1 FreeRADIUS 2.2.1 Tuesday 17 Sep 2013 12:00:00 CEST, urgency=medium
6 * Fix erroneous fall-through in "case" statements
7 * Fix priority handling in new module handling code
8 * Fix threading issue with Perl. Closes #436
9 * Fiex EAP-TLS check_cert_issuer when X509v2 extensions
10 existed. Patch from David Wood.
12 FreeRADIUS 2.2.1 Tuesday 17 Sep 2013 12:00:00 CEST, urgency=medium
14 * Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru,
15 telkom, trapeze, proxim, zeus, rfc6677, 6911, and rfc6930.
16 * Added %{randstr:..} support. Creates random strings in a
18 * Added operator support to rlm_python
19 * Added %{hex:...} for hex version of raw attribute data
20 * Added %{sha1:...} for SHA1 hashing of data
21 * Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
22 and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
23 and %{base64tohex:...} to convert a base64 string to a hex string.
24 * rlm_expr is now responsible for registering many of the xlat
25 expansions. This is cleaner than bundling them all in the server
26 core. You should ensure 'expr' is listed in instantiate to ensure
27 correct operation of xlat expansions.
28 * Use correct terminology when printing errors regarding request/
29 response/message authenticators.
30 * Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
31 * radsqlrelay does multiple INSERTs in one transaction.
32 Patch from Uwe Meyer-Gruhl.
33 * Run Post-Proxy-Type Reject {} if the upstream server rejected the
35 * On startup, the server checks if it was linked with the correct
36 OpenSSL libraries. If not, it errors out. This prevents later
37 crashes in OpenSSL, due to library incompatibilities.
38 * Added radmin command "hup main.log", to re-open the log files,
39 without HUPing any other part of the server.
40 * Added support for EAP-Key-Name. See raddb/sites-available/default,
41 and look for comments mentioning EAP-Key-Name. MacSec now works.
42 * Added support for hex numbers (0x...) to %{expr: ...}
43 * Backported TLS client certificate validation from 3.0.0.
44 * Run Post-Auth for EAP inner-tunnel methods.
46 * Added "show config <path>" to radmin. You can now examine any
47 configuration item in a running server.
48 * Added TLS-Client-Cert-X509v3-Extended-Key-Usage for TLS-based EAP
49 methods. It is set automatically from the fields in the certificate.
50 * Add CRLCP attribute in certificate creation script. Windows phones
51 require it. Patch from Alan Buxey.
54 * Skip OCSP if there's no host / port / url, with soft_fail
55 * Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
56 * Thread max_queue_size has better bounds checking.
57 * Use correct variable for warning message if the user misconfigures
59 * radtest is more generous about parsing ppphint
60 * radeapclient now accepts -4 and -6, just like radclient.
61 Patch from John Dennis.
62 * Ignore ".rpmnew" and a bunch of other files when loading config
63 files from a directory.
64 * Wait for child threads before exiting. This prevents errors on
65 exit, but may increase exit time if databases are blocked!
66 Patch from Iliya Peregoudov.
67 * Wrap rbtree calls in mutexes in rlm_cache to prevent memory
68 corruption. Patch from Phil Mayers.
69 * Port fix for %{3GPP-*} expansion from master branch.
70 * Fix sample certificate scripts when multiple client certs are
72 * Track return code priorities across if/else/elsif in unlang.
74 * In debug mode, print out DHCP options when sending a DHCP packet.
75 * Fixes to the redis modules from Brian Candler
76 * Print better debug message for LDAP "operations error"
77 * Fix a number of minor issues as found by Coverity
78 * Frees module config in order to prevent occasional crash on exit
79 * Update DHCP debugging messages to make it clearer what's
81 * Print multiple DHCP options the correct number of times in
83 * On debug builds, don't dlclose() modules when '-m' is used.
84 This allows valgrind to show module symbols.
85 * Don't count Status-Server packets in Access-Request statistics
86 * Minor cleanups to debug output
87 * Be more careful handling module configurations to avoid crash
88 on otherwise clean exit.
89 * For raddebug, correctly set the group of the output file.
90 * renamed dhclient to dhcpclient. People who install it
91 shouldn't have their systems broken.
92 * for EAP-TLS methods, random_file is no longer required.
93 OpenSSL already reads /dev/urandom.
94 * Fix Suse and Redhat scripts. Patches from Fajar Nugraha.
95 * Minor bug fix for base64 decoding.
96 * Allow two consecutive WiMAX TLVs of the same number.
97 * Remove requirement that User-Name has to match MS-CHAP-User-Name.
