Very Highly Configurable Radius Server

Package freeradius-server

The FreeRADIUS server has a number of features found in other servers
and additional features not found in any other server. The server's
features are:

* Support for RFC and VSA attributes

* Additional server configuration attributes

* Selection of a particular configuration

* Authentication methods

* Accounting methods

Source Files
Filename Size Changed
freeradius-server-3.0.21.tar.bz2 0003184588 3.04 MB
freeradius-server-3.0.21.tar.bz2.sig 0000000591 591 Bytes
freeradius-server-enable-python3.patch 0000001107 1.08 KB
freeradius-server-opensslversion.patch 0000000566 566 Bytes
freeradius-server-radclient-init-error-buffer.patch 0000000434 434 Bytes
freeradius-server-radiusd-logrotate.patch 0000000959 959 Bytes
freeradius-server-rcradiusd.patch 0000000556 556 Bytes
freeradius-server-rlm_sql_unixodbc-configure.patch 0000000469 469 Bytes
freeradius-server-tmpfiles.patch 0000000310 310 Bytes
freeradius-server.changes 0000118638 116 KB
freeradius-server.spec 0000038825 37.9 KB
freeradius-tmpfiles.conf 0000000038 38 Bytes
freeradius.keyring 0000011090 10.8 KB
radiusd.service 0000000408 408 Bytes
Latest Revision
Gustavo Yokoyama Ribeiro (gyribeiro) committed (revision 2)
Fix bugnumber references (especially CVE number). No other changes from previous sr.

- update to 3.0.21 (jsc#SLE-11896)
Feature Improvements
  * New stored procedure for allocating IPs with PostgreSQL
    Rates of 1500 IPs per second are now possible
    See raddb/mods-config/sql/ippool/postgresql/procedure.sql
  * Add SQL IP pool support for Microsoft SQL Server
    See raddb/mods-config/sql/ippool/mssql/
  * Added RCNTEC dictionary. Closes #3168.
  * Added Pica8 dictionary. Closes #3179.
  * Add TLS-Client-Cert-Valid-Since attribute holding notBefore
    date. Patch from Boris Lytochkin. Fixes #3157.
  * Generate attributes containing unknown OIDs See raddb/sites-available/tls
  * Update the WiMAX dictionary.
  * Added ability for rlm_python (Python2) to show a stacktrace
    from errors. #2979.
  * Add WiFi Alliance Policy OIDs.
    See raddb/certs/xpextensions
  * radmin now shows coa stats, too.
  * Sample schema extensions for summarizing data in SQL
    See mods-config/sql/main/*/process-radacct.sql
  * Update dictionary.aerohive, dictionary.fortinet,
    dictionary.arista and dictionary.erx.
  * Added VAS Experts dictionary.
  * Many updates to RPM and jenkins builds from Matthew Newton.
  * Added %C (time now in seconds) and %c (microsecond component of now)
    back-ported from the "master" branch.
  * Add reload capability to systemd unit file in Debian and RedHat.
  * Increase timestamp precision in postauth to maximum supported by each
    database and simplify (and make more consistent between drivers)
    the timestamps in SQL queries by using expansions.

  * Option to set dictionary path in raduat script.
Bug Fixes
  * Various fixes found by PVS-Studio.
  * Set permissions of certificates in bootstrap shell script Fixes #3132.
  * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141.
  * Skip processing proxy reply if there are no home servers available.
  * Update SQLite IPPool queries. Fixes #3177
  * rlm_sql_unixodbc fixes. Fixes #2822.
  * Fixes when building with LibreSSL.
  * Fix the rlm_python3 build. Note that this module is experimental. #3183.
  * The rlm_python should append the 'python_path' paths in 'sys.path'.
    It fixes the expected behavior to use the existing Python modules
    Fixes #3180.
  * Fix rlm_python to print the script errors properly.
  * Bound total query time for PostgreSQL. Fixes #3253.
  * Many fixes to Oracle sqlippool. It now does 500 IPs per second
    without any tuning. Fixes #3270.
  * Reference sqlippool by its correct name. Fixes #3272.
  * Revert 3.0.20 patch which caused crashes on duplicate clients.
  * Update WiMAX-MSK attribute. Fixes #3280.
  * Fix crash when trying to access non-existent regex capture group.
  * Use timestamps (request or server) rather than SQL NOW()
    in accounting queries so that these are stable when replayed
    from a file buffer.
- freeradius-python3_patches.patch: upstreamed

