-FreeRADIUS 1.0.0 ; Date: $Date$, urgency=low
- * EAP-TTLS support in rlm_eap
- * Fix compilation of rlm_counter when not building with pthreads
- * Fix segfault due to poorly initialised value in rlm_mschap
+FreeRADIUS 1.1.3 ; $Date$, urgency=low
+
+ Feature improvements
+ * rlm_otp now talks to otpd for OTP verification, rather than
+ doing the work itself; this improves portability and security
+ (access to OTP token keys is now much more limited)
+
+ Bug fixes
+ * Fixed configure/make error for Solaris (set HAVE_CLOSEFROM).
+ * Update libtool and ltdl to 1.5.22, to fix 'make install R=';
+ also improve integration by importing unmodified original
+ source
+
+FreeRADIUS 1.1.2 ; $Date$, urgency=low
+
+ Feature improvements
+ * Allow tagged VSA's for Juniper. Closes bugs #367 and #368.
+ * Allow Ascend "abinary" format to be specified as octets,
+ (e.g. Ascend-Data-Filter = 0x010203...)
+ * Added "cipher_list" configuration to the EAP-TLS module.
+ See "eap.conf" and "man 1 cipher" for details.
+ * Added "check_cert_issuer" configuration to the EAP-TLS module.
+ See "eap.conf" for details. (closes: #346)
+ * Added "suppress" configuration entry to rlm_detail,
+ to suppress certain attributes (e.g. User-Password).
+ This closes bug #359.
+ * More dictionary updates
+ * Write SSL errors to log file, rather than stderr.
+ This closes bug #347.
+ * Allow a core dump on uid change on Linux (closes: #361)
+
+ Bug fixes
+ * Return better error codes in SQL IODBC module. Closes bug #341.
+ * Corrected list of EAP handlers.
+ * Initialize variable in rlm_ldap.c. This fixes RedHat
+ bug #136468.
+ * Escape more ldap strings, so configuration entries
+ that have magic LDAP characters don't break LDAP.
+ This closes bug #360.
+ * Updated doc/rlm_ldap. This closes bug #353.
+ * Updated redhat/freeradius.spec. This closes bug #330.
+ * Don't forcibly over-write Auth-Type in the mschap module.
+ This prevents an earlier module from forcing reject.
+ * Use the correct module reference in the authenticate section,
+ where Auth-Type wasn't explicitely specified.
+ * If there are typos in a subsection in radiusd.conf, exit
+ after printing an error, rather than continuing.
+ * Print Ascend "abinary" format as text rather than octets
+ when we receive it.
+ * Silently drop packets with bad Message-Authenticators, as per RFC3579
+ * Unbreak ./configure --disable-static (closes: #350)
+ * Unbreak ./configure --prefix (closes: #354)
+
+FreeRADIUS 1.1.1 ; Date: 2006/03/17 19:50:34, urgency=low
+
+ Security fixes
+ * Additional state checking in the EAP-MSCHAPv2 module.
+ Bug found by Steffen Schuster.
+
+ Feature improvements
+ * More dictionary updates
+ * Additional tests and fixes for Digest module from Phillipe Sultan.
+ * Add new "phone" response mode to rlm_otp/cryptocard.
+ * Put the eap sessions into a tree, so that looking them up is very
+ fast, and no longer O(n) in the number of sessions.
+ * Install the schema examples for a set of backends with the rest
+ of the documentation.
+ * Add support for xlat expansion of attributes from LDAP.
+
+ Bug fixes
+ * Fix rlm_perl crash. (closes: #348)
+ * Fix handling of CoA-Request packets (close #344). Also correct
+ name of CoA packets.
+ * Fix an error on x86_64 machines when reading dictionaries.
+ (closes: #312)
+ * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
+ module. (closes: #314 #328)
+ * Workaround Cisco bug in State attribute handling in rlm_otp.
+ * Support LP64 for async mode in rlm_otp.
+ * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
+ modules. (closes: #75)
+ * Make "use_tunneled_reply" work properly for PEAP.
+ * Copy the whole string when getting a one-to-one-mapped attribute
+ from LDAP (closes: #261)
+ * Fix net-snmp's ucd-snmp compatibility mode.
+
+FreeRADIUS 1.1.0 ; Date: 2006/01/04 05:55:19, urgency=low
+
+ Feature improvements
+ * rlm_ldap has "set_auth_type" configuration option, which should
+ address some configuration problems when using it.
+ * Fix MIT Kerberos bug
+ * Modules can be load balanced, both in isolation and redundantly.
