FreeRADIUS 2.2.1 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
* Updated dictionary.alcatel, dictionary.bskyb, dictionary.proxim
* Added %{randstr:..} support. Creates random strings in a
* Added operator support to rlm_python
* Added %{hex:...} for hex version of raw attribute data
* Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
  and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
  and %{base64tohex:...} to convert a base64 string to a hex string.
* Use correct terminology when printing errors regarding request/
  response/message authenticators.
* Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
* radsqlrelay does multiple INSERTs in one transaction.
  Patch from Uwe Meyer-Gruhl.
* Run Post-Proxy-Type Reject {} if the upstream server rejected the
* Skip OCSP if there's no host / port / url, with soft_fail
* Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
* Thread max_queue_size has better bounds checking.
* Use correct variable for warning message if the user misconfigures
* radtest is more generous about parsing ppphint
* radeapclient now accepts -4 and -6, just like radclient.
  Patch from John Dennis.
* Ignore ".rpmnew" and a bunch of other files when loading config
  files from a directory.
* Wait for child threads before exiting. This prevents errors on
  exit, but may increase exit time if databases are blocked!
  Patch from Iliya Peregoudov.
* Wrap rbtree calls in mutexes in rlm_cache to prevent memory
  corruption. Patch from Phil Mayers.
* Port fix for %{3GPP-*} expansion from master branch.
* Fix sample certificate scripts when multiple client certs are

FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
* 100% configuration file compatible with 2.1.x.
  The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
  Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
* Added copyright statements to the dictionaries, so that we know
  when people are using them.
* Better documentation for radrelay and detail file writer.
  See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver. Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
  Patch from Matthew Newton
* Finalize DHCP and DHCP relay code. It should now work everywhere.
  See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilities are now compiled in by default.
  It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
* Added script to convert ISC DHCP lease files to SQL pools.
  See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
  after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
  config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
  caching is disabled which may increase performance.
* Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
  and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
  was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
  Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
* Fix SQL IPPool logic for non-timer attributes. Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD. Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0". Setting that
  is pointless for a host of reasons. It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
  vector. Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
  and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
  EAP-Identity. Changing the EAP type via NAK may result in
  identities changing. Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
  disappear after a HUP.
* Can now reference tagged attributes in expansions.
  e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
  replies. Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
  queries work correctly.
* The TTLS diameter decoder is now more lenient. It ignores
  unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader. Prevents very slow leak.
* Operator =~ shouldn't copy the attribute, like :=. It should
  instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
  wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
  crash if it attempts to load a badly formatted client definition.