- update to 3.0.20 (bsc#1146848)
Feature Improvements
  * Added Force10 dictionary.
  * Update dictionary.hp with new attributes. #2690.
  * Update dictionary.aruba with new attributes. #2696.
  * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
  * Relax OpenSSL version checks, now that their API is both public, and stable.
  * Note that tls_min_version/tls_max_version also support "1.3"
    Since there is no standard yet for EAP with TLS 1.3, it will not work.
  * Added tripplite dictionary from #2760.
  * Switch to the async interface for rlm_sql_postgresql so that
    we can enforce query_timeout.
  * Added new LDAP option 'allow_dangling_group_ref'.
  * Updated documentation and functionality for EAP session caching
    See "cache" section of mods-available/eap.
  * Tighten systemd unit file security. Fixes #2637.
  * Disable TLS 1.0 and TLS 1.1 support in the default configuration
    We STRONGLY recommend doing this for all installations.
  * Add expansions for *outgoing* Radsec connections
    "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
    TLS-Cert-* attributes. Fixes #2839.
  * Add %{listen:tls} which returns "yes" or "no" for
    TLS or non-TLS connections.
  * Update dictionary.lancom with new attributes. #2847.
  * Added rlm_sql_mongo. See raddb/mods-available/sql.
    Note that this module is experimental.
  * Added more documentation in sites-available/robust-proxy-accounting.
  * sqlippool now re-allocates unexpired leases, to prevent IP pool
    exhaustion when clients perform multiple reauthentication attempts
  * Add support for radmin to keep the history in ~/.radmin_history.
  * Add support for ENV and LD_PRELOAD in radiusd.conf.
    See the new ENV sub-section of radiusd.conf.
  * Update dictionary.aptilo. #3002.
  * Update dictionary.airespace. #3039.
  * Add sites-available/coa-relay, which makes CoA easier #3045.
  * Add example stored procedure for IP Pools in MySQL
    See mods-config/sql/ippool/mysql/procedure.sql
  * Update dictionary.dhcp dictionary with the recent hardware types.
  * Add experimental rlm_python3. This should largely work
    the same as rlm_python, which was Python2 only.
  * Add Dockerfiles for Debian10 and CentOS8.
  * Add RPM spec file compatibility for RHEL/CentOS 8.
  * Notes on certificate constraints. See raddb/certs/server.cnf.
  * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
Bug Fixes
  * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
  * ERX-Acct-Request-Reason is "integer". Closes #2635.
  * Fix a slow memory leak in the file management code.
  * Try to fix file permissions if they get modified while
    the server is running
  * Fix slow memory leak with clients.
  * Fix request and connection timeouts in rlm_rest.
  * Fix systemd issues.
  * Fixes from clang analyzer.
  * Fix missing include for the dictionaries:
    alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn,
    audiocodes,avaya,bristol, columbia_university,freedhcp,garderos,
    infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
  * Fix internal sanity check when running with "-Xx".
  * Allow "inner-tunnel" virtual servers to work better
    with "accept" and "reject" policies.
  * Fix dictionary.huawei data types for
    Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
  * Framed-Interface-ID in postgresql/queries.conf is string,
    not inet Fixes #2817.
  * Fix rlm_cache to complain on unknown attributes in the "update"
    section of its configuration.
  * Add configure checks for -latomic. This helps on armel,
    mips and mipsel. Fixes #2828.
  * Add support for Oracle 19 and 18. Via #2857.
  * Add support for decoding tags in rlm_rest. Fixes #2848.
  * Use correct passwords when updating CRLs in raddb/certs/.
  * Properly separate "originate-coa" packets when accounting
    packets are read from the detail file reader.
  * Use the correct virtual server for pre/post-proxy.
  * radsqlrelay fixes backported from "master" branch
  * Fix DoS issues due to multithreaded BN_CTX access
    (bsc#1166847, CVE-2019-17185)
- disable python2 for SLE15 and Factory
- freeradius-server-enable-python3.patch: enable Python3 module
- freeradius-python3_patches.patch: backport python3 fixes from upstream
- freeradius-server-opensslversion.patch: updated

- Enable memcached driver on SLE15

- Add missing BuildRequires on samba-core-devel, required for winbind
  support in rlm_mschap.

