-FreeRADIUS 3.0.11 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
+FreeRADIUS 3.0.15 Fri 26 May 2017 13:00:00 EDT urgency=medium
+ Feature improvements
+ * Provide HOSTNAME in default systemd files.
+ * Incorporate RedHat specific files
+ * Update dictionary.starent, dictionary.ruckus
+ * Allow builds without TCP or DHCP
+
+ Bug fixes
+ * Fix multiple issues. See this web page for details:
+ http://freeradius.org/security/fuzzer-2017.html
+ * Pass correct statement length into sqlite3_prepare[_v2]
+ * Bind the lifetime of program name and python path to the module
+ * Check input / output length in make_secret().
+ CVE-2017-10978.
+ * Fix read overflow when decoding DHCP option 63
+ CVE-2017-10983.
+ * Fix write overflow in data2vp_wimax()
+ CVE-2017-10984.
+ * Fix infinite loop and memory exhaustion with 'concat' attributes
+ CVE-2017-10985
+ * Fix infinite read in dhcp_attr2vp()
+ CVE-2017-10986.
+ * Fix buffer over-read in fr_dhcp_decode_suboptions()
+ CVE-2017-10987.
+ * use strncmp() instead of memcmp() for bounded data
+ * Decode 'signed' attributes correctly.
+ * print messages when we see deprecated configuration
+ items
+ * show reasons why we couldn't parse a certificate
+ expiry time
+ * be more accepting about truncated ASN1 times.
+ * Fix OpenSSL API issue which could leak small amounts
+ of memory. Issue reported by Guido Vranken.
+ * For Access-Reject, call rad_authlog() after running
+ the post-auth section, just like for Access-Accept.
+ * don't crash when reading corrupted data from session
+ resumption cache. Fixes #1999.
+ * Parse port in dhcpclient. Fixes #2000.
+ * Don't leak memory for OpenSSL.
+ Patch from Guido Vranken.
+ * Portability fixes taken from OpenBSD port collection.
+ * run rad_authlog after post-auth for Access-Reject.
+ * Don't process VMPS packets twice.
+ * Fix attribute truncation in rlm_perl
+
+FreeRADIUS 3.0.14 Fri 26 May 2017 13:00:00 EDT urgency=medium
+ Feature improvements
+ * Enforce TLS client certificate expiration on
+ session resumption, and Session-Timeout.
+ See CVE-2017-9148.
+ * Updated dictionary.cisco.vpn3000, dictionary.patton
+ * Added dictionary.dellemc
+ * Lowered the log output for failed PEAP sessions.
+ * ALlow utc in rlm_date. Patch from
+ Peter Lambrechtsen.
+ * The internal OpenSSL session cache has been
+ disabled. Please see mods-available/eap
+ * Update detail reader documentation.
+ Patch from Matthew Newton. Fixes #1973.
+ * Make outgoing RadSec connections non-blocking.
+ * Add SQL backing to Moonshot-*-TargetedId
+ generation. Patch from Stefan Paetow.
+
+ Bug fixes
+ * radtest uses Cleartext-Password for EAP, not
+ User-Password.
+ * Update documentation for mods-enabled/ linking.
+ * Enhanced checks for moonshot salt. Fixes #1933.
+ * Allow session resumption for RadSec connections.
+ Fixes #1936.
+ * Update "huntgroups" file to note that port ranges
+ are not supported.
+ * Fix OpenSSL permissions issues on default key files.
+ Fixes #1941.
+ * Certificates are not required when PSK is used.
+ * Allow SubjectAltName as first extension in cert.
+ Fixes #1946.
+ * Fixed talloc issue with TLS session resumption.
+ Fixes #1980.
+ * "&Attr-26 := 0x01" now produces useful error messages.
+ * Handle connection error in rlm_ldap_cacheable_groupobj.
+ Fixes #1951.
+ * Fix endian issues in DHCP.
+ * Multiple minor fixes for Coverity complaints.
+ * Handle unexpected regex. Fixes #1959.
+ * Fix minor issues in dictionaries.
+ * Fix typos and grammar. Patches from Alan Buxey.
+ * Fix erroneous VP creation in rlm_preproces.
+ * Fix MIB. Patch from Jeff Gehlbach.
+ * Trust router updates from Alejandro Perez.
+ * Allow build with LibreSSL. Fixes #1989
+ * Use correct packet for channel bindings. Fixes #1990.
+ * Many fixes found by PVS-Studio. Thanks to PVS-Studio
+ for giving us a test license. Please see the git commit
+ history for more information.
+ * Fix incorrect length check in EAP-PWD. This may
+ be exploitable.
+
+FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
+ Feature improvements
+ * Add dictionary.rfc7930. Note that we do not implement
+ the RFC.
+ * Added 'cipher_server_preference' to mods-available/eap
+ Patch from #1797.
+ * OpenSSL 1.1.0 compatibility fixes.
+ * rlm_perl: radiusd::xlat to evaluate xlat string
+ within perl script
+ * Allow authentication retry in winbind. Patch from
+ Herwin Weststrate. See raddb/mods-available/mschap.
+ * Added "recv-coa" method to rlm_rest. It behaves the
+ same as "authorize".
+ * Document Trust Router tr_port option. Patch from
+ Stefan Paetow.
+ * Update elasticsearch/logstash examples so that they work
+ with elastic stack v5. Patch from Matthew Newton.
+ * Print information about packets, replies, and contents
+ in the detail file reader.
+ * Update abfab-tr policy. Pull request #1893
+ from Stefan Paetow.
+ * Reject packets which contain User-Password and
+ EAP-Message.
+ * Add example for filtering Access-Challenge.
+ See sites-enabled/default.
+ * Pull symlink fixes from v4.0.x. Fixes #1859.
+ * Add systemd reload. Not everything is reloaded, but
+ some is. Fixes #1662.
+ * Better documentation for listen "ipaddr". Fixes #1921
+ * Add dictionary.cnergee, updated dictionary.nomadix.
+ * radclient no longer needs -x to print statistics with -s.
+
+ Bug fixes
+ * Minor typos. Fixes #1763
+ * Fix typo in RPM build. Closes #1767.
+ * rlm_mschap check for password expiry only
+ if password was correct. Fixes #1762.
+ * Update debian build.
+ * update rlm_counter "man" page. Fixes #1775.
+ * Remove erroneous assert. Fixes #1778.
+ * fix mschap password change test. Fixes #1792.
+ * Cleanup config file on data remove. Fixes #1795.
+ * passwd module returns "notfound" if not found.
+ * Check for old OpenSSL, and don't build rlm_eap_fast
+ if it necessary. Fixes #1803
+ * Cleanup memory better after ldap version query.
+ Patch from Aleksey Katargin.
+ * Rename lt_* functions to avoid linker issues with
+ libtool. Fixes #1277
+ * Many miscellaneous fixes and typos.
+ * Allow long strings in %{%{foo} bar:-%{baz} blah".
+ Fixes #1866
+ * Fix filtering operators, along with more documentation and
+ more tests for them.
+ * Fix OpenSSL fixes. Fixes #1876.
+ * Finish SQL select queries even when SELECT returns no rows.
+ Fixes #1879.
+ * Set Module-Failure-Message for more EAP errors.
+ * Correct typo in dictionary.rfc5580. Fixes #1882
+ * Remove obselete systemd syslog.target.
+ * Client-Port-Balance load-balancing now uses client port.
+ * Radrelay examples fixed from Alex Clouter.
+ * Update systemd target. Pull request #1896.
+ * Trim starting whitespace in xlat strings.
+ * Get MySQL result lengths using normal API.
+ * suid down after fchown(). Fixes #1914.
+ * Fix cases of comparing pointer to NUL character. Fixes #1915.
+ * OpenSSL v1.1 fixes. Pull request #1921.
+ * Better Handle v4/v6 host names. Pull request #1919.
+ * Remove "Auth-Type = System" from docs and examples.
+ * Don't crash on malformed %{home_server}. Fixes #1922
+ * fix erroneous use of talloc destructor in rlm_eap
+ * Issue trigger modules.sql.fail. Fixes #1923
+ * Document python_path gotcha's. Fixes #1845
+ * dlopen() the specific version of Python. Fixes #1592
+
+FreeRADIUS 3.0.12 Thur 29 Sep 2016 13:00:00 EDT urgency=medium
+ Feature improvements
+ * Add support for =~ and !~ in update sections.
+ See "man unlang"
+ * Add dictionary.checkpoint.
+ * Simultaneous-Use prints out more information.
+ * Print WARNING in debug mode when packets may be
+ truncated.
+ * Added expansions %{home_server:state} and
+ %{home_server_pool:state}, which show the
+ state of the server / pool.
+ * Mark rlm_sql_freetds as stable.
+ * Make rlm_perl less fragile. Patch from
+ Herwin Weststrate.
+ * Allow extended attributes to have "encrypt=2"
+ * Update dictionary.aruba.
+ * Add support for EAP-FAST. This is an isolated
+ feature which does not affect anything else.
+ * Update OpenSSL vulnerability list. Use a version
+ of OpenSSL released after September 20, 2016.
+ * EAP certificate verification is now done when
+ "verify" is enabled and "ocsp" is disabled.
+ * New dhcpclient and rlm_rad_counter man pages.
+ * Minor abfab and moonshot additions.
+ * Pass CFLAGS through from environment in RPM builds.
+ Allows more custom builds.
+ * Build with Heimdal in addition to libkrb5.
+
+ Bug fixes
+ * Use correct typedef for older versions of sqlite.
+ * Update mssql schema to add priority
+ * Don't complain on /dev/urandom in ldap
+ * Fix == operator in update sections
+ * Don't create DHCP strings with many trailing zeros.
+ Patch from Nicolas C. Fixes #1526.
+ * Allow MS-CHAP change passwords instead of complaining
+ on large buffer.
+ * Allow assignment or equality operator on SQL.
+ * Update aclocal tests for FreeBSD 10. Patches from
+ Mathieu Simon.
+ * Remove occasional hang in rlm_linelog.
+ * Copy VSAs to inner tunnel for TTLS and PEAP.
+ Fixes #1544
+ * A few minor bugfixes caught in v3.1.x cleanup, and
+ back-ported to v3.0.x.
+ * do_not_respond again works in post-proxy
+ * Allow realm "~^.*$" {} and User-Name with no realm.
+ * Fix leak when creating unknown attributes
+ * Fix Debian / logrotate.
+ * Make OpenSSL error functions thread-safe.
+ * Fix crash with rlm_sql and updating SQL-User-Name.
+ * Debian build updates.
+ * Allow regular expression comparisons in radclient
+ fixes #1574.
+ * Fix memory leak on unknown attributes in detail file
+ reader.
+ * Update example paths in "man" pages when installing
+ them
+ * Build fixes for rlm_mschap. Fixes #1489.
+ * BSD build fixes. Patch from issue #1583.
+ * Be more careful about /lib/ when building.
+ Fixes #1585.
+ * Correct ifdef placement error. Fixes #1572.
+ * Allow for more files in internal "exfile" API
+ So it will be possible to open more than 64
+ "detail" files at the same time.
+ * Remove support for statically built EAP modules.
+ Fixes #1591.
+ * Many fixes to rlm_python from Guillaume Pannatier.
+ * Use correct week adjustment in SQLcounter.
+ Fixes #1608
+ * Minor fixes to allow compilation without DHCP,
+ VMPS, or TCP.
+ * Fix checks for module / config file change on HUP.
+ * Compile regex comparisons when sent via
+ "debug condition". Fixes #1632.
+ * Update filenames in documentation and examples.
+ Patch from Alan Buxey, #1655.
+ * Don't crash if SQL connection becomes unavailable.
+ Fixes #1640.
+ * Disallow originate_coa when proxy_requests = no
+ Fixes #1684.
+ * Free rad_perlconf_hv in correct perl context.
+ Fixes #1675.
+ * Multiple fixes for Debian builds. #1510, among
+ others.
+ * Set OpenSSL FIPS compatibility flag when necessary.
+ * Pulled fixes for the build system over from other
+ branches.
+ * Fix OCSP for RADIUS over TLS.
+ * Fix skip_if_ocsp_ok behavior.
+ * Better fixes for systems without closefrom() but
+ which have /proc. Fixes #1757.
+ * Minor build fixes back-ported from v4.0.x.
+ * build --whout-ascend-binary. Fixes #1761.
+ * Be more aggressive about not opening new connections
+ in debug mode after CTRL-C. Address #1604.
+
+FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
Feature improvements
* "unlang" comparisons of IP addresses to IP prefixes
are now detected, and types automatically cast.
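Review bot: the new 3.0.15 header reuses the 3.0.14 header's timestamp verbatim ("Fri 26 May 2017 13:00:00 EDT"), which looks like a copy-paste from the entry below it; set it to the actual 3.0.15 release time. In the 3.0.15 bug-fix list the Access-Reject logging change is recorded twice ("For Access-Reject, call rad_authlog() after running the post-auth section" and "run rad_authlog after post-auth for Access-Reject"), so one of the two can go, and "CVE-2017-10985" is missing the trailing period the other CVE lines carry. In 3.0.14, "Fix incorrect length check in EAP-PWD. This may be exploitable." is the last item of a long list of minor fixes; anyone reading the changelog to judge upgrade urgency would find it more easily at the top of the section, next to the CVE-2017-9148 item, or with a reference attached. Typos in added lines worth fixing before merge: "ALlow", "rlm_preproces", "obselete", "--whout-ascend-binary", and "if it necessary".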
by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for
native winbind in rlm_mschap.
* TTLS and PEAP now require "virtual_server" to be a real server.
- * Print WARNIGN when TTLS or PEAP identities are spoofed
+ * Print WARNING when TTLS or PEAP identities are spoofed
or not properly anonymized. See RFC 7542 for requirements.
+ * Various rlm_python fixes from Herwin Weststrate.
+ * Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
+ which is useful when the home server does not respond.
+ * elasticsearch updates from Matthew Newton
Bug fixes
* Fix issue where field nas_type would not be accessible via
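Review bot: "Various rlm_python fixes from Herwin Weststrate." is added under "Feature improvements", but as worded it is a bug-fix entry and belongs in the "Bug fixes" list that follows; naming the user-visible fixes would also make the entry more useful than "Various". The added "elasticsearch updates from Matthew Newton" line is missing the trailing period used by the neighbouring entries.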
the '.' will now be escaped. See src/tests/keywords/regex-escape.
* Use correct authentication vector when sending Access-Reject replies
for RadSec.
+ * Set FreeRADIUS-Proxied-To in TTLS again. You should use the
+ "inner-tunnel" virtual server, instead of relying on this attribute.
+ * Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
+ * Add samba-dev / samba4-dev to debian builds so that rlm_mschap can
+ automatically use the new winbind API.
+ * Automatically skip zero-length attributes when sending packets,
+ instead of erroring out.
FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
Feature improvements
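Review bot: the added entry "Automatically skip zero-length attributes when sending packets, instead of erroring out." records a change from a hard error to a skip without saying whether anything is logged when an attribute is dropped; say so in the entry, because an attribute that is silently left out of a packet is harder to diagnose than the previous error. The "Set FreeRADIUS-Proxied-To in TTLS again" entry restores the attribute and advises against relying on it in the same item; if it is kept only for compatibility, saying that explicitly would make the intent clear to readers.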