj.
* Fix endian issues in DHCP.
* Multiple minor fixes for Coverity complaints.
* Handle unexpected regex.
* Fix minor issues in dictionaries.
* Fix typos and grammar. Patches from Alan Buxey.
* Fix erroneous VP creation in rlm_preproces.
* Fix MIB. Patch from Jeff Gehlbach.
* Trust router updates from Alejandro Perez.
* Allow build with LibreSSL.
* Use correct packet for channel bindings.
* Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
a test license. Please see the git commit history for more info.
* Fix incorrect length check in EAP-PWD. This may be exploitable.
* Stop rotating session database files (radutmp, radwtmp) since
these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated
OBS-URL: https://build.opensuse.org/request/show/499628
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=98
- Merge changes from SLE to openSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/455207
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=64
- Merge changes from SLE to OpenSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc
- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast
OBS-URL: https://build.opensuse.org/request/show/453646
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=89
- minor adjustments/cleanup of spec and changes
- update to 3.0.8
* for a detailed list of changes look at:
/usr/share/doc/packages/freeradius-server/ChangeLog
- new set of consolidated patch files:
deleted:
* freeradius-server-2.1.1-logrotate_su.patch
* freeradius-server-2.1.6-rcradiusd.patch
* freeradius-server-initscript-pidfile.patch
* freeradius-server-radius-reload-logrotate.patch
* freeradius-server-var_run.patch
added:
* freeradius-server-radiusd-logrotate.patch
* freeradius-server-rcradiusd.patch
* freeradius-server-tmpfiles.patch
OBS-URL: https://build.opensuse.org/request/show/298810
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=72
- Do not disable as-needed build
- Remove the with_sysconfig switch and just stick with versions
- update to 3.0.6
- fixes a segmentation fault in PEAP module (bnc#912588)
Feature improvements:
* radmin / raddebug conditional errors are printed to the output, instead of being discarded.
* raddebug will exit if condition set with -c was invalid.
* radmin auto-reconnects if the connection to the server has gone away.
* rlm_cache now has submodule support. See raddb/mods-available/cache
* New memcached driver for rlm_cache. See raddb/mods-available/cache
* Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
* Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
* Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
* When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
* Support JIT compilation of compiled regular expressions when built with libpcre.
* Support named capture groups with "%{regex:<name>}" when built with libpcre.
* Increase regular expression capture groups from 8 to 32.
* Emit error markers for badly formed regular expressions.
* Allow 'm' flag to enable multiline mode in regular expressions.
* Support limited implicit attribute conversion in update sections.
* Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
OBS-URL: https://build.opensuse.org/request/show/281294
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freeradius-server?expand=0&rev=55
- update to 3.0.6
- fixes a segmentation fault in PEAP module (bnc#912588)
Feature improvements:
* radmin / raddebug conditional errors are printed to the output, instead of being discarded.
* raddebug will exit if condition set with -c was invalid.
* radmin auto-reconnects if the connection to the server has gone away.
* rlm_cache now has submodule support. See raddb/mods-available/cache
* New memcached driver for rlm_cache. See raddb/mods-available/cache
* Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
* Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
* Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
* When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
* Support JIT compilation of compiled regular expressions when built with libpcre.
* Support named capture groups with "%{regex:<name>}" when built with libpcre.
* Increase regular expression capture groups from 8 to 32.
* Emit error markers for badly formed regular expressions.
* Allow 'm' flag to enable multiline mode in regular expressions.
* Support limited implicit attribute conversion in update sections.
* Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
OBS-URL: https://build.opensuse.org/request/show/280999
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=68
- update to 3.0.5
Some of the new features:
* Allow LDAP to specify arbitrary attributes for dynamic
clients.
* Allow one level of backslashes (finally). See radiusd.conf,
"correct_escapes" setting.
* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
in EAP methods.
* Allow multiple new connections to be spawned simultaneously
in the connection pool, to cope with spikes in traffic.
* Use kqueue on systems which support it. This allows for
better scaling when using many sockets.
* Home server "response_window" can now take fractions of a
second. See proxy.conf.
* radmin now supports "show module status", as thee counterpart
to "set module status"
* "ipaddr" will now use v6 if no v4 address is present. You should
use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
* "client" sections will allow "ipaddr = 192.192.0/24". The old
"netmask" is still accepted, but the new format is preferred.
* Allow custom HTTP headers to be set for rlm_rest requests using
control:REST-HTTP-Header (attributes consumed after use).
* Extend format of %{rest:} expansion to allow HTTP method and POST
data to be specified
and urlquoting.
* Add support for aliases in rlm_ldap.
* Add support for connection pool sharing to all modules that use
the connection pool (pool = <instance>).
* "tls" sections now have a "psk_query" configuration item, for dynamic
queries to discover a key from a PSK identity.
OBS-URL: https://build.opensuse.org/request/show/264534
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=65