+ See doc/load-balance.txt for more information.
+ * rlm_perl is now marked "stable"
+ * N-tier certificate patch from Mohammed Petiwala.
+ * Copied dictionaries from the CVS head (many, many, more vendors)
+ * Enabled support for weird VSA formats, like Lucent and Starent.
+ * Support encrypted IP address and integers, for Juniper clients.
+ * Add PEAP machine authentication support in module "rlm_mschap".
+ * Support User-Password field encryption in digest mode.
+ * rlm_x99_token has become rlm_otp (with lots of changes).
+ * Add rlm_sqlcounter to the list of stable modules.
+ * Read MySQL specific options in sections [freeradius] and [client]
+ from file "my.cnf".
+ * Support the ${Cisco-AVPair[n]} syntax.
+ * Execute modules in {Pre,Post}-Proxy-Type stanzas.
+ * Add new options to radclient to run stress tests on the server.
+ * New module "rlm_sql_log" to postpone the storage of accounting data
+ in a SQL database. See rlm_sql_log(5) manpage.
+ * New program "radsqlrelay" which sends the SQL logfile according to
+ the SQL server's capabilities.
+
+ Bug fixes
+ * #306 (HUP when built with threads, but executed with -s)
+ * #285 (more attributes in dictionary.cisco.vpn3000)
+ * rlm_digest has a number of bug fixes to authentication types.
+ * Don't leak memory in module "rlm_sql".
+ * Update the dictionaries, so that VALUEs with the same name,
+ but different numbers, aren't allowed.
+ * Queue the request before looking for available threads.
+ * Don't free the check items after we received the proxy reply.
+ * Expand config variables in included files, too.
+ * Check the return value of accounting modules and don't proxy
+ invalid requests.
+ * In rlm_passwd, don't close a file stream more than once.
+ * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
+ * Walk the whole string in when escaping strings in rlm_ldap.
+ * Include crypt.h if it is available so we get a prototype for crypt(),
+ spotted by Konstantin Kubatkin.
+ * Removed (for almost all uses) length restrictions on vendor names
+ and VALUE names.
+ * Don't leak memory when proxying an Access-Challenge response.
+ * Make the sleep time user-defined, so radrelay can send more than
+ 7 requests/s.
+ * Fix a memory leak in rlm_checkval.
+ * radclient doesn't resend countless times packets with invalid
+ signature.
+ * Fix segfault and mem leak in rlm_pam.
+
+FreeRADIUS 1.0.5 ; Date: 2005/09/04 16:23:00, urgency=medium
+
+ Security Fixes
+ * SQL injection attack in the module "rlm_sqlcounter".
+ * Buffer overflows in the module "rlm_sqlcounter".
+ * Expansion of variable %t may write 26 bytes beyond the buffer
+ bound. Primoz Bratanic is credited with the discovery of these
+ three bugs.
+
+ Bug fixes
+ * Don't de-reference a NULL pointer if the auth-type is unknown
+ in the function rad_check_password().
+ * Escape more characters in the LDAP queries.
+ Bug found by Suse engineers.
+ * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
+ it leaks memory.
+ * Fix an off-by-one error in the module rlm_sql_unixodbc.
+ Bug found by Suse engineers.
+ * In rlm_sql, resize the buffer for the value of SQL-User-Name.
+ * Initialize memory for a new SQL socket in the module rlm_sql.
+ * Don't add too many attributes after running an external program.
+ Bug found by Suse engineers.
+ * Fix an off-by-one error in the function getthing().
+ * snprintf() and vsnprintf() replacements were not compiled if
+ the autoconf tests didn't find the functions.
+ * Don't use vsprintf() anymore, but the replacement for vsnprintf()
+ in libradius instead.
+ * The function decode_attribute() may write beyond buffer bounds.
+ Bug found by Suse engineers.
+ * Fix a memset() in the function request_enqueue() which was
+ begining at the wrong address. Bug found by Matthias Ruttman.
+ * Fix an off-by-one error in the function xlat_copy().
+ Bug found by Primoz Bratanic.
+ * Fix other off-by-one errors in module "rlm_unix", too.
+ Bug found by Allan Bazinet.
+ * Fix a 2-byte over-run read in function rad_decode().
+ * Update thread pool queue properly.
+ * Autonconf tests try first any user-specified directory,
+ otherwise they may pick up the wrong version.
+ * Delete the autoconf tests for the libldap dependancies.
+ * Install all the regular files under the "doc" directory.
+ * Distinguish between exit code <0 (failure) and >0 (reject)
+ in Exec-Program-Wait. Patch from Thor Spruyt.