- update to 3.0.19 (jira#SLE-5890)
Feature improvements
  * Update dictionary.cisco
  * Update sqlippool to allow for stored procedures with
    PostgreSQL.  This increases performance substantially.
    Patch from Nathan Ward.  Fixes #2540.
  * Re-added "show client config" command to radmin.
  * Cleaned up mods-available/sql example so that it is
    easier to understand.
  * Added pfSense dictionary. Closes #2581
  * Update dictionary.h3c Closes #2592
  * Update elasticsearch/logstash config for v6.7.0.
  * EAP-PWD security fixes from Mathy Vanhoef. See
    http://freeradius.org/security/
    (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
Bug fixes
  * Update dynamic_client module and server core so that
    the functionality works.  This has been broken since
    at least v2.
  * Fix crash in sqlippool due to escaping changes.
    Patch from Nathan Ward.  Fixes #2532, #2533.
  * Fix systemd notify, watchdog and unit files.
    Fixes #2541, #2499.
  * Fix erroneous length check in EAP-FAST.
  * Update documentation to remove old "ignore_null"
    configuration. Fixes #2578.
  * Fix default POD port. Should be 3799.  Fixes #2591
  * Correctly encode vendor-specific "encrypted" attributes.
    Fixes #2600

- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes

- update to 3.0.18
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
  See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes #2252.
* Add sql_session_start policy (raddb/policy.d/accounting)
  This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
  See raddb/mods-available/perl, and the "perl_flags" configuration item.
  This change should only affect people who are using variables in
  insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes #2280
* The server is better at handling fail-over for outbound RadSec and
  TCP connections. Fixes #2284.
* The server is now more aggressive about retrying failed outbound
  RadSec and TCP connections. Fixes #2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for Radsec connections. "%{listen:TLS-...}" for
  TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes
  in an "update" section.
* Move main thread queue to using atomic queues. This should help
  with contention in high load scenarios.
* Add "recv_buff" setting to listeners. For more details,
  see sites-available/default.
* The sqlippool module can now use attributes other than "Pool-Name"
  to assign IP pools. The "Pool-Name" attribute is still the default.
* The "unpack" expansion can now unpack substrings.
  See mods-available/unpack for documentation and examples.
* The preprocess module now does "cisco_vsa_hack" for Eltex-AVPair.
  Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
* Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
* Add sanitizing of control list for moonshot. Fixes #2318.
* Update rlm_sql_mysql to be compatible with MySQL 8
  Fixes https://bugs.launchpad.net/bugs/1795310.
* Allow logging of only Access-Accept or Access-Reject messages
  See radiusd.conf, "auth_accept" and "auth_reject".
* Removed Connect-Rate comparison. It was unused and broken.
* Add dictionary.infinera.
* Use OpenSSL HMAC functions instead of local ones.
* Some SQL modules can now use "auto_escape" to escape unsafe strings
  See mods-config/sql/main/mysql/queries.conf.
* Add wispr2date conversion in mods-available/date.
* Implement dictionary-based handling in rlm_python.
  Fixes #2334 See mods-available/python for details.
* Add support for SKIP LOCKED in sqlippool. This can improve performance
  by an order of magnitude or more.
  See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
* Allow PSK and certificates at the same time Except for TLS 1.3
  which does not support that.
* Update docker scripts. Fixes #2306 Patch from Matthew Newton.
* Add crypt xlat.
* MySQL connections can now skip verifying the server certificate.
  Fixes #2481. See mods-available/sql.
* Add better mechanism to detect MariaDB (Old MySQL).
* Add RFC 7532 "bang path" support for realms Fixes #2492.
* Update dictionary.ukerna documentation. Fixes #2493.
* Add support for systemd service and watchdogs Fixes #2499.
* Check for openssl/rand.h, and allow building without OpenSSL engine.
  Patch from Eneas U de Queiroz. Fixes #2517.
* The default PostgreSQL queries now use "ON CONFLICT" to better
  deal with issues. This requires PostgreSQL 9.5 or later.
  Please use a recent version of PostgreSQL, or edit the default
  queries to remove "ON CONFLICT".
BUG FIXES
* The session-state list is no longer cleaned in the inner-tunnel.
  This lets the outer Access-Reject section access session-state.
* Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
* Add check for crash when home server down Fixes #2233.
* Add username key for postauth table.
* Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
* Allow building with old versions of OpenSSL Fixes #2247.
* Allow non-FreeRADIUS State attributes to be used with the
  "session-state" list. i.e. State length != 16.
* Be more aggressive about cleaning up zombie children when running in debug mode.
* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
  exporting LDAP API functions.
* unlock files when asked to unlock them.
* return error instead of asserting in map code.
* Don't write 0 bytes to SSL. Fixes #2270.
* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
* Various dictionary cleanups and consistency checks Fixes #2281.
* rlm_python has stronger thread locking to prevent reported issues.
  Performance may be affected.
* Don't allow Message-Authenticator to overflow past the end of a large packet.
* Fix crash in sqlippool when SQL server goes away Fixes #2300.
* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
* Fix crash with CoA packets. Fixes #2304.
* Fix crash in rlm_exec with CoA. Fixes #2328.
* Print errors while parsing the log config, and don't quit when
  deprecated log settings are found.
* Fix DHCP encoder xlat so that it can be used with a list of attributes.
  It previously only encoded the first member of the list,
  and now encodes all members.
* The "expr" module now skips more whitespace.
* Remove internal FreeRADIUS-Response-Delay attributes from
  attr_filter Access-Reject.
* Don't send junk to redis when maximum args reached.
* Small updates to IPv6 for accounting schema Fixes #2364.
* Fix OpenDirectory integration in rlm_mschap.
* Fix slow memory leak with dynamic clients.
* Don't artificially truncate debug output for long strings.
* Fix memory leak in EAP-PWD.
* Fix crash in "hints" file with Fall-Through = yes.
* Fix crash / timer issues with many CoA packets.
* Fix attr_filter so that it does not treat vendor attributes of
  number 26 as Vendor-Specific.
* Fix reconnect correctly in rlm_sql_mysql.
* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
* Fix rare occurrence of bad xlat expansion.
* Check for rare race condition when a proxy reply arrives too late.
- also fix ownership of /var/log/radius in systemd unit

