File radsecproxy.changes of Package radsecproxy
-------------------------------------------------------------------
Mon Jun 12 07:24:44 UTC 2023 - Stefan Botter <obs@botter.cc> 1.10.0

- 1.10.0
  New features:
  - Native dynamic discovery for NAPTR and SRV records (#2, #83)
  - Optionally log accounting requests when responding directly (#72)
  - SNI support for outgoing connections (#90)
  - Optionally specify server name for certificate name check (#106)
  - Manual MTU setting for DTLS on non-linux platforms
  Misc:
  - Don't require server type to be set by dyndisc scripts
  - Improve locating openssl lib using pkg-config
  Bug Fixes:
  - Fix radius message length handling
- 1.9.3
  Bug Fixes:
  - Fix shutdown TLS connection on malformed radius message (#122)
  - Fix handling of lost requests in DTLS
  - Fix flush requests when dyndisc fails

-------------------------------------------------------------------
Fri Feb 17 06:14:11 UTC 2023 - Stefan Botter <obs@botter.cc> 1.9.2

- 1.9.2
  Bug Fixes:
  - Fix potential segfault in tcp log message
  - Fix DTLS over IPv6
  - Fix SSL shutdown/EOF for openssl 3.x (#108)

-------------------------------------------------------------------
Sat Nov 20 07:19:02 UTC 2021 - Stefan Botter <obs@botter.cc> 1.9.1

- 1.9.1
  Misc:
  - OpenSSL 3.0 compatibility (#70)
  Bug Fixes:
  - Fix refused startup with openssl <1.1 (#82)
  - Fix compiler issue for Fedora 33 on s390x (#84)
  - Fix small memory leak in config parser
  - Fix lazy certificate check when connecting to TLS servers
  - Fix connect is aborted if first host in list has invalid certificate
  - Fix setstacksize for glibc 2.34 (#91)
  - Fix system defaults/settings for TLS version not honored (#92)
- remove patch to fix setstacksize for glibc 2.34 (fix #91) from package

-------------------------------------------------------------------
Tue Oct 5 08:21:07 UTC 2021 - Stefan Botter <obs@botter.cc>

- add upstream patch to fix setstacksize for glibc 2.34 (fix #91)
  radsecproxy-1.9.0_fix-glibc-2.34-setstacksize.diff
  + will not be needed after next release

-------------------------------------------------------------------
Fri Jun 11 10:49:52 UTC 2021 - Stefan Botter <obs@botter.cc> 1.9.0

- 1.9.0
  New features:
  - Accept multiple source* configs for IPv4/v6
  - Specify source per server
  - User configurable cipher-list and ciphersuites
  - User configurable TLS versions
  - Config option for DH-file
  - Add rID and otherName options to certifcateAttributeCheck
  - Allow multiple matchCertificateAttribute
  - Option to start dynamic server in blocking mode
  Misc:
  - Move radsecproxy manpage to section 8
  - Log CUI and operator-name if present
  - Log CN for incoming TLS connections
  Bug Fixes:
  - Fix overlapping log lines
  - Fix memory leak in logging
  - Fix dyndisc example scripts input validation (CVE-2021-32642)

-------------------------------------------------------------------
Mon Mar 22 13:23:47 UTC 2021 - Stefan Botter <obs@botter.cc> 1.8.2

- 1.8.2
  Bug fixes:
  - Fix wrong config-unhexing if %25 (%) occurs
  - Fix compatibility with GCC 10 (#63)
  - Fix spelling in manpage
  - Fix modifyVendorAttribute not applied (#62)
  - Fix unnecessary status-server when in minimal mode (#61)
- remove unneeded patch
  radsecproxy-declare_pthread_attr_as_extern_in_header.diff

-------------------------------------------------------------------
Sun Jun 14 09:17:28 UTC 2020 - Stefan Botter <obs@botter.cc>

- add upstream patch to fix GCC 10 incompatibility
  radsecproxy-declare_pthread_attr_as_extern_in_header.diff
  + will not be needed after next release

-------------------------------------------------------------------
Tue Nov 5 13:34:05 UTC 2019 - Stefan Botter <obs@botter.cc>

- 1.8.1
  Bug fixes:
  - Handle Tunnel-Password attribute correctly
  - Fix BSD platform issues
  - Fix spelling in log messages and manpages
  - Fix compile issues for unit tests

-------------------------------------------------------------------
Thu Jul 4 09:45:56 UTC 2019 - Stefan Botter <obs@botter.cc>

- 1.8.0
  New features:
  - Rewrite: supplement attribute (add attribute if not present) (#19)
  - Rewrite: modify vendor attribute
  - Rewrite whitelist mode
  - Autodetect status-server capability of servers
  - Minimalistic status-server
  - Explicit SubjectAltName:DNS and :IP match on certificates
  Misc:
  - No longer require docbook2x tools, but include plain manpages
  - Fail on startup if overlapping clients with different tls blocks
  Compile fixes:
  - Fix compile issues on bsd
  Bug fixes:
  - Handle %00 in config correctly (#31)
  - Fix server selection when udp were unreachable for long periods