+ * Make Expiration work.
+ * Clean up the code for opening a proxy socket.
+ * When finding a realm to proxy to, if all are dead, wake them
+ if wake_all_if_all_dead is true.
+ * In radwho, print the NAS-Port as unsigned int.
+ * Use extended regex instead of basic regex in rlm_attr_filter.
+ * Catch the case where someone deletes a directory that rlm_detail
+ is using.
+ * Use the variable $(LDFLAGS) when linking a module.
+ * Ignore the Stripped-User-Name when a realm has the "nostrip"
+ directive.
+ * Add support for NT-Password in rlm_pap.
+ * In rlm_sqlcounter, use the time left to the next reset if it's
+ inferior to the time left in the counter.
+ * Calculate Message-Authenticator correctly for Accounting-Request
+ and Accounting-Response. Bug found by Paolo Rotela.
+ * Build on MAC OS X. Still need --disable-shared, though.
+ * Fix bug #255 (crash with expired CRL's, etc.)
+ * Fix quote removal of the values from a SQL database.
+ * Reap the zombie process after a command run from "Exec-Program".
+ * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
+ * Don't copy VSA's to an Access-Reject packet.
+
+FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
+
+ * Fix installation problem.
+ * Increase a buffer size, so radrelay doesn't truncate values.
+ * Updates in the documentation. Patches from Thor Spruyt.
+
+FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
+
+ Security Fixes
+ * Always escape the strings in the SQL module.
+ * Check buffer bound when input character needs escaping in
+ the SQL module. Bug found by Primoz Bratanic.
+
+ Bug fixes
+ * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
+ * Don't send Proxy-State from home server in TTLS.
+ * Fixes for forking external programs, so the server doesn't
+ suddenly stop processing requests, or stop forking programs.
+ * radzap now works, but it's command-line options have changed
+ completely, and it's a shell script.
+ * radwho has updated command-line options, and no longer reads
+ Unix "utmp" files.
+ * Fix bug in calling checkrad script with NAS port > 9999999
+ * Fix long-standing bug when both crypt and pthreads are in use
+ * Don't SEGV when rlm_sql gets 'NULL' value from request.
+ * Re-arrange code in radrelay to not duplicate accounting packets.
+ * In rlm_attr_rewrite, change the value when the attribute type
+ is different from string.
+
+FreeRADIUS 1.0.2 ; Date: 2005/02/13 01:03:20, urgency=medium
+
+ * Novell eDirectoty support. Patch from Novell.
+ * localweb & Trapeze dictionary updates.
+ * EAP-SIM fixes.
+ * Make "Strip-User-Name = No" work.
+ * Don't declare zero-length arrays in rlm_passwd
+ * Bug fix to make udpfromto code work
+ * radrelay shouldn't dump core if it can't read a VP from the
+ detail file.
+ * Only initialize the random pool once.
+ * In rlm_sql, don't escape characters twice.
+ * Fix MD4 calculation on big-endian machines.
+ * In rlm_ldap, only claim Auth-Type if a plain text password is present.
+ * Treat Quintium VSAs like Cisco VSAs
+ * Locking fixes in threading code
+ * rlm_krb5 includes /usr/include/et for Fedora Core
+ * Fix post-auth REJECT stanza processing for rejections from external
+ processes or home RADIUS servers
+ * Fix building on gcc-4.0 by not trying to access static auth_port from
+ other files.
+ * Fix building SNMP support on Solaris 9, which needs -lkstat
+
+FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03 , urgency=high
+
+ Denial-of-Service Security Fix
+ * Fix two remote crashes and a memory leak in RADIUS packet
+ decoding.
+
+ Bug fixes
+ * Fix premature "success" during EAP/TLS handshake.
+ * Dictionary handling now complains about identically named
+ values with different values, and rejects dictionary
+ entries with bad data
+ * Update dictionaries to deal with the above change.
+
+FreeRADIUS 1.0.0 ; Date: 2004/07/17 06:31:32, urgency=low
+
+ pre3 -> release
+ * Fix LDAP dictionary map loading.
+ * Check login time allowance to packet timestampe where available.
+ * Compilation fix for machines withouth <pthread.h>.
+ * Man page improvements.
+ * Grab latest config.sub and config.guess (2004-03-12).
+
+ pre2 -> pre3
+ * Make IPv6 support work better.
+ * Updated 3com dictionary.
+ * Fixed MD5 code to be more portable.