- update to 3.0.17
Feature Improvements
* Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
* "stats home server" now supports "src IPADDR", to specify home
  server also by source IP. Fixes #2169.
* Add Dockerfiles for a selection of common systems.
* Increase number of permitted file descriptors, for systems with many
  home servers.
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
  Patch from Isaac Boukris. Fixes #2205.
* Update main READMEs. Patches from Matthew Newton.
* Added dictionary.mimosa.
Bug Fixes
* Don't call post-proxy twice when proxying to a virtual server.
  Matthew Newton, #2161.
* Use "raw" string value for shared secrets and dynamic clients
  It now parses strings with backslashes and "special characters"
  correctly. Fixes #2168.
* Fix RuntimeDirectory for RedHat, from Alan Buxey.
* Relax checks in 'if' parser from Isaac Boukris.
* Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
* Be more aggressive about cleaning up cached certificate attributes,
  due to deficiencies in OpenSSL. Reported by Nicolas Reich.
* Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
* Fix double free in rlm_sql. Fixes #2180.
* rlm_detail now writes empty Access-Accept packets.
* rlm_python can now create tagged attributes.
* Don't crash on duplicate realm + authhost / accthost
* Allow partial certificate chain to trusted CA. Fixes #2162.
* Treat SSL_read() returning zero as error. Fixes #2164.
* detail writer now checks if the file was renamed or deleted.
* Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
* RedHat Systemd updates. Fixes #2184.
* Use correct API for State variable in rlm_securid.
* Remove broken radclient option "-i".
* Fix "users" file (and hints, etc). So that it does not get confused
  about entry ordering with multiple $INCLUDEs.
* Fix rlm_sql to expand the un-escaped string, not the raw string.
* Link default and inner-tunnel only if they exist. Fixes #2206.
* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
* Always install signal handler for SIGINT (needed by Docker).
* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
  which are not self-signed will now be checked.
* sqlippool now returns "fail" if it fails IP allocation.
* Fix rlm_yubikey to look for correct attribute in replay attack check.

* Don't do debug logging of bad passwords.  Fixes #2064. (bsc#1099802)
- update to 3.0.15 with security fixes for
  issues found via fuzzing by Guido Vranken (bsc#1049086)