-FreeRADIUS 2.0.0 ; $Date$, urgency=low
- * Fix fd leak in rlm_otp.
- * Use Cleartext-Password for "known good" password in config items,
- rather than "User-Password". This should solve a lot of problems.
- * Define Password-With-Header for LDAP-style "{crypt}...." passwords,
- to avoid overloading User-Password.
- * Permit per-socket list of clients in "listen" directives
- * Faster client lookups, to permit scaling to 10^6 or more clients.
- * Removed radrelay and radsqlrelay. See "man radrelay.conf" for
- details.
- * Full IPv6 support. The server can listen on IPv6 sockets,
- and send/receive IPv6 packets.
- * rlm_ns_mta_md5 is deprecated. rlm_pap does everything it does,
- and more.
- * The command-line options "-i ipaddr" and "-p port" now work.
- * rlm_unix no longer reads /etc/passwd (etc.) directly. See
- "man rlm_unix" for details. Also see the "authorize" section
- of "radiusd.conf".
- * Configuration files now use binary trees, which means that
- arbitrary amounts of information can be stored in them.
- * Fixed xlat's for %{config:...}. Dynamic expanstion now works
- better, so %{config:section.subsection.%{User-Name}.item" works,
- even if the User-Name contains periods. This is a cheap way
- of getting in-memory databases, as anything can be put into
- the configuration files.
- * Fix locking issues for radrelay.
- * Add radsqlrelay, which works like radrelay, but reads data
- from an SQL database.
- * rlm_ldap now auto-discovers password headers. See the "ldap"
- subsection of "modules", in "radiusd.conf" for details.
- * rlm_pap now auto-discovers password encryption/hash methods.
- See "man rlm_pap" and the "authorize" section of "radiusd.conf".
- * Don't call exit() if module instantiation files.
- * "virtual" modules can now be used. See the last bit of the
- "instantiate" section in "radiusd.conf".
- * Fix problems with Exec-Program-Wait & forking issues.
- * Configuration files can now "$INCLUDE directory/", to automatically
- load all files in that directory. Use with caution!
- * Fix for log_dest = stdout/stderr.
- * New "policy" module, which has none of the limitations of the
- "users" file. See "man rlm_policy" for details.
- * rlm_sql can now behave more like the "users" file.
- * New rlm_caching module.
- * Now uses autoconf 2.5x, and the various associated tools.
- * Include ucd-snmp-config.h, fixing use of net-snmp's
- ucd-snmp backwards compatibility mode.
- * Modules can now be load-balanced. See "doc/configurable_failover"
- * Move the Login-Time,Current-Time,Expiration attribute handling
- to new modules rlm_logintime and rlm_expiration.
- * Added %{mschap:NT-Hash <passwd>} and %{mschap: LM-Hash <passwd>},
- and update rlm_pap to handle NT/LM-hashed passwords.
- * New rlm_protocol_filter, which permits/denies requests containing
- certain attributes.
- * Don't escape printed strings during xlat's, to avoid the
- infinite expansion of backslashes..
- * Add Message-Authenticator to rlm_digest sample.
- * Correct handling of post-auth REJECT stanza to include externally and
- proxy-received rejections. (Bugzilla bug #149)
- * Fix building SNMP support on Solaris 9, which needs -lkstat
- * Fix bug in calling checkrad script with NAS port > 9999999
- * Fix long-standing bug when both crypt and pthreads are in use
+FreeRADIUS 2.1.10 Mon 01 Sep 8:00:00 CEST 2010, urgency=medium
+ Feature improvements
+ * Install the "radcrypt" program.
+ * Enable radclient to send requests containing MS-CHAPv1
+ * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120
+ This change makes PEAP testing much easier.
+ * Added more documentation and examples for the "passwd" module.
-FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03, urgency=high
- Denial-of-Service Security Fix
- * Fix two remote crashes and a memory leak in RADIUS packet
- decoding.
-
- Bug fixes.
- * Fix premature "success" during EAP/TLS handshake.
- * Dictionary handling now complains about identically named
- values with different values, and rejects dictionary
- entries with bad data
- * Update dictionaries to deal with the above change.
-
-FreeRADIUS 1.0.0 ; Date: 2004/07/17 06:31:32, urgency=low
- pre3 -> release
- * Fix LDAP dictionary map loading.
- * Check login time allowance to packet timestamp where available.
- * Compilation fix for machines without <pthread.h>.
- * Man page improvements.
- * Grab latest config.sub and config.guess (2004-03-12).
-
- pre2 -> pre3
- * Make IPv6 support work better.
- * Updated 3com dictionary.
- * Fixed MD5 code to be more portable.
+ Bug fixes
+ * Fix endless loop when there are multiple sub-options for
+ DHCP option 82.
+ * More debug output when sending / receiving DHCP packets.
+ * EAP-MSCHAPv2 should return the MPPE keys when used outside
+ of a TLS tunnel. This is needed for IKE.
+ * Added SSL "no ticket" option to prevent SSL from creating sessions
+ without IDs. We need the IDs, so this option should be set.
+ * Fix proxying of packets from inside a TTLS/PEAP tunnel.
+ Closes bug #25.
+ * Allow IPv6 address attributes to be created from domain names
+ Closes bug #82.
+ * Set the string length to the correct value when parsing double
+ quotes. Closes bug #88.
+ * No longer look users up in /etc/passwd in the default configuration.
+ This can be reverted by enabling "unix" in the "authorize" section.
+ * More #ifdef's to enable building on systems without certain
+ features.
+ * Fixed SQL-Group comparison to register only if the group
+ query is defined.
+ * Fixed SQL-Group comparison to register <instance>-SQL-Group,
+ just like rlm_ldap. This lets you have multiple SQL group checks.
+ * Fix scanning of octal numbers in "unlang". Closes bug #89.
+ * Be less aggressive about freeing "stuck" requests. Closes bug #35.
+ * Fix example in "originate-coa" to refer to the correct packet.
+ * Change default timeout for dynamic clients to 1 hour, not 1 day.
+ * Allow passwd module to map IP addresses, too.
+ * Allow passwd module to be used for CoA packets
+ * Put boot filename into DHCP header when DHCP-Boot-Filename
+ is specified.
+ * raddb/certs/Makefile no longer has certs depend on index.txt and
+ serial. Closes bug #64.
+ * Ignore NULL errorcode in PostgreSQL client. Closes bug #39
+ * Made Exec-Program and Exec-Program-Wait work in accounting
+ section again. See sites-available/default.
+ * Fix long-standing memory leak in esoteric conditions. Found
+ by Jerry Nichols.
+ * Added "Password-With-Header == userPassword" to raddb/ldap.attrmap
+ This will automatically convert more passwords.
+ * Updated rlm_pap to decode Password-With-Header, if it was base64
+ encoded, and to treat the contents as potentially binary data.
+ * Fix Novell eDir code to use the right function parameters.
+ Closes bug #86.
+ * Allow spaces to be escaped when executing external programs.
+ Closes bug #93.
+ * Be less restrictive about checking permissions on control socket.
+ If we're root, allow connecting to a non-root socket.
+ * Remove control socket on normal server exit. If the server isn't
+ running, the control socket should not exist.
+ * Use MS-CHAP-User-Name as Name field from EAP-MSCHAPv2 for MS-CHAP
+ calculations. It *MAY* be different (upper / lower case) from
+ the User-Name attribute. Closes bug #17.
+ * If the EAP module fails, more SSL errors are now in
+ Module-Failure-Message.
+ * Update Oracle configure scripts. Closes bug #57.
+ * Added text to DESC fields of doc/examples/openldap.schema
+
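Review bot: Three items under "Bug fixes" in the 2.1.10 block change default security behaviour rather than fix a defect, and an administrator skimming for upgrade impact will miss them there: "No longer look users up in /etc/passwd in the default configuration", "Change default timeout for dynamic clients to 1 hour, not 1 day", and "Be less restrictive about checking permissions on control socket". Suggest moving them under their own heading for changed defaults; the /etc/passwd item already says how to revert, and the other two should do the same. For the control socket item, state which permission checks still apply when the caller is not root. Separately, the header reads "Mon 01 Sep 8:00:00 CEST 2010", but 1 September 2010 was a Wednesday, so the date line needs checking.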
+FreeRADIUS 2.1.9 Mon 24 May 8:00:00 CEST 2010, urgency=medium
+ Feature improvements
+ * Add radmin command "stats detail <file>" to see what
+ is going on inside of a detail file reader.
+ * Added documentation for CoA. See raddb/sites-available/coa
+ * Add sub-option support for Option 82. See dictionary.dhcp
+ * Add "server" field to default SQL NAS table, and documented it.
- pre1 -> pre2
- * Updated SQL onoff query
- * Updated Nomadix, RedBack and Valemont dictionaries.
- * MD4/MD5 fixes.
- * Don't complain about ports we're listening on when HUP'd.
- * Permit -i to work for radclient.
- * Fix bug in new proxy code.
- * rlm_passwd is now a little friendlier.
+ Bug fixes
+ * Reset "received ping" counter for Status-Server checks. In some
+ corner cases it was not getting reset.
+ * Handle large VMPS attributes.
+ * Count accounting responses from a home server in SNMP / statistics
+ code.
+ * Set EAP-Session-Resumed = Yes, not "No" when session is resumed.
+ * radmin packet counter statistics are now unsigned, for numbers
+ 2^31..2^32. After that they roll over to zero.
+ * Be more careful about expanding data in PAP and MS-CHAP modules.
+ This prevents login failures when passwords contain '{'.
+ * Clean up zombie children if there were many "exec" modules being
+ run for one packet, all with "wait = no".
+ * re-open log file after HUP. Closes bug #63.
+ * Fix "no response to proxied packet" complaint for Coa / Disconnect
+ packets. It shouldn't ignore replies to packets it sent.
+ * Calculate IPv6 netmasks correctly. Closes bug #69.
+ * Fix SQL module to re-open sockets if they unexpectedly close.
+ * Track scope for IPv6 addresses. This lets us use link-local
+ addresses properly. Closes bug #70.
+ * Updated Makefiles to no longer use the shell for recursing into
+ subdirs. "make -j 2" should now work.
+ * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes
+ bug #75.
+ * Updated Makefiles so that "make reconfig" no longer uses the shell
+ for recursing into subdirs, and re-builds all "configure" files.
+ * Used above method to regenerate all configure scripts.
+ Closes bug #34.
+ * Updated SQL module to allow "server" field of "nas" table
+ to be blank: "". This means the same as it being NULL.
+ * Fixed regex realm example. Create Realm attribute with value
+ of realm from User-Name, not from regex. Closes bug #40.
+ * If processing a DHCP Discover returns "fail / reject", ignore
+ the packet rather than sending a NAK.
+ * Allow '%' to be escaped in sqlcounter module.
+ * Fix typo internal hash table.
+ * For PEAP and TTLS, the tunneled reply is added to the reply,
+ rather than integrated via the operators. This allows multiple
+ VSAs to be added, where they would previously be discarded.
+ * Make request number unsigned. This changes nothing other than
+ the debug output when the server receives more than 2^31 packets.
+ * Don't block when reading child output in 'exec wait'. This means
+ that blocked children get killed, instead of blocking the server.
+ * Enabled building without any proxy functionality
+ * radclient now prefers IPv4, to match the default server config.
+ * Print useful error when a realm regex is invalid
+ * relaxed rules for preprocess module "with_cisco_vsa_hack". The
+ attributes can now be integer, ipaddr, etc. (i.e. non-string)
+ * Allow rlm_ldap to build if ldap_set_rebind_proc() has only
+ 2 arguments.
+ * Update configure script for rlm_python to avoid dynamic linking
+ problems on some platforms.
+ * Work-around for bug #35
+ * Do suid to "user" when running in debug mode as root
+ * Make "allow_core_dumps" work in more situations.
+ * In detail file reader, treat bad records as EOF.
+ This allows it to continue working when the disk is full.
+ * Fix Oracle default accounting queries to work when there are no
+ gigawords attributes. Other databases already had the fix.
+ * Fix rlm_sql to show when it opens and closes sockets. It already
+ says when it cannot connect, so it should say when it can connect.
+ * "chmod -x" for a few C source files.
+ * Pull update spec files, etc. from RedHat into the redhat/ directory.
+ * Allow spaces when parsing integer values. This helps people who
+ put "too much" into an SQL value field.
+
+FreeRADIUS 2.1.8 Wed 30 Dec 16:44:50 CEST 2009, urgency=medium
+ Feature improvements
+ * Print more descriptive error message for too many EAP sessions.
+ This gives hints on what to do when "failed to store handler"
+ * Moved illegal attributes to dictionary.ascend.illegal and
+ dictionary.usr.illegal. You may need to manually re-enable them.
+ * Allow old-style dictionary formats, where the vendor name is the
+ last entry on a line.
- Non source-code changes
- * Preliminary tests indicate that the server builds and runs on
- Interix (SFU on Windows XP).
- * EAP module configuration is now in "raddb/eap.conf", as it was
- getting large.
- * Updated GPL boilerplate in the source.
- * Added new RFC's to doc/rfc/
- * Added more "man" pages for many of the modules. Many of the
- 'doc/rlm_*' files have been deleted, and replaced with 'man' pages.
- * Added many new dictionaries: 3GPP, 3GPP2, Propel, Karlnet,
- Sonicwall, Navini, Bristol University, Valemont, Mikrotik.
- * doc/configurable_failover is now understandable by mere humans.
- * Update scripts/rc.radiusd with examples of how to deal with
- shared library issues.
- * Added demo certs.
- * Updates to configure scripts for MySQL.
- * Updated doc/tuning_guide, with comments about SQL.
-
- Core feature improvements
- * Many, many minor bug fixes and feature enhancements.
- * Added "reject" action in configurable failover for modules
- * Added a "listen" directive, which supersedes the old
- "bind_address" and "port" directives. "listen" allows much
- finer-grained control over what IP's, ports, and packets the
- server pays attention to.
- * The proxy code has been updated to work properly, and to
- allocate new sockets for proxying packets when there are more
- than 256 requests outstanding to a home server. Many thanks
- to Stephen Jaeger for help in debugging the new feature.
- * Regular expression matches in brackets can now be referenced
- as in Perl, via %{1}, %{2}, etc.
- * added ability for mschap module to use ntlm_auth, to perform
- MS-CHAPv1 and MS-CHAPv2 authentication against a Windows
- Domain Controller.
- * Check return value from registered xlat functions. If return
- value is 0, treat the attribute as not found. This lets things
- like %{sql: select... :-FAILED} work.
- * Realms can now be configured to ignore DEFAULT and NULL
- realms. This makes prefix/suffix realms co-exists a little
- better.
- * Added red-black tree implementation to src/lib. The
- dictionaries now use it, rather than singly linked lists. Tests
- indicate that the server is up to 30% faster.
- * Updated MSCHAP module to be able to better deal with Windows
- machines which put a username with domain into User-Name, but
- which use only the username to create the MS-CHAP-Response.
- * Made "hints" file more generic and flexible, without changing
- old functionality.
- * Enhanced configuration file variable handling. See
- doc/variables.txt for details.
- * Checks for OpenSSL now enforce version number, and are common
- across all modules, rather than being duplicated.
- * Implement "udpfromto", which allows the server to work better in
- LVS. Code from Jan Berkel and Miquel van Smoorenburg. To use
- it, do: ./configure --with-udpfromto=yes
- * Re-arranged "walk over cached requests" code for clarity.
- * The server now keeps more SNMP statistics about the packets it
- has processed.
- * De-coupled the queue of input requests from the pool of threads.
- This allows "spikes" of requests to be queued, even though all
- threads are busy. This change significantly increases the
- servers ability to process large numbers of requests on a
- multi-CPU machine.
- * Re-arranged the internal "core" request handling code, to
- make a little more sense.
- * Removed support for Replicate-To-Realm. Use radrelay.
- * Print & parse unknown attributes as Attr-%d, Vendor-%d-Attr-%d,
- or VendorName-Attr-%d.
- * rlm_passwd is now marked "stable", and has many bugs fixed.
- * More flexible configuration for rlm_ldap.
- * New implementation of parser for Ascend's data filter
- attributes, that is now thread-safe and GPL'd.
- * Preliminary (not entirely complete) support for IPv6 attributes,
- including IFID.
- * Added support for rejected packets to run an Post-Auth-Type REJECT
- stanza instead of skipping post-auth entirely.
- * Added support for %{*:Packet-Type} translation. (Not for %{check:})
- * Added support for %{check:Attribute-Name} to go with
- %{request:Attribute-Name} and the like.
- * Add support to rlm_sql for post-authentication query execution.
- * Add support to rlm_sql for accounting_update_query_alt
- * Add support for supplementary groups of switched-to user
- * Add support for xlat-ing backquoted reply values from SQL queries.
- * Add Public Domain MD5 implementation by Colin Plumb
- * Add Public Domain MD4 implementation by Colin Plumb and
- Todd C. Miller
- * Remove smbdes.c from libradius, and add to rlm_mschap and
- rlm_eap_leap
- * Replace GPL'd snprintf.c in libradius with LGPL'd snprintf.[ch]
-
- EAP-module feature improvements
- * Allow checking of EAP identity against certificate.
- * EAP-TLS now checks Certificate Revocation List
- * Added EAP-TTLS support in rlm_eap. Tested with many clients,
- and with tunneled PAP, CHAP, MS-CHAP, MSCHAPv2, EAP-MD5,
- EAP-MSCHAPv2, and EAP-GTC.
- * Added EAP-PEAP support, with tunneled EAP-MSCHAP-V2, and EAP-GTC.
- Patch from Masao Nishiku. (Many, many thanks!)
- * Added EAP-SIM.
- * Enabled proxying of the authentication request which is tunneled
- inside of PEAP and TTLS.
-
- Utility improvements
- * Add support to checkrad.pl for mikrotik-brand NASs over SNMP
- * Added rlm_ippool_tool, by Edwin Groothuis.
- * Updates to radclient, so that you can specify multiple '-f'
- options, and it will send those packets in parallel. This
- allows for significantly higher packet rates when load testing.
-
Bug fixes
- * Fix a bug in the attr_filter module, which would throw away
- the tag from tagged attributes.
- * Bug fixes to thread handling from Malcolm Caldwell.
- * Fixed a bug in libltdl which printed the wrong error message
- when trying to link to a library. Found by Paul Stewart.
- * Correct error condition in rlm_krb5. Patch from Jon Moore.
- * Updates for 64-bit systems.
- * Patch to make ctime_r work on non-compliant platforms.
- Patch from Oliver Graf.
- * Updates to rlm_ippool for stability.
- * Catch packets which are just about 4K in size.
- Bug found by Nils-Henner Krueger.
- * Many fixes to the SQL module & sub-modules.
-
-FreeRADIUS 0.9.3 ; Date: 2003/11/20 20:15:48, urgency=high
-
- * Change rlm_eap to not log an error if given a non-EAP packet
- * Fix rlm_ippool's call to pod2man for perl versions before 5.6
- * Fix a remote DoS and due to mis-handling of tagged attributes,
- and Tunnel-Password attribute.
+ * DHCP sockets now set the broadcast flag before binding to a
+ socket. You should set "broadcast = yes" in the DHCP listener.
+ * Be more restrictive on string parsing in the config files
+ * Fix password length in scripts/create-users.pl
+ * Be more flexible about parsing the detail file. Allow
+ operators other than "=" to be used.
+ * Ensure that requests read from the detail file are cleaned up
+ (i.e. don't leak) if they are proxied without a response.
+
+FreeRADIUS 2.1.7 Mon Sept 14 11:20:00 CEST 2009; , urgency=medium
+ Feature improvements
+ * Full support for CoA and Disconnect packets as per RFC 3576
+ and RFC 5176. Both receiving and proxying CoA is supported.
+ * Added "src_ipaddr" configuration to "home_server". See
+ proxy.conf for details.
+ * radsniff now accepts -I, to read from a filename instead of
+ a device.
+ * radsniff also prints matching requests and any responses to those
+ requests when '-r' is used.
+ * Added example of attr_filter for Access-Challenge packets
+ * Added support for udpfromto in DHCP code
+ * radmin can now selectively mark modules alive/dead.
+ See "set module state".
+ * Added customizable messages on login success/fail.
+ See msg_goodpass && msg_badpass in log{} section of radiusd.conf
+ * Document "chase_referrals" and "rebind" in raddb/modules/ldap
+ * Preliminary implementation of DHCP relay.
+ * Made thread pool section optional. If it doesn't exist,
+ the server will run single-threaded.
+ * Added sample radrelay.conf for people upgrading from 1.x
+ * Made proxying more stable by failing over, rather than
+ rejecting the first request. See "response_window" in proxy.conf
+ * Allow home_server_pools to exist without realms.
+ * Add dictionary.iea (closes bug #7)
+ * Added support for RFC 5580
+ * Added experimental sql_freetds module from Gabriel Blanchard.
+ * Updated dictionary.foundry
+ * Added sample configuration for MySQL cluster in raddb/sql/ndb
+ See the README file for explanations.
-FreeRADIUS 0.9.2 ; Date: 2003/10/14 19:00:09, urgency=low
-
- * New rlm_ippool code to fix IP leaks
- * New rlm_ippool_tool for manipulation of rlm_ippool databases
-
- * Change radrelay to reject records without an Acct-Status-Type attribute
- * Change rlm_counter to reject packets which predate last server reset
- * Change version output to include GNU GPL information
- * Change rlm_ldap to output bad search filters
-
- * Fix compilation of various modules when not building with pthreads
- * Fix segfault due to poorly initialised value in rlm_mschap
- * Fix to only reject packets once
- * Fix rlm_exec to work when wait=no
- * Fix rlm_attr_filter to work in post-proxy (as intended)
- * Fix rlm_sql to only try to load SQL drivers
- * Fix to orrectly limit size of RADIUS packets
- * Fix usage information to output to stdout when used with -h flag
- * Fix configure to assume gethostbyname is BSD-Style on FreeBSD
-
-FreeRADIUS 0.9.1 ; Date: 2003/09/04 14:56:34, urgency=low
-
- * Replicate-To-Realm is deprecated, and hence no longer documented
- * Document rlm_detail support for authorize and post-auth sections
- * Improve slightly MySQL accounting record SQL query
- * Opaquefied CHAP-Challenge
- * Add attributes to Nomadix dictionary
- * Fix rlm_exec's parsing of non-attribute return values
- * Fix for a segfault while reading config files
- * Fix for a segfault regarding hostname lengths
- * Fix for a segfault while reading deprecated config files
- * Fix compilation of radiusd.c when threads are disabled
- * Recover from inability to relay
- * Stop complaining in error log when a system call is interrupted.
- * Don't print binary CHAP-Passwords into the logs
- * Successfully detect GNU dbm >= 1.8.1's dbm compatibility library
- * Fix rlm_unix to deal with requests without a username
- * Fix "uninmplemented function" crash in postgresql driver on -HUP
- * Revert INTERVAL types to BIGINT in postgresql example schema
- * Fix radrelay to notice when it's out of IDs
- * Fix radrelay to correctly skip bad attributes
- * Fix radrelay to not leak IDs when discarding packets
- * Fix configure to correctly identify systems without SYSV or GNU-style
- gethostby{addr,name}_r.
-
-FreeRADIUS 0.9.0 ; Date: 2003/07/04 21:01:29, urgency=low
+ Bug fixes
+ * Fixed corner case where proxied packets could have extra
+ character in User-Password attribute. Fix from Niko Tyni.
+ * Extended size of "attribute" field in SQL to 64.
+ * Fixes to ruby module to be more careful about when it builds.
+ * Updated Perl module "configure" script to check for broken
+ Perl installations.
+ * Fix "status_check = none". It would still send packets
+ in some cases.
+ * Set recursive flag on the proxy mutex, which enables safer
+ cleanup on some platforms.
+ * Copy the EAP username verbatim, rather than escaping it.
+ * Update handling so that robust-proxy-accounting works when
+ all home servers are down for extended periods of time.
+ * Look for DHCP option 53 anywhere in the packet, not just
+ at the start.
+ * Fix processing of proxy fail handler with virtual servers.
+ * DHCP code now prints out correct src/dst IP addresses
+ when sending packets.
+ * Removed requirement for DHCP to have clients
+ * Fixed handling of DHCP packets with message-type buried in the packet
+ * Fixed corner case with negation in unlang.
+ * Minor fixes to default MySQL & PostgreSQL schemas
+ * Suppress MSCHAP complaints in debugging mode.
+ * Fix SQL module for multiple instance, and possible crash on HUP
+ * Fix permissions for radius.log for sites that change user/group,
+ but which don't create the file before starting radiusd.
+ * Fix double counting of packets when proxying
+ * Make %l work
+ * Fix pthread keys in rlm_perl
+ * Log reasons for EAP failure (closes bug #8)
+ * Load home servers and pools that aren't referenced from a realm.
+ * Handle return codes from virtual attributes in "unlang"
+ (e.g. LDAP-Group). This makes "!(expr)" work for them.
+ * Enable VMPS to see contents of virtual server again
+ * Fix WiMAX module to be consistent with examples. (closes bug #10)
+ * Fixed crash with policies dependent on NAS-Port comparisons
+ * Allowed vendor IDs to be be higher than 32767.
+ * Fix crash on startup with certain regexes in "hints" file.
+ * Fix crash in attr_filter module when packets don't exist
+ * Allow detail file reader to be faster when "load_factor = 100"
+ * Add work-around for build failures with errors related to
+ lt__PROGRAM__LTX_preloaded_symbols. libltdl / libtool are horrible.
+ * Made ldap module "rebind" option aware of older, incompatible
+ versions of OpenLDAP.
+ * Check value of Fall-Through in attr_filter module.
+
+FreeRADIUS 2.1.6 Mon May 18 10:00:00 CEST 2009; urgency=medium
+ Feature improvements
+ * radclient exits with 0 on successful (accept / ack), and 1
+ otherwise (no response / reject)
+ * Added support for %{sql:UPDATE ..}, and insert/delete
+ Patch from Arran Cudbard-Bell
+ * Added sample "do not respond" policy. See raddb/policy.conf
+ and raddb/sites-available/do_not_respond
+ * Cleanups to Suse spec file from Norbert Wegener
+ * New VSAs for Juniper from Bjorn Mork
+ * Include more RFC dictionaries in the default install
+ * More documentation for the WiMAX module
+ * Added "chase_referrals" and "rebind" configuration to rlm_ldap.
+ This helps with Active Directory. See raddb/modules/ldap
+ * Don't load pre/post-proxy if proxying is disabled.
+ * Added %{md5:...}, which returns MD5 hash in hex.
+ * Added configurable "retry_interval" and "poll_interval"
+ for "detail" listeners.
+ * Added "delete_mppe_keys" configuration option to rlm_wimax.
+ Apparently some WiMAX clients misbehave when they see those keys.
+ * Added experimental rlm_ruby from
+ http://github.com/Antti/freeradius-server/tree/master
+ * Add Tunnel attributes to ldap.attrmap
+ * Enable virtual servers to be reloaded on HUP. For now, only
+ the "authorize", "authenticate", etc. processing sections are
+ reloaded. Clients and "listen" sections are NOT reloaded.
+ * Updated "radwatch" script to be more robust. See scripts/radwatch
+ * Added certificate compatibility notes in raddb/certs/README,
+ for compatibility with different operating systems. (i.e. Windows)
- * Many, many, bug fixes and feature enhancements.
- * radrelay now updates packet 'id' on retransmissions.
- * More checks for thread-safe functions.
- * Fix CHAP related buffer overflow (ouch!), thanks to Masao NISHIKU.
- * Issue warnings if deprecated configuration files are used.
- * rlm_passwd can now add items to the reply, request, or config items.
- * The rlm_digest, rlm_exec, and rlm_ippool modules are now marked
- as 'stable', and included in the default build.
- * Removed 'raduse'. No one has used it for years.
- * Massive fixes for Debian packaging.
- * radclient can now send "disconnect" packets, to NASes which
- support it. The server, however, CANNOT send disconnect packets.
- * Made Auth-Type, Acct-Type, etc. names consistent across
- dictionary files and radiusd.conf. The old (inconsistent) names
- are still allowed for backwards compatibility.
- * Cleaned up problems with the rlm_sql module.
- * Updates to the rlm_ldap module.
- * rlm_mschap no longer reads SMB password files. See rlm_passwd,
- instead.
- * Changed default entry in the 'users' file to 'Auth-Type = System',
- to allow EAP and Digest authentication to work automagically.
- * Support for Cisco LEAP.
- * Added many new dictionaries (Extreme, Wispr, ERX, Netscreen...)
- * Removed support for ATTRIB_NMC. It is now handled (better)
- in a different manner.
- * Dictionaries have been moved from /etc/raddb to /usr/share/freeradius
- * Many documentation updates
- * Ignore whitespace-only lines in the 'users' file.
- * Patch to fix 'rlm_realm' from returning the DEFAULT entry when
- we are looking for the NULL entry and it doesn't exist. Bug
- noted by Nathan Miller.
- * Disable child process spawning if we don't have threads.
- The code doesn't work, so it's better to force the server
- to run in single-process mode.
- * New rlm_exec module, which allows a more generic way of
- executing external programs.
- * Preliminary large file support in 'configure' and in the server,
- to support 2G+ detail files.
- * Install documentation into /usr/local/share/doc/freeradius
- * New/updated dictionaries for RedCreek, Bintec, Alcatel,
- ITK, Telebit, and Cabletron.
- * Updates to allow building on MAC OSX.
- * Add support for Acct-Type,Session-Type and PostAuth-Type
- * Removed builddbm. It hasn't been used for ages.
- * Added new post_proxy section, based on patch from Chris Brotsos.
- * rlm_counter shouldn't reset the counters on instantiation,
- if the reset is set to 'never'.
- * Significant updates to the rlm_python and rlm_perl modules
- * Fix the rlm_pap module to handle password lengths properly.
- * Do SQL 'close' on bad sockets, to prevent descriptor leaks
- * Case insensitivity option for rlm_radutmp
- * New pseudo-round-robin load balancing for realms.
- * Suppress empty SQL queries.
- * Include strong PRNG
- * Create 'snmp' configuration directive, so that we can disable
- SNMP at run time, even if it's built into the server.
- * Refresh realm as 'active' when we see a response from it,
- Based on a patch by Angelos Karageorgiou.
- * Don't core dump if Status-Server is received, but it's disabled.
- * Support more variants of character fields in Oracle.
- Patch from Stocker Gernot.
- * Better parsing of dictionary files.
- * Alteon web switch dictionary, from Thomas Linden
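Review bot: The removed 1.0.1, 0.9.3 and 0.9.0 entries carry the record of past security fixes ("Denial-of-Service Security Fix" with urgency=high, "Fix a remote DoS", "Fix CHAP related buffer overflow"), and nothing in the visible lines says where that history now lives. Someone auditing an old deployment needs to know which release fixed which issue, so either keep the security-relevant entries or add a one-line pointer to wherever the 0.x and 1.x changelog is archived.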
+ Bug fixes
+ * Minor changes to allow building without VQP.
+ * Minor fixes from John Center
+ * Fixed raddebug example
+ * Don't crash when deleting attributes via unlang
+ * Be friendlier to very fast clients
+ * Updated the "detail" listener so that it only polls once,
+ and not many times in a row, leaking memory each time...
+ * Update comparison for Packet-Src-IP-Address (etc.) so that
+ the operators other than '==' work.
+ * Did autoconf magic to work around weird libtool bug
+ * Make rlm_perl keep tags for tagged attributes in more situations
+ * Update UID checking for radmin
+ * Added "include_length" field for TTLS. It's needed for RFC
+ compliance, but not (apparently) for interoperability.
+
+FreeRADIUS 2.1.5 Sun Jan 1 1:1:00 CEST 2009; , urgency=medium
+ * Release number skipped due to procedural issues.
+
+FreeRADIUS 2.1.4 Tue Mar 10 17:05:00 CEST 2009; , urgency=medium
+ Feature improvements
+ * Permit multiple "-e" in radmin.
+ * Add support for originating CoA-Request and Disconnect-Request.
+ See raddb/sites-available/originate-coa.
+ * Added "lifetime" and "max_queries" to raddb/sql.conf.
+ This helps address the problem of hung SQL sockets.
+ * Allow packets to be injected via radmin. See "inject help"
+ in radmin.
+ * Answer VMPS reconfirmation request. Patch from Hermann Lauer.
+ * Sample logrotate script in scripts/logrotate.freeradius
+ * Add configurable poll interval for "detail" listeners
+ * New "raddebug" command. This prints debugging information from
+ a running server. See "man raddebug.
+ * Add "require_message_authenticator" configuration to home_server
+ configuration. This makes the server add Message-Authenticator
+ to all outgoing Access-Request packets.
+ * Added smsotp module, as contributed by Siemens.
+ * Enabled the administration socket in the default install.
+ See raddb/sites-available/control-socket, and "man radmin"
+ * Handle duplicate clients, such as with replicated or
+ load-balanced SQL servers and "readclients = yes"
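Review bot: The 2.1.4 entry "Enabled the administration socket in the default install" changes default behaviour but sits among ordinary feature items, a few lines after "Allow packets to be injected via radmin". State in the entry what access the socket grants by default and who can connect to it, so that someone upgrading can decide whether to disable raddb/sites-available/control-socket. Separately, the 2.1.5 header "Sun Jan 1 1:1:00 CEST 2009" is not a usable timestamp (1 January 2009 was a Thursday and the time is not zero-padded), and `See "man raddebug.` is missing its closing quote.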
-FreeRADIUS 0.8 ; Date: 2002/11/18 15:37:24, urgency=low
+ Bug fixes
+ * Clean up control sockets when they are closed, so that we don't
+ leak memory.
+ * Define SUN_LEN for systems that don't have it.
+ * Correct some boundary conditions in the conditional checker ("if")
+ in "unlang". Bug noted by Arran Cudbard-Bell.
+ * Work around minor building issues in gmake. This should only
+ have affected developers.
+ * Change how we manage unprivileged user/group, so that we do not
+ create control sockets owned by root.
+ * Fixed more minor issues found by Coverity.
+ * Allow raddb/certs/bootstrap to run when there is no "make"
+ command installed.
+ * In radiusd.conf, run_dir depends on the name of the program,
+ and isn't hard-coded to "..../radiusd"
+ * Check for EOF in more places in the "detail" file reader.
+ * Added Freeswitch dictionary.
+ * Chop ethernet frames in VMPS, rather than droppping packets.
+ * Fix EAP-TLS bug. Patch from Arnaud Ebalard
+ * Don't lose string for regex-compares in the "users" file.
+ * Expose more functions in rlm_sql to rlm_sqlippool, which
+ helps on systems where RTLD_GLOBAL is off.
+ * Fix typos in MySQL schemas for ippools.
+ * Remove macro that was causing build issues on some platforms.
+ * Fixed issues with dead home servers. Bug noted by Chris Moules.
+ * Fixed "access after free" with some dynamic clients.
+
+FreeRADIUS 2.1.3 Fri Dec 5 17:40:00 CEST 2008; , urgency=medium
+ Feature improvements
+ * Allow running with "user=radiusd" and binding to secure
+ sockets.
+ * Start sending Status-Server "are you alive" messages earlier,
+ which helps with proxying multiple realms to a home server.
+ * Removed thread pool code from rlm_perl. It's not necessary.
+ * Added example Perl configuration to raddb/modules/perl
+ * Force OpenSSL to support certificates with SHA256.
+ This seems to be necessary for WiMAX certs.
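Review bot: "Fix EAP-TLS bug. Patch from Arnaud Ebalard" in the 2.1.4 bug fixes does not say what was wrong. EAP-TLS is an authentication path, so the entry should state the symptom (crash, failed handshake, incorrect accept) so that operators can judge how urgently they need the upgrade. The same applies to "Fixed "access after free" with some dynamic clients": call it a use-after-free and say whether received packets can trigger it. Typo in the same block: "droppping".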
- * Added Oracle-specific queries.
- * Updated SQL queries to match schema.
- * PostGreSQL reconnect patch.
- * Added documentation on how to build on MAC OSX.
- * Allowed SQL module to ignore unknown Acct-Status-Type values.
- * Updated PostGreSQL queries and schema.
- * Updated the log rotation configuration files.
- * Colubris and updated Nomadix dictionaries, from Marko Myllynen.
- * Normalized error messages from the SQL modules, so that they're
- more informative.
- * Added Suse specific directory and configuration files, from
- Peter Nixon
- * SQL fail-over patch, so that the module returns FAIL if
- the back-end database is down. Based on a patch from
- Thomas Jalsovsky.
- * Cleaned up the internal handling of the configuration
- information, in preparation for better handling SIGHUP.
- * Updated rlm_krb5 configuration to better find it's libraries
- and include files.
- * radclient now complains if it receives a reply from a machine
- other than the one to which it sent the request.
- * Updated Postgresql SQL queries to get the operator, too.
- * Added Juniper dictionary.
- * Added Cisco VPN3000, VPN5000, and BBSM dictionaries.
- * New platform-neutral 'rc.radiusd'
- * Configuration files with private information get chmod'd
- 0600 after installation.
- * Preliminary support for clean shutdowns when a SIGTERM is
- received.
- * SNMP timeouts for checkrad, so there will be fewer situations
- where it hangs for 30 seconds...
- * Added code to clean up modules and memory when asked to exit
- via SIGTERM.
- * Removed all need for the old-style 'naslist' and 'client' files,
- and noted that they are deprecated.
- * Added support for Status-Server packets, stolen shamelessly
- from Cistron RADIUSD. This is despite the RFC's saying such
- things are wrong.
- * Bug fixes to rlm_dbm.
- * Updates for checkrad, max40xx routine, from Aleksandr Kuzminsky.
- * Disable caching of passwords for the Unix module. It was
- causing too much confusion.
- * Fix a memory leak when proxying Authentication-Request's
- * Attributes which are not found in the dictionary are now of
- type 'octets', instead of 'string'.
- * Support for "round-robin" load balancing, when proxying requests
- to multiple servers for one realm.
- * Minor changes for better HPUX support.
- * Updated the documentation and README's
- * Made FreeTDS build ONLY after hand-editing, as the FreeTDS
- libraries are in a state of flux, due to active development.
- * Fixes to help build the server on MAC OSX
- * Cisco VPN 3000 dictionary, as posted to the list by Chris Deramus.
- * Fix EAP problems with retransmission, from Rainer Weikusat.
- * Updates to the Oracle module, from Andrea Gabellini.
- * In xlat, Unix timestamps are unsigned ints.
- * Security fixes for the Kerberos Module.
- * New 'post-auth' section, to do additional processing of
- requests after they've been authenticated.
- * doc/aaa.txt describes how the server works.
- * More uniform encoding/decoding of passwords, so that they will
- be seen as clear-text where possible.
- * radwho and radzap now read 'radiusd.conf' to discover where the
- radutmp files are located. Patch from Andrea Gabellini.
- * Preliminary 'expression' module, to allow you to do cool things
- like: Session-Timeout = `%{expr:3600 - %{sql:SELECT ...}}`
- * Added ability to do xlat on check items, and reply items,
- so that the value of the reply attributes can be dynamically
- generated.
- * Added MIBs, taken from the RFC's. This makes SNMP queries to
- the server a little easier to set up.
- * Don't SEGV when we receive a packet which is larger than the
- size claimed in the RADIUS portion. Patch from Vaughn Skinner.
- * SNMP patches from Harrie Hazewinkel.
- * Added Altiga dictionary, from Calum <calum.aug02@umtstrial.co.uk>
- * New Rewrite-Rule for rlm_attr_rewrite, to selectively choose
- which rewrite rule is performed, and when.
- * Minor bug fixes for radrelay.
- * Bug fixes in SQL and sub-modules.
- * Major updates to dialup_admin.
- * Fixed handling of tagged string attributes, so that the server
- doesn't go off into never-never land.
- * Cleaned up experimental rlm_smb, so that it builds on more
+ Bug fixes
+ * Fix Debian patch to allow it to build.
+ * Fix potential NULL dereference in debugging mode on certain
+ platforms for TTLS and PEAP inner tunnels.
+ * Fix uninitialized memory in handling of vendor definitions
+ * Fix parsing of quoted (but non-string) attributes in the "users"
+ file.
+ * Initialize uknown NAS IP to 255.255.255.255, rather than 0.0.0.0
+ * use SUN_LEN in control socket, to avoid truncation on some
platforms.
- * Don't over-write request->reply->vps with the Reply-Message,
- when doing authentication rejects with Exec-Program-Wait.
- * Added 'instantiate' section, so that modules like 'expr',
- with only an 'xlat' function can be registered.
- * Allow '{' and '}' in xlat'd strings.
- * C++ compatibility patch from Andrey Kotrekhov, for libradius.
- * Automatically decrypt/encrypt User-Password, so that debugging
- mode will print out the text password, and not the random
- garbage it previously showed.
- * Cleaned up header files and function prototypes for the SQL
- sub-modules.
-
-FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high
-
- * Allow attributes of type 'date' to be sent in outgoing packets.
- Bug found by Loh John Wu <ljwu@sandvine.com>
- * Add 'Realm' attribute, even if it's a LOCAL realm.
- Bug noted by Chris Brotsos.
- * Added experimental SMB authentication module, which uses
- PAP passwords to authenticate against an NT-Domain.
- NT/LM-passwords are not currently supported.
- * More documentation for rlm_passwd, rlm_mschap, and rlm_digest.
- * 'configure' changes to better find sem_init and friends.
- * Allow the use of previously installed libtool, and libltdl.
- This appears to help a lot on FreeBSD.
- * Fixes to work on non-threaded builds.
- Patch from Rainer Weikusat.
- * SQL now re-connects to the server, if the connection is lost.
- Currently only MySQL is fixed, but other patches will follow.
- Patch from Todd T. Fries.
- * Added experimental use of dynamicly translated variables,
- CallBack-Number = `%{request:Calling-Station-Id}`
- sets the value of the CallBack-Number attribute to the value of
- the Calling-Station-Id in the original request.
- * Cute hack: Allow regex matching on IP addresses, by placing
- the string representation of the IP address (1.2.3.4) into
- the internal data structure. This allows things like
- NAS-IP-Address =~ "^192\.168", which may be useful.
- * Add documentation for experimental rlm_dbm module.
- * Added experimental Perl module.
- * Added the relevant IETF RFC's (standards documents) to 'doc/rfc',
- along with some simple perl scripts to convert them to cross-
- referenced HTML.
- * Updated the experimental Python module.
- * Added Cisco SSG VSA's
- * When rejecting authentication due to external Exec-Program, do
- NOT free the reply pairs, as the server core will take care of
- doing that. Bug noted by Thomas Jalsovsky
- * New experimental module: rlm_cram
- Supports APOP, CRAM-MD5, CRAM-MD4, CRAM-SHA1 with it's own
- VSA's. This module may be used for SMTP/POP3/IMAP4 server
- authentication.
- * Make Exec-Program and Exec-Program-Wait work in debugging mode.
- * Finalize the radrelay additions, based on Cistron RADIUS
- Patches from Simon <lists@routemeister.net>
- * Fix issues with linking, by making libradius shared.
- * Fix issues with MD4, MD5, SHA1, and use of OpenSSL
- * Update rlm_x99_token module to compile.
+ * Correct internal handling of "debug condition" to prevent it
+ from being over-written.
+ * Check return code of regcomp in "unlang", so that invalid
+ regular expressions are caught rather than mishandled.
+ * Make rlm_sql use <ltdl.h>. Addresses bug #610.
+ * Document list "type = status" better. Closes bug #580.
+ * Set "default days" for certificates, because OpenSSL won't
+ do it. This closes bug #615.
+ * Reference correct list in example raddb/modules/ldap.
+ Closes #596.
+ * Increase default schema size for Acct-Session-Id to 64.
+ Closes #540.
+ * Fix use of temporary files in dialup-admin. Closes #605
+ and addresses CVE-2008-4474.
+ * Addressed a number of minor issues found by Coverity.
+ * Added DHCP option 150 to the dictionary. Closes #618.
+
+FreeRADIUS 2.1.2 Thurs Dec 3 10:47:00 CEST 2008; , urgency=medium
+ Due to packaging issues, 2.1.2 has been pulled from the net.
+
+FreeRADIUS 2.1.1 Thu Sep 25 11:03:00 CEST 2008; , urgency=medium
+ Feature improvements
+ * Many more options and features in radmin. See "man radmin" and
+ raddb/sites-available/control-socket
+ * Many more commands available via the control socket. Connect
+ via "radmin", and type "help" for more information.
+ * Added dictionary.networkphysics and dictionary.lancom.
+ * Calculate WiMAX MIP keys, and added sample WiMAX SQL tables.
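Review bot: The CVE-2008-4474 fix ("Fix use of temporary files in dialup-admin") is listed midway through the 2.1.3 bug fixes, between a schema-size change and Coverity cleanups. Put it first or under its own "Security fixes" heading so that packagers scanning the release entry see it. Also, the 2.1.2 header reads "Thurs Dec 3 ... 2008", but 3 December 2008 was a Wednesday.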
-FreeRADIUS 0.6.0 ; Date: Date: 2002/07/03 14:16:33 , urgency=high
+ Bug fixes
+ * Fixed bug that made radmin not work
+ * Fixed Suse && Debian package scripts
+ * Fixed issues with dynamic clients
+ * Fixed configure checks for -lreadline
+ * rlm_sqlippool no longer needs to be linked to rlm_sql.
+ * Add statistics for detail file listeners. This closes bug #593.
+ * Fixed printing of some WiMAX attributes.
+ * Fix double free on exit() in rlm_attr_filter
+ * Fixed build issues on Solaris.
+ * Fixed fast session resumption for EAP-TLS
+
+FreeRADIUS 2.1.0 Fri Sep 5 13:20:01 CEST 2008; , urgency=medium
+ Feature improvements
+ * Clients may now be defined dynamically, based on IP address.
+ See raddb/sites-available/dynamic-clients.
+ * SNMP support is now available through an experimental Perl script.
+ See scripts/snmp-proxy/README
+ * SNMP statistics are available through Status-Server packets.
+ See raddb/sites-available/status
+ * Added more Microsoft attributes from bug #568.
+ * The "linelog" module has more functionality and flexibility.
+ See raddb/modules/linelog.
+ * The debugging output has been sanitized. It should be much
+ more readable.
+ * Debug logs can now be turned on/off while the server is running, for
+ a user, group, realm, etc. See the "log" section of radiusd.conf.
+ * Added support for WiMAX Forum attributes. The dynamic keys
+ are not yet calculated. See share/dictionary.wimax
+ * Added session resumption for PEAP and TTLS.
+ See raddb/eap.conf, "cache" sub-section.
+ * Added "radmin" command-line tool for administering a running server.
+ See "man radmin" and raddb/sites-available/control-socket.
- * Many bug fixes. For explicit details, see:
- http://www.freeradius.org/cvs-log/
- * Change to the user/group specified in the config file in all
- modes ( debug and daemon ).
- * SQL sockets are rotated so that all are used, to prevent the
- SQL server timing out and closing unused sockets. Patch from
- Todd T. Fries
- * Sybase driver from mattias@nogui.se.
- * Modules are now versioned.
- * Delete garbage Proxy-Reply attributes sent by the home server
- before performing our own reply.
- * Fix race conditions when duplicate packets resulted in a request
- being processed by two threads, at the same time.
- * Add '-d' command-line option to radwho
- Bug noted by Matthew Schumacher
- * Corrected issue that when a home server never replied to a
- proxied request, the server may die.
- * In SQL, look in radcheck, if not found there, try radgroupcheck.
- Patch from Thomas Jalsovsky.
- * Set sql user name for ALIVE accounting packets, too.
- Patch from Simon <lists@routemeister.net>.
- * Use port-specific checking for realms, now that we can proxy to
- different auth/acct servers for the same realms.
- Patch from Eddie Stassen.
- * Minor updates to encrypted tunnel passwords.
- * Default 'run_dir' is now /var/run/radiusd, not var/run.
- /var/run is writeable only by root, and radiusd may be run suid.
- * Modules are now versioned, so that upgrading the server
- ensures that the new modules are installed.
- * Fix sql code, so that magic SQL characters don't get the
- SQL server excited.
- * Remove references to "UNKNOWN-NAS" in log messages.
- * Properly handle fork() and obtaining child processes exit
- status when using threads. (pthread is broken w.r.t. signals)
- * Correct code which would send erroneous reject, when the reject
- was delayed, and a new request came in.
- * Fix race condition where proxied requests would sometimes never
- be re-sent. Bug noted by Eddie Stassen.
- * Corrected LDAP3 schema
- * Implemented Digest authentication, as per IETF document
- draft-sterman-aaa-sip-00.txt, to perform authentication against
- a Cisco SIP server.
- * If no password or group files have been specified in the config,
- use the standard system calls to find them, rather than giving
- up. Patch from Steve Langasek.
- * Return Proxy-State attributes in a delated Access-Reject
- * Corrected 'session zap' logic, when an old and unused session
- is deleted from the databases. Accounting packets with garbage
- Client-IP-Address attributes should no longer be a problem.
- * Bug fixed in LDAP attribute map, for MS-CHAP related attributes.
- * Fixes to the EAP module to work better with XP.
- * Support for MS-SQL, using the FreeTDS library,
- from Dmitri Ageev
- * New operators =* and !*. See 'man 5 users' for details.
- * Added translation for %{config:section.subsection.item}, to
- allow run-time translation of internal configuration parameters.
- * New rlm_sqlcounter module, to keep counters based on SQL data.
- * Fix rlm_realm, to allow seperate proxying of accounting and
- authentication requests.
- * Bug fixes in PostgreSQL back-end, from Andrew Kukhta.
- * Increase internal buffers, to allow large SQL query strings.
- * Added debug level 3 (-xxx), where debug messages have time stamps.
- * Fix 'radwho' to use the correct radutmp file, as found by
- 'configure' (but radwho still doesn't read radiusd.conf)
- * Fix bugs in tunnel (tagged attribute) code, which would prevent
- tagged attributes from being generated correctly in a packet.
- * Build only 'stable' modules by default. Experimental modules
- require --with-experimental-modules to be passed to 'configure'
- * New module rlm_ippool, to do server-side IP pooling.
- * Fix rlm_eap module for portability, to work on non-x86 platforms.
- * Re-connect to the LDAP server if the connection idles out
- * Increased the visibility of the warning messages when doing
- 'make install'
- * Fixed EAP module to use 16-bit integers, so that it will
- work on big-endian architectures.
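Review bot: These removed lines delete the 0.6.0 release notes, including security-relevant history such as "Fix sql code, so that magic SQL characters don't get the SQL server excited" and the run_dir change made because "/var/run is writeable only by root". If the pre-2.0 history is being dropped from this file on purpose, say so in the commit message and point to where the old entries remain available.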
+ Bug fixes
+ * Double escaping of '\\' in the "users" (and some other) files
+ has been fixed. If you have '\\' in the "users" file, your
+ configuration WILL NEED TO BE CHECKED, AND FIXED!
+ * Parse "security" section in radiusd.conf. This was accidentally
+ deleted in 2.0.5. Closes bug #566.
+ * Bind to interface before IP, which allows DHCP sockets to
+ listen on "*" for multiple interfaces.
+ * Fix handling of giaddr in DHCP responses.
+ * Corrected parsing of status_check in home_server so that it works.
+ * Fix hints so that "Puser" works again.
+ * Removed length restrictions on attribute names in the dictionaries.
+ * Update socket code to avoid C compiler optimizations.
+
+FreeRADIUS 2.0.5 ; Date: 2008/06/07 17:17:00 , urgency=medium
+ Feature improvements
+ * Permit SQL authorize_reply_query to be empty.
+ * Allow setting response packet type in Post-Proxy-Type Fail
+ handler.
+ * Added install-chown target to set correct permission and ownership
+ make RADMIN=radmin RGROUP=radius install-chown
+ * Support for LDAP-Group and other dynamic comparison attributes
+ in unlang. Developed from a patch by Jason Alderfer.
+ * Added chroot support. See radiusd.conf for comments.
+ * Allow clients of 0/0. We do not recommend using this, though.
+ * Moved many module configurations into raddb/modules/*
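Review bot: "Double escaping of '\\' in the "users" (and some other) files has been fixed" is a backwards-incompatible parsing change filed under "Bug fixes" for 2.1.0. Move it to the top of the release entry, name the "other" files, and show how an existing value is read before and after the change, so that administrators know what to check. In 2.0.5, "Allow clients of 0/0. We do not recommend using this, though." should give the reason: such a client definition matches every source address.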
-FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium
-
- * Many bug fixes. For explicit details, see:
- http://www.freeradius.org/cvs-log/
- * Added Foundry dictionary, from Thomas Keitel
- * Fix a logic bug in the 'walk over request list' code, which
- would sometimes result in a request being deleted while it
- was still being processed. Found by Rainer Clasen
- * New 'tuning' guide, for optimizing the server's speed.
- * The default ports are now 1812/1813, which is the standard.
- * Fix a bug which would hang the server when many SQL connections
- were open. Found by Cvetan Ivanov <zezo@spnet.net>
- * Updated MySQL schema, with sanity checks, based on a schema from
- Thomas Huehn <huehn@eozaen.net>
- * Added 'Aptis' (Nortel CVX) dictionary.
- * Added Ipv6 attributes (as 'octets' type for now)
- * 'xlat' capability for SQL, so other modules can do SQL queries.
- * We don't need a shared secret for LOCAL realms.
- * Added better description of internal variables.
- * Configurable fail-over to DEFAULT realm. Sometimes we don't
- want to use the DEFAULT realm, if all configured realms are
- marked dead. From Rainer Clasen.
- * new configuration items 'max_attributes' and 'reject_delay'
- If the packet contains too many attributes, it can be rejected.
- We can also delay sending an Access-Reject, which slows down
- certain DoS attacks.
- * Updates to redhat scripts and spec file, from Marko Myllynen.
- * Python module (EXPERIMENTAL) from migs paraz <mparaz@yahoo.com>
- * Add ability to find *best* match when comparing attributes.
- If there is more than one attribute in a request and the first
- one doesn't match, go check the second one, instead of failing.
- * unixODBC support for SQL, from Dmitri Ageev <d_ageev@ortcc.ru>
- * Use thread-safe versions of library calls. This work is still
- on-going.
- * New rlm_passwd module, to allow general parsing of passwd-style
- files.
- * Preliminary EAP-TLS support.
- * Updated LDAPv3 schema
- * Correct checks for Odbc, and fix bugs in the module.
- Andreas Kainz <aka@maxxio.at>
- * MAN page fixes and updates
- * Added PHP web interface 'dialup_admin'
- * Password = "UNIX" or "PAM" backwards compatibility removed.
- * Use the operators in the SQL schema and queries, and bug
- fixes in the SQL module.
- Randy Moore <ramoore@axion-it.net>
- * fgetpwent() compatibility, for systems without it,
- from Daniel Carroll <freeradius@defiant.mesastate.edu>
- * Added PAP authentication module, as a step to removing
- most authentication handlers in other modules.
- * Send a Access-Reject after max_request_time
- * Multiple fixes in the LDAP module.
- * Quintum dictionary by Jeremy McNamara <jj@indie.org>
- * Preliminary EAP Module with MD5 support
- Contributed by Raghu <raghud@hereuare.com>
- * Better sanity checking for bad VSA's when receiving a packet
- * new 'xlat register' so that attribute values may be pulled
- out of configurable databases at run-time.
- e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
- * Minor fixes to debian package rules
- * Attribute 'Password' deprecated in favor of 'User-Password'.
- * MS-CHAP and MS-CHAPv2 MPPE support added.
- Contributed by Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp>.
- * X9.9 token enhancements (several).
-
- -- Alan DeKok <aland@ox.org>
-
-FreeRADIUS 0.4.0 ; urgency=low
-
- * Allow the MS-CHAP module to work, and to read /etc/smbpass
- 3APA3A <3APA3A@SECURITY.NNOV.RU>
- * Remove the server requirement that one of User-Password
- or CHAP-Password exist when doing authentication. These
- checks should be handled by the modules. This change
- also prepares us for EAP.
- Patch from Raghu <raghud@hereuare.com>
- * Make NAS-Port-ID in radwho, raduse, etc. unsigned,
- instead of signed.
- Patch from John Morrissey <jwm@horde.net>
- * Allow \t and \n inside of configuration strings.
- Frank Cusack <fcusack@fcusack.com>
- * X9.9 Challenge-Response token card support.
- For now, only CRYPTOCard tokens are supported.
- Frank Cusack <fcusack@fcusack.com>
- * Fix core dump on Solaris in radwho.c
- Patch from Eddie Stassen <eddies@saix.net>
- * Fix leak / core dump in Oracle module.
- * Fix memory leak in rlm_counter
- Kostas Kalevras <kkalev@noc.ntua.gr>
- * "LOCAL" realms do not need to have an entry in the 'clients'
- file. Philippe Levan <levan@epix.net>
-
- -- Alan DeKok <aland@ox.org>
-
-FreeRADIUS 0.3.0 ; urgency=low
+ Bug fixes
+ * Allow proxying to virtual servers for accounting packets, too.
+ * Added "num fields" function to PostgreSQL client.
+ * Updated proxy fallback mechanism to validate fallback servers,
+ and to process fallback requests in a child thread.
+ * rlm_realm returns "ok" for LOCAL realms, not "noop".
+ * Fixed some DHCP code handling. The examples should now work.
+
+FreeRADIUS 2.0.4 ; Date: 2008/04/30 08:56:40 , urgency=medium
+ Feature improvements
+ * Allow "virtual_server" in "realm" and "home_server" sections.
+ See raddb/proxy.conf and raddb/sites-available/virtual.example.com.
+ * Allow "passwd" module to be listed in "accounting" and "post-auth".
+ * Added "fallback" to "home_server_pool" configuration, to handle
+ the case of all home servers being dead. See raddb/proxy.conf.
+ * Added sample text to raddb/sites-available/inner-tunnel which
+ can simplify debugging of inner tunnel configurations.
+ * Added regular expression matching in realm names. See
+ raddb/proxy.conf for examples.
+ * Added simple DHCP server functionality. For comments, see
+ raddb/sites-available/dhcp.
+ * Added file globbing capabilities to detail file reader
+ * Added sample raddb/sites-available/robust-proxy-accounting
+ * Clients in SQL can now refer to a virtual server.
+ Patch from Michael Bretterklieber.
+ * Added some examples of creating RADIUS administrator in SQL,
+ and assigning appropriate access rights.
+
+ Bug fixes
+ * Install all files in raddb/sites-available
+ * Allow non-threaded builds.
+ * Don't treat '0x' as special for known attributes that are not
+ of type "octets".
+ * Fix log error in rlm_pap.
+ * Remove documentation about non-existent functionality.
+ * Updated warning messages in debug output.
+ * Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
+ This fix was supposed to go into 2.0.3, but did not make it.
+ * Fix event handling in debug mode for failed proxy requests.
+ * Fix memleak in fifos. Closes #537.
+ * Fix memleak on blocked threads. Closes #538.
+ * Perform additional checks on NULL realms. Closes #541.
+ * Fix handling of "clients" in "listen" section.
+ * When detail file cannot process a packet, sleep for longer
+ to let the rest of the server do something.
+ * Add missing table to raddb/sql/mssql/schema.sql. Closes #545.
+ * Updated rlm_sql_postgresql to build with PostgreSQL 7.x.
+ Closes #533.
+ * Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the
+ correct place.
+ * Update rlm_attr_filter for some corner cases. Closes #543.
+ * Fixed memory leak in libfreeradius event handler.
+ * In the SQL Accounting on/off queries, remove the restriction
+ that the session time had to be zero.
+
+FreeRADIUS 2.0.3 ; Date: 2008/03/17 09:22:17 , urgency=medium
+ Feature improvements
+ * Updated raddb/certs/ca.cnf with extensions to allow ca.der
+ to be imported as a CA on Symbian and Windows Mobile devices.
+ Closes bug #524
+ * Enable multiple matches in "hints" via Fall-Through = Yes.
+ Closes bug #477
+ * Added preliminary SQLite driver, contibuted by Apple.
+ Untested, with no sample configuration. This address bug #470.
+ * Updated logging sub-system so that log messages from libfreeradius
+ can go to the log file, and not stdout.
+ * Added dictionary.rfc5176
+ * EAP module now checks for instance name, and uses that for
+ authentication. This avoids the need to set Auth-Type when
+ there are multiple instances of the EAP module.
+ * Added Module-Return-Code attribute, which contains the value
+ returned by the previous module (ok/fail/update/etc.)
- * Added ability to send debug messages to the log file, when
- running in daemon mode.
- * Miscellaneous fixes to get Debian packaging working.
- * When trapping a signal, don't SIGKILL children on a SIGTERM,
- SIGTERM them, instead. This allows Exec-Program scripts to
- catch the signal, and finish processing, instead of dying.
- Bug noted by Michael Chernyakhovsky <magmike@mail.ru>
- * Increased limit on length of user name read from /etc/passwd,
- to match the maximum allowed by RADIUS.
- Bug noted by "Gonzalez B., Fernando" <fgonzalez@manquehue.cl>
- * Configurable fail-over when proxying packets. If the
- home server doesn't respond to a repeated proxied request,
- it's marked as 'dead', and the next one in the list is used.
- Patch by Eddie Stassen <eddies@saix.net> and <spirn@21cn.com>
- * Pass Access-Challenge attributes through the server, in
- preparation for EAP.
- Raghu <raghud@hereuare.com>
- * More fixes for RFC compliance on the Message-Authenticator
- Raghu <raghud@hereuare.com>
- * Merged OSFC2/OSFSIA authentication patches from Cistron.
- (Bug # 104) The patches are not well tested, however.
- * IBM DB2 UDB V7.1 SQL driver, contributed by
- Joerg Wendland <wendland@scan-plus.de>
- * Fix the IP + Port address assignment.
- Bug found by "John Padula" <john_padula@aviancommunications.com>
- * Patch to avoid smashing the contents of Ascend binary filters.
- Michael Chernyakhovsky <magmike@mail.ru>
- * Create and Validate Message-Authenticator attribute, in
- preparation for EAP.
- * Initialize variables properly in rlm_attr_filter.
- Patch from Andriy I Pilipenko <bamby@marka.net.ua>
- * Renamed RedHat init script from 'radiusd.init' to 'radiusd'.
- This allows it to work properly with the RedHat rc system.
- Patch from Christian Vogel <chris@amor.iksys.de>
- * Fix the configure script checks for PostgreSQL, so that
- they use the 'test' command properly.
- Bug found by Robert Haskins <rhaskins@ziplink.net>
- * Change instances of 'assert' to 'rad_assert', so that it
- can log the error to the standard radius log files.
- Patch from Vesselin Atanasov <vesselin@bgnet.bg>
- * Patch to prevent segv when freeing results, from
- Tomas Heredia <tomas@intermediasp.com>
- * Added support for Exec-Program to acct. Bug found by
- <magmike@mail.ru>
- * Corrected rlm_files so that raddb/acct_users works
- * When doing synchronous proxying, update proxy next try
- entries, so that the server doesn't eat CPU time.
- Raghu <raghud@hereuare.com>
- * Add primitive dictionary.nomadix <CBoyd@apogeetelecom.com>
- * Log messages to console, if the logger hasn't been
- initialized. <vesselin@bgnet.bg>
- * Log invalid user for proxy rejects, too. <help@visp.net>
- * Fixed Expiration attribute handling.
- * Added code to handle Ascend-Send-Secret and Ascend-Receive-Secret
- * Removed non thread-pool code. If we have threads, we now force
- the use of thread pools.
- * Update version number
- * correct bug where proxied accounting packets would never have a
- reply sent back to the NAS, or the reply would be sent twice.
+ Bug fixes
+ * Corrected typos in rlm_dbm. Closes bugs #521 and #522.
+ * Detail file "listen" sections now work much better.
+ * Don't allow old "log_*" to over-ride new format. Closes bug #525
+ * Initialize allocated memory in Oracle SQL driver. This fixes
+ occasional crashes on some systems. Closes bug #518
+ * Call correct function in rlm_protocol_filter. This enables the
+ module to build. Closes bug #512.
+ * Added deprecated flag to build for rlm_krb5. This allows it to
+ run on 64-bit systems. Closes bug #491
+ * Corrected error message when parsing invalid configurations
+ so it doesn't crash. Closes bug #527
+ * Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
+ * Handle $INCLUDE's in "instantiate" section. Closes #528.
+ * Format updates to "man" pages from Stephen Gran.
+
+FreeRADIUS 2.0.2 ; Date: 2008/02/14 11:13:48 , urgency=medium
+ Feature improvements
+ * Added notes on how to debug the server in radiusd.conf
+ * Moved all "log_*" in radiusd.conf to log{} section.
+ The old configurations are still accepted, though.
+ * Added ca.der target in raddb/certs/Makefile. This is
+ needed for importing CA certs into Windows.
+ * Added ability send raw attributes via "Raw-Attribute = 0x0102..."
+ This is available only debug builds. It can be used
+ to create invalid packets! Use it with care.
+ * Permit "unlang" policies inside of Auth-Type{} sub-sections
+ of the authenticate{} section. This makes some policies easier
+ to implement.
+ * "listen" sections can now have "type = proxy". This lets you
+ control which IP is used for sending proxied requests.
+ * Added note on SSL performance to raddb/certs/README
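Review bot: The 2.0.3 bug fixes list "Fix handling of timeouts in rlm_ldap that affected 64-bit systems", but the 2.0.4 entry for the same fix says "This fix was supposed to go into 2.0.3, but did not make it." Remove the line from 2.0.3 or annotate it, otherwise readers running 2.0.3 will assume they already have the fix. In 2.0.2, "Added ability send raw attributes" and "available only debug builds" are each missing a word.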
- -- Alan DeKok <aland@ox.org>
+ Bug fixes
+ * Fixed reading of "detail" files.
+ * Allow inner EAP tunneled sessions to be proxied.
+ * Corrected MySQL schemas
+ * syslog now works in log{} section.
+ * Corrected typo in raddb/certs/client.cnf
+ * Updated raddb/sites-available/proxy-inner-tunnel to
+ permit authentication to work.
+ * Ignore zero-length attributes in received packets.
+ * Correct memcpy when dealing with unknown attributes.
+ * Corrected debugging messages in attr_rewrite.
+ * Corrected generation of State attribute in EAP. This
+ fixes the "failed to remember handler" issues.
+ * Fall back to DEFAULT realm if no realm was found.
+ Based on a patch from Vincent Magnin.
+ * Updated example raddb/sites-available/proxy-inner-tunnel
+ * Corrected behavior of attr_filter to match documentation.
+ This is NOT backwards compatible with previous versions!
+ See "man rlm_attr_filter" for details.
+
+FreeRADIUS 2.0.1 ; Date: 2008/01/22 13:29:37 , urgency=low
+ Feature improvements
+ * "unlang" has been expanded to do less run-time expansion,
+ and to have better handling of typed data. See "man unlang"
+ for documentation and new examples.
-FreeRADIUS Alpha 0.2.0, July 30, 2001.
-
- * call openlog() again when using PAM, to get the correct log
- facility.
- * Update child thread code, to minimize race conditions.
- * Make thread pools the default. Using plain child threads is NOT
- recommended.
- * Ignore SIGPIPE to get ride of crashes when using ldap.
- * Update proxying code to work better.
- * Platform independent pthread_cancel()ling
- * Fix 'unresponsive child pid' erroneous warning messages.
- * Many changes to get various SQL modules working.
- Note that there may still be some issues with Oracle.
- * Added configure options 'with-rlm-FOO-include/lib-dir', so that
- lower-level rlm_FOO modules can be configured via the top-level
- configuration file. This isn't completely done yet.
- * Fix check for shared library using libtool info, instead of
- assuming extension being ".so".
- * Fixes for HPUX. We probably need more.
- * Many additional bug fixes and changes.
+ Bug fixes
+ * The 'acct_unique' module has been updated to understand
+ the deprecated (but still used) Client-IP-Address attribute.
+ * The EAP-MSCHAPv2 module no longer leaks MS-CHAP2-Success in
+ packets.
+ * Fixed crash in rlm_dbm.
+ * Fixed parsing of syslog configuration.
+
+FreeRADIUS 2.0.0 ; Date: 2007/11/24 08:33:09 , urgency=low
+ Feature improvements
+ * Debugging mode is much clearer and easier to read.
+ * A new policy language makes many configurations trivial.
+ See "man unlang" for a complete description.
+ * Virtual servers are now supported. This permits clear separation
+ of policies. See raddb/sites-available/README
+ * EAP-TLS (PEAP, EAP-TTLS) and OpenSSL certificates "just work".
+ See raddb/certs/README for details.
+ * Proxying is much more configurable than before.
+ See proxy.conf for documentation on pools, and new config items.
+ * Full support for IPv6.
+ * Much more complete support for the RADIUS SNMP MIBs.
+ * HUP now works. Only some modules are re-loaded,
+ and the server configuation is *not* reloaded.
+ * "check config" option now works. See "man radiusd"
+ * radrelay functionality is now included in the server core.
+ See raddb/sites-available/copy-acct-to-home-server
+ * VMPS support. It is minimal, but functional.
+ * Cleaned up internal API's and names, including library names.
+
+ Bug fixes
+ * Many.
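Review bot: In the 2.0.1 bug fixes, "no longer leaks MS-CHAP2-Success in packets" is ambiguous between a memory leak and an attribute being sent where it should not be; reword it to say which. The 2.0.0 "Bug fixes" section consisting only of "Many." gives readers nothing to act on; list at least the fixes with security or compatibility impact. Typo in the 2.0.0 features: "configuation".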