+
+ pre1 -> pre2
+ * Updated SQL onoff query
+ * Updated Nomadix, RedBack and Valemont dictionaries.
+ * MD4/MD5 fixes.
+ * Don't complain about ports we're listening on when HUP'd.
+ * Permit -i to work for radclient.
+ * Fix bug in new proxy code.
+ * rlm_passwd is now a little friendlier.
+
+ Non source-code changes
+ * Preliminary tests indicate that the server builds and runs on
+ Interix (SFU on Windows XP).
+ * EAP module configuration is now in "raddb/eap.conf", as it was
+ getting large.
+ * Updated GPL boilerplate in the source.
+ * Added new RFC's to doc/rfc/
+ * Added more "man" pages for many of the modules. Many of the
+ 'doc/rlm_*' files have been deleted, and replaced with 'man' pages.
+ * Added many new dictionaries: 3GPP, 3GPP2, Propel, Karlnet,
+ Sonicwall, Navini, Bristol University, Valemont, Mikrotik.
+ * doc/configurable_failover is now understandable by mere humans.
+ * Update scripts/rc.radiusd with examples of how to deal with
+ shared library issues.
+ * Added demo certs.
+ * Updates to configure scripts for MySQL.
+ * Updated doc/tuning_guide, with comments about SQL.
+
+ Core feature improvements
+ * Many, many minor bug fixes and feature enhancements.
+ * Added "reject" action in configurable failover for modules
+ * Added a "listen" directive, which supersedes the old
+ "bind_address" and "port" directives. "listen" allows much
+ finer-grained control over what IP's, ports, and packets the
+ server pays attention to.
+ * The proxy code has been updated to work properly, and to
+ allocate new sockets for proxying packets when there are more
+ than 256 requests outstanding to a home server. Many thanks
+ to Stephen Jaeger for help in debugging the new feature.
+ * Regular expression matches in brackets can now be referenced
+ as in Perl, via %{1}, %{2}, etc.
+ * added ability for mschap module to use ntlm_auth, to perform
+ MS-CHAPv1 and MS-CHAPv2 authentication against a Windows
+ Domain Controller.
+ * Check return value from registered xlat functions. If return
+ value is 0, treat the attribute as not found. This lets things
+ like %{sql: select... :-FAILED} work.
+ * Realms can now be configured to ignore DEFAULT and NULL
+ realms. This makes prefix/suffix realms co-exists a little
+ better.
+ * Added red-black tree implementation to src/lib. The
+ dictionaries now use it, rather than singly linked lists. Tests
+ indicate that the server is up to 30% faster.
+ * Updated MSCHAP module to be able to better deal with Windows
+ machines which put a username with domain into User-Name, but
+ which use only the username to create the MS-CHAP-Response.
+ * Made "hints" file more generic and flexible, without changing
+ old functionality.
+ * Enhanced configuration file variable handling. See
+ doc/variables.txt for details.
+ * Checks for OpenSSL now enforce version number, and are common
+ across all modules, rather than being duplicated.
+ * Implement "udpfromto", which allows the server to work better in
+ LVS. Code from Jan Berkel and Miquel van Smoorenburg. To use
+ it, do: ./configure --with-udpfromto=yes
+ * Re-arranged "walk over cached requests" code for clarity.
+ * The server now keeps more SNMP statistics about the packets it
+ has processed.
+ * De-coupled the queue of input requests from the pool of threads.
+ This allows "spikes" of requests to be queued, even though all
+ threads are busy. This change significantly increases the
+ servers ability to process large numbers of requests on a
+ multi-CPU machine.
+ * Re-arranged the internal "core" request handling code, to
+ make a little more sense.
+ * Removed support for Replicate-To-Realm. Use radrelay.
+ * Print & parse unknown attributes as Attr-%d, Vendor-%d-Attr-%d,
+ or VendorName-Attr-%d.
+ * rlm_passwd is now marked "stable", and has many bugs fixed.
+ * More flexible configuration for rlm_ldap.
+ * New implementation of parser for Ascend's data filter
+ attributes, that is now thread-safe and GPL'd.
+ * Preliminary (not entirely complete) support for IPv6 attributes,
+ including IFID.
* Added support for rejected packets to run an Post-Auth-Type REJECT
stanza instead of skipping post-auth entirely.
+ * Added support for %{*:Packet-Type} translation. (Not for %{check:})
* Added support for %{check:Attribute-Name} to go with
%{request:Attribute-Name} and the like.
+ * Add support to rlm_sql for post-authentication query execution.
