-FreeRADIUS 1.1.0 ; $Date$, urgency=low
- * Now uses autoconf 2.5x, and the various associated tools.
- * Include ucd-snmp-config.h, fixing use of net-snmp's
- ucd-snmp backwards compatibility mode.
- * Move the Login-Time,Current-Time,Expiration attribute handling
- to new modules rlm_logintime and rlm_expiration.
- * Added %{mschap:NT-Hash <passwd>} and %{mschap: LM-Hash <passwd>},
- and update rlm_pap to handle NT/LM-hashed passwords.
- * New rlm_protocol_filter, which permits/denies requests containing
- certain attributes.
- * Don't escape printed strings during xlat's, to avoid the
- infinite expansion of backslashes..
- * Better checks on incoming packets, so that rad_decode() doesn't
- leak memory, or memcpy infinite amounts of data on bad packets.
+FreeRADIUS 1.1.3 ; $Date$, urgency=low
+
+ Feature improvements
+ * rlm_otp now talks to otpd for OTP verification, rather than
+ doing the work itself; this improves portability and security
+ (access to OTP token keys is now much more limited)
+
+ Bug fixes
+ * Fixed configure/make error for Solaris (set HAVE_CLOSEFROM).
+ * Update libtool and ltdl to 1.5.22, to fix 'make install R=';
+ also improve integration by importing unmodified original
+ source
+
+FreeRADIUS 1.1.2 ; $Date$, urgency=low
+
+ Feature improvements
+ * Allow tagged VSA's for Juniper. Closes bugs #367 and #368.
+ * Allow Ascend "abinary" format to be specified as octets,
+ (e.g. Ascend-Data-Filter = 0x010203...)
+ * Added "cipher_list" configuration to the EAP-TLS module.
+ See "eap.conf" and "man 1 cipher" for details.
+ * Added "check_cert_issuer" configuration to the EAP-TLS module.
+ See "eap.conf" for details. (closes: #346)
+ * Added "suppress" configuration entry to rlm_detail,
+ to suppress certain attributes (e.g. User-Password).
+ This closes bug #359.
+ * More dictionary updates
+ * Write SSL errors to log file, rather than stderr.
+ This closes bug #347.
+ * Allow a core dump on uid change on Linux (closes: #361)
+
+ Bug fixes
+ * Return better error codes in SQL IODBC module. Closes bug #341.
+ * Corrected list of EAP handlers.
+ * Initialize variable in rlm_ldap.c. This fixes RedHat
+ bug #136468.
+ * Escape more ldap strings, so configuration entries
+ that have magic LDAP characters don't break LDAP.
+ This closes bug #360.
+ * Updated doc/rlm_ldap. This closes bug #353.
+ * Updated redhat/freeradius.spec. This closes bug #330.
+ * Don't forcibly over-write Auth-Type in the mschap module.
+ This prevents an earlier module from forcing reject.
+ * Use the correct module reference in the authenticate section,
+ where Auth-Type wasn't explicitely specified.
+ * If there are typos in a subsection in radiusd.conf, exit
+ after printing an error, rather than continuing.
+ * Print Ascend "abinary" format as text rather than octets
+ when we receive it.
+ * Silently drop packets with bad Message-Authenticators, as per RFC3579
+ * Unbreak ./configure --disable-static (closes: #350)
+ * Unbreak ./configure --prefix (closes: #354)
+
+FreeRADIUS 1.1.1 ; Date: 2006/03/17 19:50:34, urgency=low
+
+ Security fixes
+ * Additional state checking in the EAP-MSCHAPv2 module.
+ Bug found by Steffen Schuster.
+
+ Feature improvements
+ * More dictionary updates
+ * Additional tests and fixes for Digest module from Phillipe Sultan.
+ * Add new "phone" response mode to rlm_otp/cryptocard.
+ * Put the eap sessions into a tree, so that looking them up is very
+ fast, and no longer O(n) in the number of sessions.
+ * Install the schema examples for a set of backends with the rest
+ of the documentation.
+ * Add support for xlat expansion of attributes from LDAP.
+
+ Bug fixes
+ * Fix rlm_perl crash. (closes: #348)
+ * Fix handling of CoA-Request packets (close #344). Also correct
+ name of CoA packets.
+ * Fix an error on x86_64 machines when reading dictionaries.
+ (closes: #312)
+ * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
+ module. (closes: #314 #328)
+ * Workaround Cisco bug in State attribute handling in rlm_otp.
+ * Support LP64 for async mode in rlm_otp.
+ * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
+ modules. (closes: #75)
+ * Make "use_tunneled_reply" work properly for PEAP.
+ * Copy the whole string when getting a one-to-one-mapped attribute
+ from LDAP (closes: #261)
+ * Fix net-snmp's ucd-snmp compatibility mode.
+
+FreeRADIUS 1.1.0 ; Date: 2006/01/04 05:55:19, urgency=low
+
+ Feature improvements
+ * rlm_ldap has "set_auth_type" configuration option, which should
+ address some configuration problems when using it.
+ * Fix MIT Kerberos bug
+ * Modules can be load balanced, both in isolation and redundantly.
+ See doc/load-balance.txt for more information.
+ * rlm_perl is now marked "stable"
+ * N-tier certificate patch from Mohammed Petiwala.
+ * Copied dictionaries from the CVS head (many, many, more vendors)
+ * Enabled support for weird VSA formats, like Lucent and Starent.
+ * Support encrypted IP address and integers, for Juniper clients.
+ * Add PEAP machine authentication support in module "rlm_mschap".
+ * Support User-Password field encryption in digest mode.
+ * rlm_x99_token has become rlm_otp (with lots of changes).
+ * Add rlm_sqlcounter to the list of stable modules.
+ * Read MySQL specific options in sections [freeradius] and [client]
+ from file "my.cnf".
+ * Support the ${Cisco-AVPair[n]} syntax.
+ * Execute modules in {Pre,Post}-Proxy-Type stanzas.
+ * Add new options to radclient to run stress tests on the server.
+ * New module "rlm_sql_log" to postpone the storage of accounting data
+ in a SQL database. See rlm_sql_log(5) manpage.
+ * New program "radsqlrelay" which sends the SQL logfile according to
+ the SQL server's capabilities.
+
+ Bug fixes
+ * #306 (HUP when built with threads, but executed with -s)
+ * #285 (more attributes in dictionary.cisco.vpn3000)
+ * rlm_digest has a number of bug fixes to authentication types.
+ * Don't leak memory in module "rlm_sql".
* Update the dictionaries, so that VALUEs with the same name,
but different numbers, aren't allowed.
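Review bot: the removed block at the top drops "Better checks on incoming packets, so that rad_decode() doesn't leak memory, or memcpy infinite amounts of data on bad packets", and I can't find it restated in the added 1.1.x sections. If that change is in this branch, keep the entry, ideally under a "Security fixes" heading like the one 1.1.1 uses, since it describes hardening of packet parsing. The rlm_protocol_filter and rlm_logintime/rlm_expiration entries disappear the same way and need the same check. Separately, the 1.1.2 header still reads "$Date$" while 1.1.1 and 1.1.0 carry real dates; fill it in now that 1.1.3 sits above it.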
- * rlm_eap now uses trees, rather than linked lists, to maintain
- it's list of active sessions.
- * Silently drop packets with bad Message-Authenticators, as per RFC3579
- * Add Message-Authenticator to rlm_digest sample.
+ * Queue the request before looking for available threads.
+ * Don't free the check items after we received the proxy reply.
+ * Expand config variables in included files, too.
+ * Check the return value of accounting modules and don't proxy
+ invalid requests.
+ * In rlm_passwd, don't close a file stream more than once.
+ * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
+ * Walk the whole string in when escaping strings in rlm_ldap.
+ * Include crypt.h if it is available so we get a prototype for crypt(),
+ spotted by Konstantin Kubatkin.
+ * Removed (for almost all uses) length restrictions on vendor names
+ and VALUE names.
+ * Don't leak memory when proxying an Access-Challenge response.
+ * Make the sleep time user-defined, so radrelay can send more than
+ 7 requests/s.
+ * Fix a memory leak in rlm_checkval.
+ * radclient doesn't resend countless times packets with invalid
+ signature.
+ * Fix segfault and mem leak in rlm_pam.
+
+FreeRADIUS 1.0.5 ; Date: 2005/09/04 16:23:00, urgency=medium
+
+ Security Fixes
+ * SQL injection attack in the module "rlm_sqlcounter".
+ * Buffer overflows in the module "rlm_sqlcounter".
+ * Expansion of variable %t may write 26 bytes beyond the buffer
+ bound. Primoz Bratanic is credited with the discovery of these
+ three bugs.
+
+ Bug fixes
+ * Don't de-reference a NULL pointer if the auth-type is unknown
+ in the function rad_check_password().
+ * Escape more characters in the LDAP queries.
+ Bug found by Suse engineers.
+ * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
+ it leaks memory.
+ * Fix an off-by-one error in the module rlm_sql_unixodbc.
+ Bug found by Suse engineers.
+ * In rlm_sql, resize the buffer for the value of SQL-User-Name.
+ * Initialize memory for a new SQL socket in the module rlm_sql.
+ * Don't add too many attributes after running an external program.
+ Bug found by Suse engineers.
+ * Fix an off-by-one error in the function getthing().
+ * snprintf() and vsnprintf() replacements were not compiled if
+ the autoconf tests didn't find the functions.
+ * Don't use vsprintf() anymore, but the replacement for vsnprintf()
+ in libradius instead.
+ * The function decode_attribute() may write beyond buffer bounds.
+ Bug found by Suse engineers.
+ * Fix a memset() in the function request_enqueue() which was
+ begining at the wrong address. Bug found by Matthias Ruttman.
+ * Fix an off-by-one error in the function xlat_copy().
+ Bug found by Primoz Bratanic.
+ * Fix other off-by-one errors in module "rlm_unix", too.
+ Bug found by Allan Bazinet.
+ * Fix a 2-byte over-run read in function rad_decode().
+ * Update thread pool queue properly.
+ * Autonconf tests try first any user-specified directory,
+ otherwise they may pick up the wrong version.
+ * Delete the autoconf tests for the libldap dependancies.
+ * Install all the regular files under the "doc" directory.
+ * Distinguish between exit code <0 (failure) and >0 (reject)
+ in Exec-Program-Wait. Patch from Thor Spruyt.
+ * Make Expiration work.
+ * Clean up the code for opening a proxy socket.
+ * When finding a realm to proxy to, if all are dead, wake them
+ if wake_all_if_all_dead is true.
+ * In radwho, print the NAS-Port as unsigned int.
+ * Use extended regex instead of basic regex in rlm_attr_filter.
+ * Catch the case where someone deletes a directory that rlm_detail
+ is using.
+ * Use the variable $(LDFLAGS) when linking a module.
+ * Ignore the Stripped-User-Name when a realm has the "nostrip"
+ directive.
+ * Add support for NT-Password in rlm_pap.
+ * In rlm_sqlcounter, use the time left to the next reset if it's
+ inferior to the time left in the counter.
+ * Calculate Message-Authenticator correctly for Accounting-Request
+ and Accounting-Response. Bug found by Paolo Rotela.
+ * Build on MAC OS X. Still need --disable-shared, though.
+ * Fix bug #255 (crash with expired CRL's, etc.)
+ * Fix quote removal of the values from a SQL database.
+ * Reap the zombie process after a command run from "Exec-Program".
+ * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
+ * Don't copy VSA's to an Access-Reject packet.
+
+FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
+
+ * Fix installation problem.
+ * Increase a buffer size, so radrelay doesn't truncate values.
+ * Updates in the documentation. Patches from Thor Spruyt.
+
+FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
+
+ Security Fixes
+ * Always escape the strings in the SQL module.
+ * Check buffer bound when input character needs escaping in
+ the SQL module. Bug found by Primoz Bratanic.
+
+ Bug fixes
+ * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
+ * Don't send Proxy-State from home server in TTLS.
+ * Fixes for forking external programs, so the server doesn't
+ suddenly stop processing requests, or stop forking programs.
+ * radzap now works, but it's command-line options have changed
+ completely, and it's a shell script.
+ * radwho has updated command-line options, and no longer reads
+ Unix "utmp" files.
+ * Fix bug in calling checkrad script with NAS port > 9999999
+ * Fix long-standing bug when both crypt and pthreads are in use
+ * Don't SEGV when rlm_sql gets 'NULL' value from request.
+ * Re-arrange code in radrelay to not duplicate accounting packets.
+ * In rlm_attr_rewrite, change the value when the attribute type
+ is different from string.
+
+FreeRADIUS 1.0.2 ; Date: 2005/02/13 01:03:20, urgency=medium
+
+ * Novell eDirectoty support. Patch from Novell.
+ * localweb & Trapeze dictionary updates.
+ * EAP-SIM fixes.
+ * Make "Strip-User-Name = No" work.
+ * Don't declare zero-length arrays in rlm_passwd
+ * Bug fix to make udpfromto code work
+ * radrelay shouldn't dump core if it can't read a VP from the
+ detail file.
+ * Only initialize the random pool once.
+ * In rlm_sql, don't escape characters twice.
* Fix MD4 calculation on big-endian machines.
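Review bot: the 1.0.5 header is marked urgency=medium although its "Security Fixes" list names an SQL injection and buffer overflows in rlm_sqlcounter plus a 26-byte write past the buffer in %t expansion, while 1.0.3 is urgency=high for SQL escaping and buffer-bound fixes of the same class. Raise 1.0.5 to high, or state why it is lower. The first two bullets there also name the flaw rather than the change ("SQL injection attack in the module ..."); word them as fixes. Spelling in the added lines needs a pass: "begining", "Autonconf", "dependancies", "eDirectoty", "Walk the whole string in when escaping", and "explicitely" further up in the 1.1.2 section.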
- * Correct handling of post-auth REJECT stanza to include externally and
- proxy-received rejections. (Bugzilla bug #149)
+ * In rlm_ldap, only claim Auth-Type if a plain text password is present.
+ * Treat Quintium VSAs like Cisco VSAs
+ * Locking fixes in threading code
+ * rlm_krb5 includes /usr/include/et for Fedora Core
+ * Fix post-auth REJECT stanza processing for rejections from external
+ processes or home RADIUS servers
+ * Fix building on gcc-4.0 by not trying to access static auth_port from
+ other files.
* Fix building SNMP support on Solaris 9, which needs -lkstat
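Review bot: the reworded post-auth REJECT entry loses the "(Bugzilla bug #149)" reference that the removed lines carried. Keep the bug number on the new wording so the entry stays traceable, in the same way the 1.1.x sections tag entries with "(closes: #...)".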
-FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03, urgency=high
+FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03 , urgency=high
+
Denial-of-Service Security Fix
* Fix two remote crashes and a memory leak in RADIUS packet
decoding.
- Bug fixes.
+ Bug fixes
* Fix premature "success" during EAP/TLS handshake.
* Dictionary handling now complains about identically named
values with different values, and rejects dictionary
* Update dictionaries to deal with the above change.
FreeRADIUS 1.0.0 ; Date: 2004/07/17 06:31:32, urgency=low
+
pre3 -> release
* Fix LDAP dictionary map loading.
- * Check login time allowance to packet timestamp where available.
- * Compilation fix for machines without <pthread.h>.
+ * Check login time allowance to packet timestampe where available.
+ * Compilation fix for machines withouth <pthread.h>.
* Man page improvements.
* Grab latest config.sub and config.guess (2004-03-12).
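Review bot: both replacement lines in the "pre3 -> release" list introduce typos that the removed lines did not have: "timestampe" for "timestamp" and "withouth" for "without". Nothing else changes in those two entries, so drop this -/+ pair from the patch or restore the original spelling.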
garbage it previously showed.
* Cleaned up header files and function prototypes for the SQL
sub-modules.
-
+
FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high
* Allow attributes of type 'date' to be sent in outgoing packets.
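Review bot: the -/+ pair before the "FreeRADIUS 0.7" header reads identically on both sides, so it can only be a whitespace change; the pairs before "FreeRADIUS 0.5.0" and on the "synchronous proxying" line further down are the same. If this is trailing-whitespace cleanup, split it into its own change so the changelog content edits are easier to review.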
'make install'
* Fixed EAP module to use 16-bit integers, so that it will
work on big-endian architectures.
-
+
FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium
* Many bug fixes. For explicit details, see:
* Added support for Exec-Program to acct. Bug found by
<magmike@mail.ru>
* Corrected rlm_files so that raddb/acct_users works
- * When doing synchronous proxying, update proxy next try
+ * When doing synchronous proxying, update proxy next try
entries, so that the server doesn't eat CPU time.
Raghu <raghud@hereuare.com>
* Add primitive dictionary.nomadix <CBoyd@apogeetelecom.com>