-------------------------------------------------------------------
Wed Nov 21 17:07:51 UTC 2018 - obs@botter.cc

- add logrotate definition file

-------------------------------------------------------------------
Wed Sep 5 10:43:17 UTC 2018 - obs@botter.cc

- 1.7.2
  Misc:
  - Always copy proxy-state attributes in own responses
  - Authenticate own access-reject responses
  - Retry outstanding requests after connection reset
  Compile fixes:
  - Fix compile issues on some platforms (#14)
  - Fix compile issue when dtls disabled (#16)
  - Fix compile issue on Cygwin (#18)
  - Fix radsecproxy.conf manpage not installed when docbook2x not available
  Bug fixes:
  - Fix request might be dropped if udp client uses multiple source ports
  - Fix tls output might drop requests under high load
  - Check for IP literals in Certificate SubjectAltName:DNS records
  - Fix tls connection might hang during SSL_connect and SSL_accept

-------------------------------------------------------------------
Fri Jul 27 12:06:05 UTC 2018 - obs@botter.cc

- 1.7.1
  License and copyright changes:
  - Copyright SWITCH
  - 3-clause BSD license only, no GPL.
  Enhancements:
  - Support the use of OpenSSL version 1.1 and 1.0 series
    (RADSECPROXY-66, RADSECPROXY-74).
  - Reload TLS certificate CRLs on SIGHUP (RADSECPROXY-78).
  - Make use of SO_KEEPALIVE for tcp sockets (RADSECPROXY-12).
  - Optionally include the thread-id in log messages
  - Allow hashing MAC addresses in the log (same as for F-Ticks)
  - Log certificate subject if rejected
  - Log own responses (RADSECPROXY-61)
  - Allow f-ticks prefix to be configured
  - radsecproxy-hash: allow MAC addresses to be passed on command line
  Misc:
  - libnettle is now an unconditional dependency.
  - FTicks support is now on by default and not optional.
  - Experimental code for dynamic discovery has been removed.
  - Replace several server status bits with a single state enum.
    (RADSECPROXY-71)
  - Use poll instead of select to allow > 1000 concurrent connections.
  - Implement locking for all SSL objects (openssl states it is not
    thread-safe)
  - Rework DTLS code.
  Bug fixes:
  - Detect the presence of docbook2x-man correctly.
  - Make clang less unhappy.
  - Don't use a smaller pthread stack size than what's allowed.
  - Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
  - Don't forget about good dynamically discovered (TLS) connections
    (RADSECPROXY-69).
  - Fix refcounting in error cases when loading configuration
    (RADSECPROXY-42)
  - Fix potential crash when rewriting malformed vendor attributes.
  - Properly cleanup expired requests from server output-queue.
  - Fix crash when dynamic discovered server doesn't resolve.

-------------------------------------------------------------------
Thu Jun 21 10:06:48 UTC 2018 - obs@botter.cc

- add Restart=always to service file

-------------------------------------------------------------------
Thu Dec 7 13:54:00 UTC 2017 - obs@botter.cc

- Changes between 1.6.8 and the master branch
  License and copyright changes:
  - Copyright UNINETT AS and NORDUnet A/S.
  - 3-clause BSD license only, no GPL.
  Enhancements:
  - Support the use of OpenSSL version 1.1 series (RADSECPROXY-66).
  Misc:
  - libnettle is now an unconditional dependency.
  - FTicks support is now on by default and not optional.
  - Experimental code for dynamic discovery has been removed. Be aware
    that use of the DynamicLookupCommand configuration option still
    enables code known to be buggy.
  - Use a listen(2) backlog of 128 (RADSECPROXY-72).
  Bug fixes:
  - Detect the presence of docbook2x-man correctly.
  - Make clang less unhappy.
  - Don't use a smaller pthread stack size than what's allowed.
  - Don't follow the NULL pointer at debug level 5 (RADSECPROXY-68).
  - Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
  - Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
  - Tie Access-Request log lines to response log lines (RADSECPROXY-60).
  - Take lock on realm refcount before updating it (RADSECPROXY-77).
  - Fix a couple of memory leaks and NULL ptr derefs in error cases.

  2016-09-21 1.6.8
  Bug fixes:
  - Stop waiting on writable when reading a TCP socket.
  - Stomp less on the memory of other threads (RADSECPROXY-64).

  2016-03-14 1.6.7
  Enhancements (security):
  - Negotiate TLS1.1, TLS1.2 and DTLS1.2 when possible, client and
    server side. Fixes RADSECPROXY-62.
  Enhancements:
  - Build HTML documentation properly.