+ * Add support to rlm_sql for accounting_update_query_alt
+ * Add support for supplementary groups of switched-to user
+ * Add support for xlat-ing backquoted reply values from SQL queries.
+ * Add Public Domain MD5 implementation by Colin Plumb
+ * Add Public Domain MD4 implementation by Colin Plumb and
+ Todd C. Miller
+ * Remove smbdes.c from libradius, and add to rlm_mschap and
+ rlm_eap_leap
+ * Replace GPL'd snprintf.c in libradius with LGPL'd snprintf.[ch]
+
+ EAP-module feature improvements
+ * Allow checking of EAP identity against certificate.
+ * EAP-TLS now checks Certificate Revocation List
+ * Added EAP-TTLS support in rlm_eap. Tested with many clients,
+ and with tunneled PAP, CHAP, MS-CHAP, MSCHAPv2, EAP-MD5,
+ EAP-MSCHAPv2, and EAP-GTC.
+ * Added EAP-PEAP support, with tunneled EAP-MSCHAP-V2, and EAP-GTC.
+ Patch from Masao Nishiku. (Many, many thanks!)
+ * Added EAP-SIM.
+ * Enabled proxying of the authentication request which is tunneled
+ inside of PEAP and TTLS.
+
+ Utility improvements
+ * Add support to checkrad.pl for mikrotik-brand NASs over SNMP
+ * Added rlm_ippool_tool, by Edwin Groothuis.
+ * Updates to radclient, so that you can specify multiple '-f'
+ options, and it will send those packets in parallel. This
+ allows for significantly higher packet rates when load testing.
+
+ Bug fixes
+ * Fix a bug in the attr_filter module, which would throw away
+ the tag from tagged attributes.
+ * Bug fixes to thread handling from Malcolm Caldwell.
+ * Fixed a bug in libltdl which printed the wrong error message
+ when trying to link to a library. Found by Paul Stewart.
+ * Correct error condition in rlm_krb5. Patch from Jon Moore.
+ * Updates for 64-bit systems.
+ * Patch to make ctime_r work on non-compliant platforms.
+ Patch from Oliver Graf.
+ * Updates to rlm_ippool for stability.
+ * Catch packets which are just about 4K in size.
+ Bug found by Nils-Henner Krueger.
+ * Many fixes to the SQL module & sub-modules.
+
+FreeRADIUS 0.9.3 ; Date: 2003/11/20 20:15:48, urgency=high
+
+ * Change rlm_eap to not log an error if given a non-EAP packet
+ * Fix rlm_ippool's call to pod2man for perl versions before 5.6
+ * Fix a remote DoS and due to mis-handling of tagged attributes,
+ and Tunnel-Password attribute.
+
+FreeRADIUS 0.9.2 ; Date: 2003/10/14 19:00:09, urgency=low
+
+ * New rlm_ippool code to fix IP leaks
+ * New rlm_ippool_tool for manipulation of rlm_ippool databases
+
+ * Change radrelay to reject records without an Acct-Status-Type attribute
+ * Change rlm_counter to reject packets which predate last server reset
+ * Change version output to include GNU GPL information
+ * Change rlm_ldap to output bad search filters
+
+ * Fix compilation of various modules when not building with pthreads
+ * Fix segfault due to poorly initialised value in rlm_mschap
+ * Fix to only reject packets once
+ * Fix rlm_exec to work when wait=no
+ * Fix rlm_attr_filter to work in post-proxy (as intended)
+ * Fix rlm_sql to only try to load SQL drivers
+ * Fix to orrectly limit size of RADIUS packets
+ * Fix usage information to output to stdout when used with -h flag
+ * Fix configure to assume gethostbyname is BSD-Style on FreeBSD
FreeRADIUS 0.9.1 ; Date: 2003/09/04 14:56:34, urgency=low
garbage it previously showed.
* Cleaned up header files and function prototypes for the SQL
sub-modules.
-
+
FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high
* Allow attributes of type 'date' to be sent in outgoing packets.
'make install'
* Fixed EAP module to use 16-bit integers, so that it will
work on big-endian architectures.
-
+
FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium
* Many bug fixes. For explicit details, see:
* Added support for Exec-Program to acct. Bug found by
<magmike@mail.ru>
* Corrected rlm_files so that raddb/acct_users works
- * When doing synchronous proxying, update proxy next try
+ * When doing synchronous proxying, update proxy next try
entries, so that the server doesn't eat CPU time.
Raghu <raghud@hereuare.com>
* Add primitive dictionary.nomadix <CBoyd@apogeetelecom.com>
projects / freeradius.git / blobdiff