-FreeRADIUS 3.0.2 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
+FreeRADIUS 3.0.4 Mon 12 May 2014 15:30:00 EDT urgency=medium
Feature improvements
+ * Home server "response_window" can now take fractions of a
+ second. See proxy.conf.
+ * radmin now supports "show module status", as the counterpart
+ to "set module status"
+ * Added dictionary ericsson.packet.ccore.networks
+ * Add %{tag:} expansion to get the tag value of an attribute.
+ * Report 'application_name' in connections to PostgreSQL servers.
+ FreeRADIUS connections will now appear as
+ 'FreeRADIUS <version> - <name>' in pg_stat_activity.
+ * All config item fields are now type checked at compile time
+ to prevent issues similar to #634 occuring again.
+ * Modify pairparsevalue to deal with embedded NULLs better,
+ and use the binary versions of attribute values in rlm_ldap.
+ * "ipaddr" will now use v6 if no v4 address is present. You should
+ use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
+ * The above applies to "listen", "home_server", and "client" sections.
+ * "client" sections will allow prefixes as "192.192.0/24". The old
+ "netmask" is still accepted, but the new format is preferred.
+ * Allow custom HTTP headers to be set for rlm_rest requests using
+ control:REST-HTTP-Header (attributes consumed after use).
+ * Extend format of %{rest:} expansion to allow HTTP method and POST
+ data to be specified
+ e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
+ * Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions
+ for signing data in requests.
+ * rlm_cache now consumes its control attributes to make runtime
+ configuration easier.
+ * Add control:Cache-Read-Only which when set to 'yes' will make the
+ cache module merge existing cache data, but not create new entries.
+ * Add %{unescape:} and %{urlunquote:} expansions to reverse escaping
+ and urlquoting.
+ * Add support for aliases in rlm_ldap.
+
+ Bug fixes
+ * make case-insensitive regular expressions work again.
+ * Added tests for the above
+ * A few more talloc parenting issues
+ * Fix delayed proxy reply handling. Closes #637
+ * Fix OpenSSL initialization order when using
+ RADIUS/TLS. Fixes #646
+ * Don't double-quote strings in debugging messages
+ * Fix foreach / break. Fixes #639
+ * Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and
+ ADSL-Agent-Remote-Id should be "octets" types in the default
+ dictionary.
+ * Fix typo in mainconfig. Fixes #634
+ * More rlm_perl fixes. Fixes #635
+ * Free OpenSSL memory on clean exit.
+ * Fix <attr>[0] !* ANY - Was removing all instances of <attr>
+ * Fix case where multiple attributes were returned from LHS of
+ mapping, as with rlm_ldap. Fixes #652
+ * Fix corner case in cursor where using fr_cursor_next_by_da
+ after calling fr_cursor_remove may of resulted in a read of
+ uninitialised memory.
+ * Don't SEGV if all connections to a database server go away.
+ Fixes #651.
+ * Fix issue where <attr> -= <value> was not removing tagged
+ instances of <attr> equal to <value> (only untagged).
+ * Fix issue where tag values were not being set on attributes
+ created with unlang/ldap update blocks.
+ * Create rlm_sqlcounter attributes as integer64 types instead
+ of integer types, so large counter values can be specified.
+ * Fix issue where specifying a dynamic client IP addresss using
+ FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix
+ may have caused a validation error.
+ * Don't print two "&" for messages about attribute or list
+ references.
+ * Fix urlquote and escape to encode Unicode characters correctly.
+ * Fix redundant-load-balance blocks to try other modules in
+ the group if one fails.
+ * Fix issue with rlm_pap password normalisation where
+ 'known good' password strings stored in octets type attributes,
+ would be sometimes misnormalised as base64.
+ * Don't stop processing DHCP options if we find a 0x00 padding
+ option.
+ * Fix issue where modifying the value of an attribute created
+ from a template with a literal value, may have resulted in the
+ template literal being freed.
+ * Fix parenting issues in tls code which may have resulted in
+ memory corruption and crashes.
+ * Fix issue in radsniff where writing to PCAP files and using
+ -R response filters, where the requests would still be written
+ to the PCAP for non matching responses.
+ * Define __APPLE_USE_RFC_2292 so that the server builds with IPv6
+ support on OSX.
+ * Fix LDAP group lookups for named rlm_ldap instances.
+ Note that attribute references should be used when
+ checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
+ * Delayed attribute references can now be used in unlang
+ existence checks. i.e. if (&Attribute-Name) { ... }
+
+FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
+ Feature improvements
+ * Everything now builds with no warnings from the C compiler,
+ clang static analyzer, or cppcheck.
+ * rlm_ldap now supports defining the LDAP attribute name via
+ backticked expansion (i.e. shell command) in
+ RADIUS <-> LDAP mappings.
+ * rlm_ldap now supports older style generic attributes.
+ * dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed
+ when the server starts. Syntax errors in the strings
+ are caught, and a descriptive error is printed.
+ * Static regular expressions (e.g. /a*b/) are now parsed
+ when the server starts. Syntax errors in the strings
+ are caught, and a descriptive error is printed.
+ * dynamic expansions are cached after being parsed. They are
+ no longer re-parsed at run-time for every request.
+ * regular expressions are now parsed and cached when the server
+ starts.
+ * Added the %{rest:} expansion to rlm_rest, which will send
+ a GET request to the URL passed as the format string.
+ Any body text will be written to the expansion buffer.
+ * rlm_rest now available as a debian package.
+ * When an 'if' condition statically evaluates to true/false,
+ unlang does more static optimization. For examples, see
+ src/tests/keywords/if-skip
+ * All modules are marked as safe for '-C', which lets the
+ dynamic expansion checks work in more situations.
+ * Added 'none' and 'custom' rlm_rest body types. 'custom'
+ allows sending of arbitrary expanded text and content-type
+ headers.
+ * Added "config" section to Perl. See mods-available/perl
+ * Added '%v' which expands to the server version - Patch
+ from Alan Buxey.
+ * more mis-matched casts are caught in "if" conditions,
+ and descriptive errors are printed.
+ * Support basic response validation in radclient. This allows
+ administrators to write local test cases for their
+ site-specific configurations.
+ * Removed radconf2xml and radmin "show client config" and
+ "show home_server config".
+ * Forbid running with vulnerable versions of OpenSSL.
+ See "allow_vulnerable_openssl" in the "security"
+ subsection of "radiusd.conf"
+ * Catch underlying "heartbleed" problem, so that nothing bad
+ happens even when using a vulnerable version of OpenSSL.
+ * Add locking API for sql_null, linelog, and detail modules,
+ which should improve performance and work around issues
+ on platforms with bad file locking.
+ * Allow DHCP NAKs to be delayed, via setting
+ reply:FreeRADIUS-Response-Delay = 1
+ * Allow tag and array references anywhere attributes
+ are allowed in "unlang".
+ * many enhancements to radsniff, including output
+ to collectd, ipv6 support and packet loss statistics.
+ * Many dictionary updates (ZTE, Brocade, Motorola).
+ * rlm_yubikey now automatically splits passwords from OTP
+ strings.
+ * The detail file reader is now threaded by default.
+ This should improve performance reading the files.
+
+ Bug fixes
+ * Fix xlat expression %{attribute[n]} so that it actually
+ returns the n'th attribute instead of the first one.
+ * Don't parse string on RHS of update {} when using unary
+ operators (!*). The RHS should always be ignored.
+ * Check for more optional functions in json-c so we can
+ Build with libjson0, which is the name of the json-c package
+ on debian/ubuntu.
+ * Fix issue in radmin where the main dictionaries would
+ not be loaded which, depending on the configuration, may
+ have caused validation errors.
+ * Fix handling of "%{reply:3GPP-*}"
+ * Fix rlm_perl garbage attributes
+ * Fix oracle SQL queries, which amongst other things still
+ used the old expansion format, which is no longer
+ supported/parsed.
+ * Truncate long format strings and error markers instead of
+ omitting them.
+ * Fix multiple attribute parsing in rlm_rest JSON.
+ * Don't crash in rlm_rest if connect_uri is commented out
+ in the configuration.
+ * Don't double-escape strings to / from Perl. You may need
+ to double-check your Perl scripts if they use "\" characters.
+ See mods-available/perl for documentation.
+ * Don't re-run "authorize" if a home server fails to respond.
+ * Don't append "0x" to hex output of octets types, for xlat
+ expansions. This is the same as v2, and makes it easier
+ to concatenate multiple attributes of type "octets"
+ * FreeBSD fixes for execinfo linking.
+ * Make some of the module configurations more consistent.
+ * Fix corner cases where STDOUT wouldn't be closed in
+ daemon mode.
+ * Re-enable "update coa" and originating CoA requests.
+ * Prevent multiple threads writing to the sql query logs.
+ * Fix zombie period calculation. Closes #579
+ * Properly parent VPs for talloc, when moving them in map2request.
+ * Various fixes for talloc parent / child relationships
+ * Allow rlm_counter to support VSAs.
+ * Normalize return codes for many modules. "do nothing" is noop,
+ not "ok".
+ * Run Post-Proxy-Type Fail. Closes #576
+ * Fix DHCP destination port for replies to relays. Closes #591
+ * Do-Not-Respond policy works again Closes #593
+ * Proxy-To-Virtual-Server works again. Closes #596
+ * Build fixes for ancient systems. Closes #607, #608, #609.
+ * %{Module-Return-Code} works again. Closes #610.
+ * Don't increment statistics for Status-Server responses.
+ Closes #612.
+ * A duplicate request isn't a duplicate if the original one
+ is marked "done". This should lower retransmissions from
+ clients.
+ * Fix multiple regular expression and glob memory leaks.
+ * Don't allocate any memory in fr_fault() as it can cause malloc
+ to deadlock.
+ * Temporarily set dumpable flag before calling system in fr_fault()
+ else the debugger may not be able to attach.
+ * Set nonblock on all TCP client sockets.
+ * Fix minor buffer overrun in mschapv2 where some attribute strings
+ were not correctly \0 terminated.
+ * Fix crash on authentication failure with MIT kerberos.
+ * Fix code so that octal escape sequences aren't prematurely unescaped
+ in rlm_sql, radclient, preprocess, and other places. This may
+ require configuration changes, as these sequences will no longer
+ need double escaping (\\) of the backslash.
+ * The connection pools no longer have one connection used twice
+ in certain rare conditions.
+ * Use self pipes for internal signals. The code was there, but was
+ unused.
+ * Don't crash if there are outstanding EAP sessions and were told to
+ exit gracefully.
+ * Fix typo in dictionary.rfc4072
+
+FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
+ Feature improvements
+ * secret keys and LDAP / SQL passwords are now printed as
+ '<<< secret >>>' in debugging mode. Use -Xx to see the
+ actual passwords.
+ * Print out more information about passwords in -Xx,
+ including hashes, comparisons, etc.
* Allow cast (and implicit conversion) of integers to IPv4 addresses
* More xlats allow attribute references. This means they can
operate on binary data. e.g. expr, base64, md5, sha1.
- * Added more tests
+ * Added more tests.
* The dictionaries are now auto-loaded. raddb/dictionary
- no longer needs to $INCLUDE ${prefix}/share/dictionary
+ should no longer have $INCLUDE ${prefix}/share/dictionary
* A "panic_action" can be set to have the server dump a gdb
- log on SEGV or other fatal error.
+ log on SEGV or other fatal error. See radiusd.conf
+ * Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
+ * Add "%{sha256:}" and "%{sha512:}" xlat functions.
+ * Cache CUI in EAP session resumption.
+ * templates can now have sub-sections, which will be included
+ in the section referencing the template.
+ * Update more dictionaries.
+ * Added more instances of the "always" module, for all return
+ codes.
+ * Suppress broken NASes when proxying. Retransmits which occur
+ more than once per second are rate-limited to once per second.
+ * Allow '&' in more xlat expansions.
+ * Update PostgreSQL schema and queries to record last updated
+ time, and accounting interim.
+ * Optimize more "if" conditions when the server loads. This will
+ avoid work at run time. e.g. ("foo" == "bar") --> FALSE.
+ * Allow removal of all attributes within a list with !* operator.
+ * Allow list to list copies with request qualifiers (outer.).
+ * Add support for ipv4 prefixes and ipv6 addresses and prefixes to
+ %{integer:}.
+ * allow radmin command "set module status <module> <code>"
+ which can be used to forcibly enable/disable modules.
+ * pap module now assumes Cleartext-Password if Password-With-Header
+ doesn't have a {...} header.
+ * Added "unpack" module. It can unpack binary data from horrible
+ VSA formats. See raddb/mods-available/unpack
+ * Added example IP Pool for DHCP, using sqlite. From Matthew Newton
+ See raddb/mods-config/sql/ippool-dhcp/
Bug fixes
* Fix SQL groups.
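Review bot: The two OpenSSL entries in the 3.0.3 feature list do not tell an administrator what actually changes. "Catch underlying "heartbleed" problem, so that nothing bad happens" should say what the server checks or rejects, and the "allow_vulnerable_openssl" entry should state the default and what happens at startup when a vulnerable library is found. The memory-safety fixes in this hunk (the mschapv2 strings that were not \0 terminated, the fr_cursor_next_by_da read of uninitialised memory, the tls parenting corruption) carry no issue number, unlike entries such as "Fixes #651"; add a reference or mark them as security-relevant so packagers can prioritise the update. The 3.0.4 and 3.0.3 headers also share the identical timestamp "Mon 12 May 2014 15:30:00 EDT", which looks like one header copied into the other and should be checked. Wording to fix while here: "occuring", "may of resulted", "addresss", "were told to exit", and the unclosed parenthesis in (e.g. "%{expr:1 + 2}".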
is not in_use.
* Fix %{mschap:User-Name} xlat.
* Allow comparisons of signed integers and of ethernet addresses.
- * Fix parsing of text based ascend binary filters
+ * Fix parsing of text-based ascend binary filters.
* Fix a few minor Coverity and clang analyzer issues.
* Log WARNING and ERROR prefixes only once, not twice.
- * Allow '&' in more xlat expansions.
* Fix attribute truncation seen in Perl and other places.
* Use correct port when DHCP relaying.
* Fix behaviour on FreeBSD where sending packets from an interface
correctly with more versions of the library.
* In heimdal kerberos, create MEMORY ccaches on a per context basis.
This prevents issues with the root ccache being used.
+ * Fix corner case with proxying, where home server goes down.
+ * Rate-limit "max_requests" complaint. We don't want to fill the
+ logs when something goes wrong.
+ * Use /dev/urandom for raddb/certs/random, if it exists.
+ * Issue WARNING that old-style clients should no longer be used.
+ * Auto-set secret to "radsec" for tcp+tls home servers.
+ * Fix double free in home_server_add when there is a parse error
+ on startup.
+ * rlm_unix checks if the dictionaries are broken, instead of crashing
+ * Fix potential memory corruption when normalising salted password
+ hashes from hex, where the combined hash and salt was > 64 bytes.
+ * Register sqlcounter attributes correctly, and other issues with it
+ * treat 127.0.0.1/32 as being identical to 127.0.0.1
+ * Don't mangle error output of SQL drivers like PostgreSQL
+ * Fix usage of "tls = ${tls}". It could previously cause problems
+ when the reference was used multiple times.
+ * Fix TLS session leak for incoming sockets.
+ * Try harder to clean up memory on exit when using "-mM"
+ * Fix memory leak when home server is down for RadSec connections
+ * rate-limit outgoing connection attempts when the home server
+ is down. It will retry no more than once per second.
+ * When parsing ipv6 address prefixes, always mask off the host
+ portion.
+ * Fix rlm_counter so that it does not create two reply
+ attributes.
+ * Fix issues with DHCP Sub-TLVs where the value of the first
+ Sub-TLV would appear corrupted, and subsequent TLVs would
+ not appear in debug output.
+ * Initialize scope in IP address parsing
+ * Prevent vendor attributes and RFC space attributes from clashing
+ in rlm_attr_filter.
+ * Set source IP address for DHCP packets from DHCP-Server-IP-Address,
+ or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
+ determine the source IP.
+ * Fix POST attribute parsing in rlm_rest.
+ * Fix JSON attribute parsing in rlm_rest.
+ * Don't append trailing & to POST options in rlm_rest (minor).
+ * Process HTTP 100 Continue messages correctly in rlm_rest
+ * Fix generation of long > 512 byte POST payloads, where attribute
+ values on the chunk boundary may have been omitted in rlm_rest.
+ * Remove duplicate escape sequence parsing in rlm_sqlippool and
+ rlm_sqlcounter which caused issues with escaping %. Escape
+ sequence parsing is now handled purely by the xlat functions.
+ * Ensure %% is treated as a string literal, and so not passed to any
+ xlat escape functions for processing.
+ * Correct calculation of Message-Authenticator
+ for CoA packets. Closes #556
FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
Feature improvements
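Review bot: The entry "Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes" describes a memory-safety bug driven by stored credential data, yet it names no module and has no issue reference. Name the affected module and mark the entry as security-relevant, and do the same for the home_server_add double free and the TLS session leak for incoming sockets. "Use /dev/urandom for raddb/certs/random, if it exists" should say what is used when it does not exist, and "Auto-set secret to "radsec" for tcp+tls home servers" should say whether an explicitly configured secret is overridden. Trailing periods are inconsistent: elsewhere this patch adds them to existing entries ("Added more tests."), but several new entries here lack them, for example "Initialize scope in IP address parsing" and "Fix TLS session leak for incoming sockets" is followed by entries without one.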