Revisions of freeradius-server

Gustavo Yokoyama Ribeiro (gyribeiro) committed (revision 2)
Fix bug number references (especially the CVE number). No other changes from the previous sr.

- update to 3.0.21 (jsc#SLE-11896)
Feature Improvements
  * New stored procedure for allocating IPs with PostgreSQL.
    Rates of 1500 IPs per second are now possible.
    See raddb/mods-config/sql/ippool/postgresql/procedure.sql
  * Add SQL IP pool support for Microsoft SQL Server
    See raddb/mods-config/sql/ippool/mssql/
  * Added RCNTEC dictionary. Closes #3168.
  * Added Pica8 dictionary. Closes #3179.
  * Add TLS-Client-Cert-Valid-Since attribute holding the
    notBefore date. Patch from Boris Lytochkin. Fixes #3157.
  * Generate attributes containing unknown OIDs. See raddb/sites-available/tls
  * Update the WiMAX dictionary.
  * Added ability for rlm_python (Python2) to show a stacktrace
    from errors. #2979.
  * Add WiFi Alliance Policy OIDs.
    See raddb/certs/xpextensions
  * radmin now shows CoA stats, too.
  * Sample schema extensions for summarizing data in SQL
    See mods-config/sql/main/*/process-radacct.sql
  * Update dictionary.aerohive, dictionary.fortinet,
    dictionary.arista and dictionary.erx.
  * Added VAS Experts dictionary.
  * Many updates to RPM and jenkins builds from Matthew Newton.
  * Added %C (time now in seconds) and %c (microsecond component of now)
    back-ported from the "master" branch.
  * Add reload capability to systemd unit file in Debian and RedHat.
  * Increase timestamp precision in postauth to maximum supported by each
    database and simplify (and make more consistent between drivers)
    the timestamps in SQL queries by using expansions.
  * Option to set dictionary path in raduat script.
Bug Fixes
  * Various fixes found by PVS-Studio.
  * Set permissions of certificates in bootstrap shell script. Fixes #3132.
  * Increase the 'nasportid' SQL field to 'varchar(32)'. #3141.
  * Skip processing proxy reply if there are no home servers available.
  * Update SQLite IPPool queries. Fixes #3177.
  * rlm_sql_unixodbc fixes. Fixes #2822.
  * Fixes when building with LibreSSL.
  * Fix the rlm_python3 build. Note that this module is experimental. #3183.
  * rlm_python now appends the 'python_path' paths to 'sys.path',
    so that existing Python modules can be used as expected.
    Fixes #3180.
  * Fix rlm_python to print the script errors properly.
  * Bound total query time for PostgreSQL. Fixes #3253.
  * Many fixes to Oracle sqlippool. It now does 500 IPs per second
    without any tuning. Fixes #3270.
  * Reference sqlippool by its correct name. Fixes #3272.
  * Revert 3.0.20 patch which caused crashes on duplicate clients.
  * Update WiMAX-MSK attribute. Fixes #3280.
  * Fix crash when trying to access a non-existent regex capture group.
  * Use timestamps (request or server) rather than SQL NOW()
    in accounting queries so that these are stable when replayed
    from a file buffer.
- freeradius-python3_patches.patch: upstreamed

- update to 3.0.20 (bsc#1146848)
Feature Improvements
  * Added Force10 dictionary.
  * Update dictionary.hp with new attributes. #2690.
  * Update dictionary.aruba with new attributes. #2696.
  * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
  * Relax OpenSSL version checks, now that their API is both public, and stable.
  * Note that tls_min_version/tls_max_version also support "1.3".
    Since there is no standard yet for EAP with TLS 1.3, it will not work.
  * Added tripplite dictionary from #2760.
  * Switch to the async interface for rlm_sql_postgresql so that
    we can enforce query_timeout.
  * Added new LDAP option 'allow_dangling_group_ref'.
  * Updated documentation and functionality for EAP session caching
    See "cache" section of mods-available/eap.
  * Tighten systemd unit file security. Fixes #2637.
  * Disable TLS 1.0 and TLS 1.1 support in the default configuration.
    We STRONGLY recommend doing this for all installations.
  * Add expansions for *outgoing* Radsec connections
    "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
    TLS-Cert-* attributes. Fixes #2839.
  * Add %{listen:tls} which returns "yes" or "no" for
    TLS or non-TLS connections.
  * Update dictionary.lancom with new attributes. #2847.
  * Added rlm_sql_mongo. See raddb/mods-available/sql.
    Note that this module is experimental.
  * Added more documentation in sites-available/robust-proxy-accounting.
  * sqlippool now re-allocates unexpired leases, to prevent IP pool
    exhaustion when clients perform multiple reauthentication attempts.
  * Add support for radmin to keep its history in ~/.radmin_history.
  * Add support for ENV and LD_PRELOAD in radiusd.conf.
    See the new ENV sub-section of radiusd.conf.
  * Update dictionary.aptilo. #3002.
  * Update dictionary.airespace. #3039.
  * Add sites-available/coa-relay, which makes CoA easier #3045.
  * Add example stored procedure for IP Pools in MySQL
    See mods-config/sql/ippool/mysql/procedure.sql
  * Update dictionary.dhcp dictionary with the recent hardware types.
  * Add experimental rlm_python3. This should largely work
    the same as rlm_python, which was Python2 only.
  * Add Dockerfiles for Debian10 and CentOS8.
  * Add RPM spec file compatibility for RHEL/CentOS 8.
  * Notes on certificate constraints. See raddb/certs/server.cnf.
  * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
Bug Fixes
  * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627.
  * ERX-Acct-Request-Reason is "integer". Closes #2635.
  * Fix a slow memory leak in the file management code.
  * Try to fix file permissions if they get modified while
    the server is running.
  * Fix slow memory leak with clients.
  * Fix request and connection timeouts in rlm_rest.
  * Fix systemd issues.
  * Fixes from clang analyzer.
  * Fix missing include for the dictionaries:
    alcatel.esam, altiga, alvarion.wimax.v2_2, aptis, asn,
    audiocodes, avaya, bristol, columbia_university, freedhcp, garderos,
    infoblox, motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
  * Fix internal sanity check when running with "-Xx".
  * Allow "inner-tunnel" virtual servers to work better
    with "accept" and "reject" policies.
  * Fix dictionary.huawei data types for
    Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
  * Framed-Interface-ID in postgresql/queries.conf is string,
    not inet. Fixes #2817.
  * Fix rlm_cache to complain on unknown attributes in the "update"
    section of its configuration.
  * Add configure checks for -latomic. This helps on armel,
    mips and mipsel. Fixes #2828.
  * Add support for Oracle 19 and 18. Via #2857.
  * Add support for decoding tags in rlm_rest. Fixes #2848.
  * Use correct passwords when updating CRLs in raddb/certs/.
  * Properly separate "originate-coa" packets when accounting
    packets are read from the detail file reader.
  * Use the correct virtual server for pre/post-proxy.
  * radsqlrelay fixes backported from "master" branch.
  * Fix DoS issues due to multithreaded BN_CTX access
    (bsc#1166847, CVE-2019-17185)
- disable python2 for SLE15 and Factory
- freeradius-server-enable-python3.patch: enable Python3 module
- freeradius-python3_patches.patch: backport python3 fixes from upstream
- freeradius-server-opensslversion.patch: updated

- Enable memcached driver on SLE15

- Add missing BuildRequire on samba-core-devel required for winbind
  support in rlm_mschap.

- update to 3.0.19 (jira#SLE-5890)
Feature improvements
  * Update dictionary.cisco
  * Update sqlippool to allow for stored procedures with
    PostgreSQL.  This increases performance substantially.
    Patch from Nathan Ward.  Fixes #2540.
  * Re-added "show client config" command to radmin.
  * Cleaned up mods-available/sql example so that it is
    easier to understand.
  * Added pfSense dictionary. Closes #2581.
  * Update dictionary.h3c. Closes #2592.
  * Update elasticsearch/logstash config for v6.7.0.
  * EAP-PWD security fixes from Mathy Vanhoef. See
    http://freeradius.org/security/
    (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
Bug fixes
  * Update dynamic_client module and server core so that
    the functionality works.  This has been broken since
    at least v2.
  * Fix crash in sqlippool due to escaping changes.
    Patch from Nathan Ward.  Fixes #2532, #2533.
  * Fix systemd notify, watchdog and unit files.
    Fixes #2541, #2499.
  * Fix erroneous length check in EAP-FAST.
  * Update documentation to remove old "ignore_null"
    configuration. Fixes #2578.
  * Fix default POD port. Should be 3799. Fixes #2591.
  * Correctly encode vendor-specific "encrypted" attributes.
    Fixes #2600.

- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes

- update to 3.0.18
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
  See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes #2252.
* Add sql_session_start policy (raddb/policy.d/accounting)
  This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
  See raddb/mods-available/perl, and the "perl_flags" configuration item.
  This change should only affect people who are using variables in
  insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes #2280
* The server is better at handling fail-over for outbound RadSec and
  TCP connections. Fixes #2284.
* The server is now more aggressive about retrying failed outbound
  RadSec and TCP connections. Fixes #2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for RadSec connections. "%{listen:TLS-...}" for
  TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes
  in an "update" section.
* Move main thread queue to using atomic queues. This should help
  with contention in high load scenarios.
* Add "recv_buff" setting to listeners. For more details,
  see sites-available/default.
* The sqlippool module can now use attributes other than "Pool-Name"
  to assign IP pools. The "Pool-Name" attribute is still the default.
* The "unpack" expansion can now unpack substrings.
  See mods-available/unpack for documentation and examples.
* The preprocess module now does "cisco_vsa_hack" for Eltex-AVPair.
  Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
* Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
* Add sanitizing of control list for moonshot. Fixes #2318.
* Update rlm_sql_mysql to be compatible with MySQL 8
  Fixes https://bugs.launchpad.net/bugs/1795310.
* Allow logging of only Access-Accept or Access-Reject messages
  See radiusd.conf, "auth_accept" and "auth_reject".
* Removed Connect-Rate comparison. It was unused and broken.
* Add dictionary.infinera.
* Use OpenSSL HMAC functions instead of local ones.
* Some SQL modules can now use "auto_escape" to escape unsafe strings
  See mods-config/sql/main/mysql/queries.conf.
* Add wispr2date conversion in mods-available/date.
* Implement dictionary-based handling in rlm_python.
  Fixes #2334. See mods-available/python for details.
* Add support for SKIP LOCKED in sqlippool. This can improve performance
  by an order of magnitude or more.
  See raddb/mods-config/sql/ippool/*/queries.conf. Fixes #2383.
* Allow PSK and certificates at the same time, except for TLS 1.3,
  which does not support that.
* Update docker scripts. Fixes #2306. Patch from Matthew Newton.
* Add crypt xlat.
* MySQL connections can now skip verifying the server certificate.
  Fixes #2481. See mods-available/sql.
* Add better mechanism to detect MariaDB (Old MySQL).
* Add RFC 7532 "bang path" support for realms. Fixes #2492.
* Update dictionary.ukerna documentation. Fixes #2493.
* Add support for systemd service and watchdogs. Fixes #2499.
* Check for openssl/rand.h, and allow building without the OpenSSL engine.
  Patch from Eneas U de Queiroz. Fixes #2517.
* The default PostgreSQL queries now use "ON CONFLICT" to better
  deal with issues. This requires PostgreSQL 9.5 or later.
  Please use a recent version of PostgreSQL, or edit the default
  queries to remove "ON CONFLICT".
BUG FIXES
* The session-state list is no longer cleaned in the inner-tunnel.
  This lets the outer Access-Reject section access session-state.
* Fix typo in lock initialization for TLS sockets. Found by Sergio NNX.
* Add check for crash when home server is down. Fixes #2233.
* Add username key for postauth table.
* Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
* Allow building with old versions of OpenSSL. Fixes #2247.
* Allow non-FreeRADIUS State attributes to be used with the
  "session-state" list. i.e. State length != 16.
* Be more aggressive about cleaning up zombie children when running in debug mode.
* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
  exporting LDAP API functions.
* Unlock files when asked to unlock them.
* Return error instead of asserting in map code.
* Don't write 0 bytes to SSL. Fixes #2270.
* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
* Various dictionary cleanups and consistency checks. Fixes #2281.
* rlm_python has stronger thread locking to prevent reported issues.
  Performance may be affected.
* Don't allow Message-Authenticator to overflow past the end of a large packet.
* Fix crash in sqlippool when SQL server goes away. Fixes #2300.
* Typos in man pages. Patch from Nikolai Kondrashov. Fixes #2303.
* Fix crash with CoA packets. Fixes #2304.
* Fix crash in rlm_exec with CoA. Fixes #2328.
* Print errors while parsing the log config, and don't quit when
  deprecated log settings are found.
* Fix DHCP encoder xlat so that it can be used with a list of attributes.
  It previously only encoded the first member of the list,
  and now encodes all members.
* The "expr" module now skips more whitespace.
* Remove internal FreeRADIUS-Response-Delay attributes from
  attr_filter Access-Reject.
* Don't send junk to redis when maximum args reached.
* Small updates to IPv6 for accounting schema. Fixes #2364.
* Fix OpenDirectory integration in rlm_mschap.
* Fix slow memory leak with dynamic clients.
* Don't artificially truncate debug output for long strings.
* Fix memory leak in EAP-PWD.
* Fix crash in "hints" file with Fall-Through = yes.
* Fix crash / timer issues with many CoA packets.
* Fix attr_filter so that it does not treat vendor attributes of
  number 26 as Vendor-Specific.
* Fix reconnect correctly in rlm_sql_mysql.
* Fix rlm_cache to properly use Cache-TTL < 0. Fixes #2485.
* Fix rare occurrence of bad xlat expansion.
* Check for rare race condition when a proxy reply arrives too late.
- also fix ownership of /var/log/radius in systemd unit

- update to 3.0.17
Feature Improvements
* Add CURLOPT_CAINFO. Patch from Nicolas C. #2167.
* "stats home server" now supports "src IPADDR", to specify home
  server also by source IP. Fixes #2169.
* Add Dockerfiles for a selection of common systems.
* Increase number of permitted file descriptors, for systems with many
  home servers.
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs.
  Patch from Isaac Boukris. Fixes #2205.
* Update main READMEs. Patches from Matthew Newton.
* Added dictionary.mimosa.
Bug Fixes
* Don't call post-proxy twice when proxying to a virtual server.
  Matthew Newton, #2161.
* Use "raw" string value for shared secrets and dynamic clients
  It now parses strings with backslashes and "special characters"
  correctly. Fixes #2168.
* Fix RuntimeDirectory for RedHat, from Alan Buxey.
* Relax checks in 'if' parser from Isaac Boukris.
* Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
* Be more aggressive about cleaning up cached certificate attributes,
  due to deficiencies in OpenSSL. Reported by Nicolas Reich.
* Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
* Fix double free in rlm_sql. Fixes #2180.
* rlm_detail now writes empty Access-Accept packets.
* rlm_python can now create tagged attributes.
* Don't crash on duplicate realm + authhost / accthost
* Allow partial certificate chain to trusted CA. Fixes #2162.
* Treat SSL_read() returning zero as error. Fixes #2164.
* detail writer now checks if the file was renamed or deleted.
* Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
* RedHat Systemd updates. Fixes #2184.
* Use correct API for State variable in rlm_securid.
* Remove broken radclient option "-i".
* Fix "users" file (and hints, etc). So that it does not get confused
  about entry ordering with multiple $INCLUDEs.
* Fix rlm_sql to expand the un-escaped string, not the raw string.
* Link default and inner-tunnel only if they exist. Fixes #2206.
* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
* Always install signal handler for SIGINT (needed by Docker).
* Fix intermediate CA flow for OCSP. Fixes #2160. Intermediate certs
  which are not self-signed will now be checked.
* sqlippool now returns "fail" if it fails IP allocation.
* Fix rlm_yubikey to look for correct attribute in replay attack check.

* Don't do debug logging of bad passwords.  Fixes #2064. (bsc#1099802)
- update to 3.0.15 with security fixes for
  issues found via fuzzing by Guido Vranken (bsc#1049086)
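The TLS-version hardening announced under the 3.0.20 entry (tls_min_version/tls_max_version, with TLS 1.0 and 1.1 disabled by default) as an added configuration example. This is not the page's or the project's shipped file; it assumes the usual tls-config tls-common block in raddb/mods-available/eap, and the commented-out weak values are an assumed leftover from an older install rather than anything the changelog states.

```text
# raddb/mods-available/eap (added example, not the project's shipped file)
eap {
	default_eap_type = peap

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh

		# WEAK (assumed leftover from a pre-3.0.20 configuration): lets a peer
		# negotiate TLS 1.0 or 1.1 for EAP-TLS/PEAP/TTLS.
		# tls_min_version = "1.0"
		# tls_max_version = "1.2"

		# HARDENED (the 3.0.20 default): refuse anything below TLS 1.2.
		# Do not raise tls_max_version to "1.3": the changelog notes that
		# EAP over TLS 1.3 has no standard yet and will not work.
		tls_min_version = "1.2"
		tls_max_version = "1.2"
	}

	tls {
		tls = tls-common
	}

	peap {
		tls = tls-common
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
}
```

Check the edited file with `radiusd -XC` (check configuration and exit, with debug output) before restarting the service, so a typo in the block is reported at startup rather than at the first EAP exchange.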
Gustavo Yokoyama Ribeiro (gyribeiro) committed (revision 1)
initialize package