Note recent changes

[freeradius.git] / doc / ChangeLog

FreeRADIUS 2.2.1 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
        Feature improvements
        * Updated dictionaries for alcatel, bskyb, meru, trapeze,
          proxim, zeus, and rfc6677
        * Added %{randstr:..} support. Creates random strings in a
          controllable format.
        * Added operator support to rlm_python
        * Added %{hex:...} for hex version of raw attribute data
        * Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
          and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
          and %{base64tohex:...} to convert a base64 string to a hex string.
        * Use correct terminology when printing errors regarding request/
          response/message authenticators.
        * Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
        * radsqlrelay does multiple INSERTs in one transaction.
          Patch from Uwe Meyer-Gruhl.
        * Run Post-Proxy-Type Reject {} if the upstream server rejected the
          request.
        * On startup, the server checks if it was linked with the correct
          OpenSSL libraries.  If not, it errors out.  This prevents later
          crashes in OpenSSL, due to library incompatibilities.
        * Added radmin command "hup main.log", to re-open the log files,
          without HUPing any other part of the server.
        * Added support for EAP-Key-Name.  See raddb/sites-available/default,
          and look for comments mentioning EAP-Key-Name.  MacSec now works.
        * Added support for hex numbers (0x...) to %{expr: ...}
        * Backported TLS client certificate validation from 3.0.0.
        * Run Post-Auth for EAP inner-tunnel methods.
        * Added more RFCs
        * Added "show config <path>" to radmin.  You can now examine any
          configuration item in a running server.

        Bug fixes
        * Skip OCSP if there's no host / port / url, with soft_fail
        * Properly decode AT_IDENTITY in EAP-SIM.  Patch from Iliya Peregoudov
        * Thread max_queue_size has better bounds checking.
        * Use correct variable for warning message if the user misconfigures
          the server.
        * radtest is more generous about parsing ppphint
        * radeapclient now accepts -4 and -6, just like radclient.
          Patch from John Dennis.
        * Ignore ".rpmnew" and a bunch of other files when loading config
          files from a directory.
        * Wait for child threads before exiting.  This prevents errors on
          exit, but may increase exit time if databases are blocked!
          Patch from Iliya Peregoudov.
        * Wrap rbtree calls in mutexes in rlm_cache to prevent memory
          corruption. Patch from Phil Mayers.
        * Port fix for %{3GPP-*} expansion from master branch.
        * Fix sample certificate scripts when multiple client certs are
          made
        * Track return code priorities across if/else/elsif in unlang.
          Closes #107
        * In debug mode, print out DHCP options when sending a DHCP packet.
        * Fixes to the redis modules from Brian Candler
        * Print better debug message for LDAP "operations error"
        * Fix a number of minor issues as found by Coverity
        * Frees module config in order to prevent occasional crash on exit
        * Update DHCP debugging messages to make it clearer what's
          going on.
        * Print multiple DHCP options the correct number of times in
          debugging mode
        * On debug builds, don't dlclose() modules when '-m' is used.
          This allows valgrind to show module symbols.
        * Don't count Status-Server packets in Access-Request statistics
        * Minor cleanups to debug output
        * Be more careful handling module configurations to avoid crash
          on otherwise clean exit.
        * For raddebug, correctly set the group of the output file.
        * renamed dhclient to dhcpclient.  People who install it
          shouldn't have their systems broken.
        * for EAP-TLS methods, random_file is no longer required.
          OpenSSL already reads /dev/urandom.

FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
        Feature improvements
        * 100% configuration file compatible with 2.1.x.
          The only fix needed is to disallow "hashsize=0" for rlm_passwd
        * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
          Redback, and Mikrotik dictionaries
        * Switch to using SHA1 for certificate digests instead of MD5.
          See raddb/certs/*.cnf
        * Added copyright statements to the dictionaries, so that we know
          when people are using them.
        * Better documentation for radrelay and detail file writer.
          See raddb/modules/radrelay and raddb/radrelay.conf
        * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
        * Added -F <file> to radwho
        * Added query timeouts to MySQL driver.  Patch from Brian De Wolf.
        * Add /etc/default/freeradius to debian package.
          Patch from Matthew Newton
        * Finalize DHCP and DHCP relay code.  It should now work everywhere.
          See raddb/sites-available/dhcp, src_ipaddr and src_interface.
        * DHCP capabilitiies are now compiled in by default.
          It runs as a DHCP server ONLY when manually enabled.
        * Added one letter expansions: %G - request minute and %I request
          ID.
        * Added script to convert ISC DHCP lease files to SQL pools.
          See scripts/isc2ippool.pl
        * Added rlm_cache to cache arbitrary attributes.
        * Added max_use to rlm_ldap to force connection to be re-established
          after a given number of queries.
        * Added configtest option to Debian init scripts, and automatic
          config test on restart.
        * Added cache config item to rlm_krb5. When set to "no" ticket
          caching is disabled which may increase performance.

        Bug fixes
        * Fix CVE-2012-3547.  All users of 2.1.10, 2.1.11, 2.1.12,
          and 802.1X should upgrade immediately.
        * Fix typo in detail file writer, to skip writing if the packet
          was read from this detail file.
        * Free cached replies when closing resumed SSL sessions.
        * Fix a number of issues found by Coverity.
        * Fix memory leak and race condition in the EAP-TLS session cache.
          Thanks to Phil Mayers for tracking down OpenSSL APIs.
        * Restrict ATTRIBUTE names to character sets that make sense.
        * Fix EAP-TLS session Id length so that OpenSSL doesn't get
          excited.
        * Fix SQL IPPool logic for non-timer attributes.  Closes bug #181
        * Change some informational messages to DEBUG rather than error.
        * Portability fixes for FreeBSD.  Closes bug #177
        * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
          nonsense.
        * Safely handle extremely long lines in conf file variable expansion
        * Fix for Debian bug #606450
        * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
        * The passwd module no longer permits "hashsize = 0".  Setting that
          is pointless for a host of reasons.  It will also break the server.
        * Fix proxied inner-tunnel packets sometimes having zero authentication
          vector.  Found by Brian Julin.
        * Added $(EXEEXT) to Makefiles for portability.  Closes bug #188.
        * Fix minor build issue which would cause rlm_eap to be built twice.
        * When using "status_check=request" for a home server, the username
          and password must be specified, or the server will not start.
        * EAP-SIM now calculates keys from the SIM identity, not from the
          EAP-Identity.  Changing the EAP type via NAK may result in
          identities changing.  Bug reported by Microsoft EAP team.
        * Use home server src_ipaddr when sending Status-Server packets
        * Decrypt encrypted ERX attributes in CoA packets.
        * Fix registration of internal xlat's so %{mschap:...} doesn't
          disappear after a HUP.
        * Can now reference tagged attributes in expansions.
          e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
        * Correct calculation of Message-Authenticator for CoA and Disconnect
          replies.  Patch from Jouni Malinen
        * Install rad_counter, for managing rlm_counter files.
        * Add unique index constraint to all SQL flavours so that alternate
          queries work correctly.
        * The TTLS diameter decoder is now more lenient.  It ignores
          unknown attributes, instead of rejecting the TTLS session.
        * Use "globfree" in detail file reader.  Prevents very slow leak.
          Closes bug #207.
        * Operator =~ shouldn't copy the attribute, like :=.  It should
          instead behave more like ==.
        * Build main Debian package without SQL dependencies
        * Use max_queue_size in threading code
        * Update permissions in raddb/sql/postgresql/admin.sql
        * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
          wouldn't use methods it knew about.
        * Add more sanity checks in dynamic_clients code so the server won't
          crash if it attempts to load a badly formated client definition.