FreeRADIUS 2.2.1 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
* Updated dictionaries for alcatel, bskyb, meru, trapeze,
  proxim, zeus, and rfc6677
* Added %{randstr:..} support. Creates random strings in a
* Added operator support to rlm_python
* Added %{hex:...} for hex version of raw attribute data
* Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
  and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
  and %{base64tohex:...} to convert a base64 string to a hex string.
* Use correct terminology when printing errors regarding request/
  response/message authenticators.
* Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
* radsqlrelay does multiple INSERTs in one transaction.
  Patch from Uwe Meyer-Gruhl.
* Run Post-Proxy-Type Reject {} if the upstream server rejected the
* On startup, the server checks if it was linked with the correct
  OpenSSL libraries. If not, it errors out. This prevents later
  crashes in OpenSSL, due to library incompatibilities.
* Added radmin command "hup main.log", to re-open the log files,
  without HUPing any other part of the server.
* Added support for EAP-Key-Name. See raddb/sites-available/default,
  and look for comments mentioning EAP-Key-Name. MacSec now works.
* Added support for hex numbers (0x...) to %{expr: ...}
* Backported TLS client certificate validation from 3.0.0.
* Run Post-Auth for EAP inner-tunnel methods.
* Added "show config <path>" to radmin. You can now examine any
  configuration item in a running server.
* Skip OCSP if there's no host / port / url, with soft_fail
* Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
* Thread max_queue_size has better bounds checking.
* Use correct variable for warning message if the user misconfigures
* radtest is more generous about parsing ppphint
* radeapclient now accepts -4 and -6, just like radclient.
  Patch from John Dennis.
* Ignore ".rpmnew" and a bunch of other files when loading config
  files from a directory.
* Wait for child threads before exiting. This prevents errors on
  exit, but may increase exit time if databases are blocked!
  Patch from Iliya Peregoudov.
* Wrap rbtree calls in mutexes in rlm_cache to prevent memory
  corruption. Patch from Phil Mayers.
* Port fix for %{3GPP-*} expansion from master branch.
* Fix sample certificate scripts when multiple client certs are
* Track return code priorities across if/else/elsif in unlang.
* In debug mode, print out DHCP options when sending a DHCP packet.
* Fixes to the redis modules from Brian Candler
* Print better debug message for LDAP "operations error"
* Fix a number of minor issues as found by Coverity
* Frees module config in order to prevent occasional crash on exit
* Update DHCP debugging messages to make it clearer what's
* Print multiple DHCP options the correct number of times in
* On debug builds, don't dlclose() modules when '-m' is used.
  This allows valgrind to show module symbols.
* Don't count Status-Server packets in Access-Request statistics
* Minor cleanups to debug output
* Be more careful handling module configurations to avoid crash
  on otherwise clean exit.
* For raddebug, correctly set the group of the output file.
* Renamed dhclient to dhcpclient. People who install it
  shouldn't have their systems broken.
* For EAP-TLS methods, random_file is no longer required.
  OpenSSL already reads /dev/urandom.

FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
* 100% configuration file compatible with 2.1.x.
  The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
  Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
* Added copyright statements to the dictionaries, so that we know
  when people are using them.
* Better documentation for radrelay and detail file writer.
  See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver. Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
  Patch from Matthew Newton
* Finalize DHCP and DHCP relay code. It should now work everywhere.
  See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilities are now compiled in by default.
  It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
* Added script to convert ISC DHCP lease files to SQL pools.
  See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
  after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
  config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
  caching is disabled which may increase performance.
* Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
  and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
  was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
  Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
* Fix SQL IPPool logic for non-timer attributes. Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD. Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0". Setting that
  is pointless for a host of reasons. It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
  vector. Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
  and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
  EAP-Identity. Changing the EAP type via NAK may result in
  identities changing. Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
  disappear after a HUP.
* Can now reference tagged attributes in expansions.
  e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
  replies. Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
  queries work correctly.
* The TTLS diameter decoder is now more lenient. It ignores
  unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader. Prevents very slow leak.
* Operator =~ shouldn't copy the attribute, like :=. It should
  instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
  wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
  crash if it attempts to load a badly formatted client definition.