FreeRADIUS 2.2.1 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
* Updated dictionary.alcatel, dictionary.bskyb, dictionary.proxim,
* Added %{randstr:..} support. Creates random strings in a
* Added operator support to rlm_python
* Added %{hex:...} for hex version of raw attribute data
* Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
  and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
  and %{base64tohex:...} to convert a base64 string to a hex string.
* Use correct terminology when printing errors regarding request/
  response/message authenticators.
* Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
* radsqlrelay does multiple INSERTs in one transaction.
  Patch from Uwe Meyer-Gruhl.
* Run Post-Proxy-Type Reject {} if the upstream server rejected the
* On startup, the server checks if it was linked with the correct
  OpenSSL libraries. If not, it errors out. This prevents later
  crashes in OpenSSL, due to library incompatibilities.
* Added radmin command "hup main.log", to re-open the log files,
  without HUPing any other part of the server.
* Added support for EAP-Key-Name. See raddb/sites-available/default,
  and look for comments mentioning EAP-Key-Name. MacSec now works.
* Added support for hex numbers (0x...) to %{expr: ...}
* Backported TLS client certificate validation from 3.0.0.
* Skip OCSP if there's no host / port / url, with soft_fail
* Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
* Thread max_queue_size has better bounds checking.
* Use correct variable for warning message if the user misconfigures
* radtest is more generous about parsing ppphint
* radeapclient now accepts -4 and -6, just like radclient.
  Patch from John Dennis.
* Ignore ".rpmnew" and a bunch of other files when loading config
  files from a directory.
* Wait for child threads before exiting. This prevents errors on
  exit, but may increase exit time if databases are blocked!
  Patch from Iliya Peregoudov.
* Wrap rbtree calls in mutexes in rlm_cache to prevent memory
  corruption. Patch from Phil Mayers.
* Port fix for %{3GPP-*} expansion from master branch.
* Fix sample certificate scripts when multiple client certs are
* Track return code priorities across if/else/elsif in unlang.
* In debug mode, print out DHCP options when sending a DHCP packet.
* Fixes to the redis modules from Brian Candler
* Print better debug message for LDAP "operations error"
* Fix a number of minor issues as found by Coverity
* Frees module config in order to prevent occasional crash on exit
* Update DHCP debugging messages to make it clearer what's
* Print multiple DHCP options the correct number of times in
* On debug builds, don't dlclose() modules when '-m' is used.
  This allows valgrind to show module symbols.
* Don't count Status-Server packets in Access-Request statistics

FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
* 100% configuration file compatible with 2.1.x.
  The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
  Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
* Added copyright statements to the dictionaries, so that we know
  when people are using them.
* Better documentation for radrelay and detail file writer.
  See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver. Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
  Patch from Matthew Newton
* Finalize DHCP and DHCP relay code. It should now work everywhere.
  See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilities are now compiled in by default.
  It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
* Added script to convert ISC DHCP lease files to SQL pools.
  See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
  after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
  config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
  caching is disabled which may increase performance.
* Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
  and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
  was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
  Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
* Fix SQL IPPool logic for non-timer attributes. Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD. Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0". Setting that
  is pointless for a host of reasons. It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
  vector. Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
  and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
  EAP-Identity. Changing the EAP type via NAK may result in
  identities changing. Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
  disappear after a HUP.
* Can now reference tagged attributes in expansions.
  e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
  replies. Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
  queries work correctly.
* The TTLS diameter decoder is now more lenient. It ignores
  unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader. Prevents very slow leak.
* Operator =~ shouldn't copy the attribute, like :=. It should
  instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
  wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
  crash if it attempts to load a badly formatted client definition.