98 I18n issues means that the character sets could be different.
99 * Don't use ephemeral thread states from PyGILState_Ensure(), use
100 our own, generated one per thread and stored in TLS.
101 * Port module processing fixes from v3. The code is simpler,
102 and one or two esoteric bugs are now gone.
103 * update code handling max_requests_per_server. It should now
105 * wrap ASCTIME_R for systems not supporting the standard API.
107 FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
109 * 100% configuration file compatible with 2.1.x.
110 The only fix needed is to disallow "hashsize=0" for rlm_passwd
111 * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
112 Redback, and Mikrotik dictionaries
113 * Switch to using SHA1 for certificate digests instead of MD5.
114 See raddb/certs/*.cnf
115 * Added copyright statements to the dictionaries, so that we know
116 when people are using them.
117 * Better documentation for radrelay and detail file writer.
118 See raddb/modules/radrelay and raddb/radrelay.conf
119 * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
120 * Added -F <file> to radwho
121 * Added query timeouts to MySQL driver. Patch from Brian De Wolf.
122 * Add /etc/default/freeradius to debian package.
123 Patch from Matthew Newton
124 * Finalize DHCP and DHCP relay code. It should now work everywhere.
125 See raddb/sites-available/dhcp, src_ipaddr and src_interface.
126 * DHCP capabilitiies are now compiled in by default.
127 It runs as a DHCP server ONLY when manually enabled.
128 * Added one letter expansions: %G - request minute and %I request
130 * Added script to convert ISC DHCP lease files to SQL pools.
131 See scripts/isc2ippool.pl
132 * Added rlm_cache to cache arbitrary attributes.
133 * Added max_use to rlm_ldap to force connection to be re-established
134 after a given number of queries.
135 * Added configtest option to Debian init scripts, and automatic
136 config test on restart.
137 * Added cache config item to rlm_krb5. When set to "no" ticket
138 caching is disabled which may increase performance.
141 * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
142 and 802.1X should upgrade immediately.
143 * Fix typo in detail file writer, to skip writing if the packet
144 was read from this detail file.
145 * Free cached replies when closing resumed SSL sessions.
146 * Fix a number of issues found by Coverity.
147 * Fix memory leak and race condition in the EAP-TLS session cache.
148 Thanks to Phil Mayers for tracking down OpenSSL APIs.
149 * Restrict ATTRIBUTE names to character sets that make sense.
150 * Fix EAP-TLS session Id length so that OpenSSL doesn't get
152 * Fix SQL IPPool logic for non-timer attributes. Closes bug #181
153 * Change some informational messages to DEBUG rather than error.
154 * Portability fixes for FreeBSD. Closes bug #177
155 * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
157 * Safely handle extremely long lines in conf file variable expansion
158 * Fix for Debian bug #606450
159 * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
160 * The passwd module no longer permits "hashsize = 0". Setting that
161 is pointless for a host of reasons. It will also break the server.
162 * Fix proxied inner-tunnel packets sometimes having zero authentication
163 vector. Found by Brian Julin.
164 * Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
165 * Fix minor build issue which would cause rlm_eap to be built twice.
166 * When using "status_check=request" for a home server, the username
167 and password must be specified, or the server will not start.
168 * EAP-SIM now calculates keys from the SIM identity, not from the
169 EAP-Identity. Changing the EAP type via NAK may result in
170 identities changing. Bug reported by Microsoft EAP team.
171 * Use home server src_ipaddr when sending Status-Server packets
172 * Decrypt encrypted ERX attributes in CoA packets.
173 * Fix registration of internal xlat's so %{mschap:...} doesn't
174 disappear after a HUP.
175 * Can now reference tagged attributes in expansions.
176 e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
177 * Correct calculation of Message-Authenticator for CoA and Disconnect
178 replies. Patch from Jouni Malinen
179 * Install rad_counter, for managing rlm_counter files.
180 * Add unique index constraint to all SQL flavours so that alternate
181 queries work correctly.
182 * The TTLS diameter decoder is now more lenient. It ignores
183 unknown attributes, instead of rejecting the TTLS session.
184 * Use "globfree" in detail file reader. Prevents very slow leak.
186 * Operator =~ shouldn't copy the attribute, like :=. It should
187 instead behave more like ==.
188 * Build main Debian package without SQL dependencies
189 * Use max_queue_size in threading code
190 * Update permissions in raddb/sql/postgresql/admin.sql
191 * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
192 wouldn't use methods it knew about.
193 * Add more sanity checks in dynamic_clients code so the server won't
194 crash if it attempts to load a badly formated client definition.
projects / freeradius.git / blob