  2015-01-19 1.6.6
  Bug fixes (security):
  - Fix two use-after-free, a null pointer dereference and three heap
    overflows. Patches by Stephen Röttger.
  Bug fixes:
  - Have rewriteIn for servers use the correct config section. We used
    to apply rewriteIn using the rewrite block of the client rather
    than the server. Patch by Fabian Mauchle. Fixes RADSECPROXY-59.
  - Handle CHAP authentication properly when there is no
    CHAP-Challenge. Fixes RADSECPROXY-58.
  - Install radsecproxy.conf.5 unconditionally. Keep regeneration of it
    dependent on configure finding docbook2x-man(1).

-------------------------------------------------------------------
Thu Aug 7 10:51:05 UTC 2014 - obs@botter.cc

- 1.6.5
  Bug fixes:
  + Fix a crash bug introduced in 1.6.4. Fixes RADSECPROXY-53
- 1.6.4
  Bug fixes:
  + Keeping Proxy-State attributes in all replies to clients
    (RADSECPROXY-52).
- 1.6.3
  Enhancements:
  + Threads are allocated with a 32 KB stack rather than what happens
    to be the default.
  + On systems with mallopt(3), freed memory is returned to the system
    more aggressively. Patch by Fabian Mauchle.
  Bug fixes:
  + radsecproxy-hash(1) no longer prints the hash four times.
  + Escaped slashes in regular expressions now work. (RADSECPROXY-51)
  + The duplication cache is purged properly.
  + Stop freeing a shared piece of memory manifesting itself as a crash
    when using dynamic discovery.
  + Closing and freeing TLS clients properly.
  + Timing out on TLS clients not closing the connection properly.
- 1.6.2
  Bug fixes (security):
  + Fix the issue with verification of clients when using multiple
    'tls' config blocks (RADSECPROXY-43) for DTLS too. Fixes
    CVE-2012-4566 (CVE id corrected 2012-11-01, after the release of
    1.6.2).
- 1.6.1
  Bug fixes (security):
  + When verifying clients, don't consider config blocks with CA
    settings ('tls') which differ from the one used for verifying the
    certificate chain. (RADSECPROXY-43, CVE-2012-4523).
  Bug fixes:
  + Make naptr-eduroam.sh check NAPTR type case insensitively.

-------------------------------------------------------------------
Fri Jun 22 2012 Sven Uebelacker <sven@uebelacker.net> 1.6

- correcting license to GPL-2+ due to rpmlint "invalid-license
  Artistic License"

-------------------------------------------------------------------
Mon May 16 2012 Sven Uebelacker <sven@uebelacker.net> 1.6

- adding post-install warning about new default secret
  (RADSECPROXY-19 / draft-ietf-radext-radsec-08)
- removing "restart_on_update" feature because of the above
- explicitly naming config file in sysV script
- update to version 1.6
  + The default shared secret for TLS and DTLS connections changed from
    "mysecret" to "radsec"
  + Preliminary support for DynamicLookupCommand
  + Improved F-Ticks logging
  + Stop the autoconfery from warning
  + Address family (IPv4 or IPv6) can now be specified
  + Don't crash on failing DynamicLookupCommand scripts

-------------------------------------------------------------------
Thu Jan 12 2012 Sven Uebelacker <sven@uebelacker.net> 1.5

- adding systemd service for openSUSE 12.1

-------------------------------------------------------------------
Tue Dec 21 2011 Sven Uebelacker <sven@uebelacker.net> 1.5

- adding radsecproxy-stats.sh

-------------------------------------------------------------------
Mon Oct 17 2011 Sven Uebelacker <sven@uebelacker.net> 1.5

- update to version 1.5
  + Support for F-Ticks logging
  + New binary radsecproxy-hash (but not yet compiling)
  + catgconf renamed to radsecproxy-conf
  + new scripts: naptr-eduroam.sh and radsec-dynsrv.sh

-------------------------------------------------------------------
Mon Aug 19 2011 Sven Uebelacker <sven@uebelacker.net> 1.4.3

- Bug fixes: Debug printout issue

-------------------------------------------------------------------
Mon Apr 18 2011 Sven Uebelacker <sven@uebelacker.net> 1.4.2

- adding SysV init script plus symlink and config example file

-------------------------------------------------------------------
Thu Dec 02 2010 Sven Uebelacker <sven@uebelacker.net> 1.4.2

- Update to 1.4.2 release

-------------------------------------------------------------------
Wed Jun 23 2010 Sven Uebelacker <sven@uebelacker.net> 1.4

- Update to 1.4 release

-------------------------------------------------------------------
Fri Sep 21 2007 Peter Nixon

- Update to 1.0 release

-------------------------------------------------------------------
Wed Jul 25 2007 Peter Nixon

- Initial rpm package