-FreeRADIUS 3.0.11 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
+FreeRADIUS 3.0.12 Mon 25 Jan 2016 14:00:00 EST urgency=medium
+ Feature improvements
+ * Add support for =~ and !~ in update sections.
+ See "man unlang"
+ * Add dictionary.checkpoint.
+ * Simultaneous-Use prints out more information.
+ * Print WARNING in debug mode when packets may be
+ truncated.
+ * Added expansions %{home_server:state} and
+ %{home_server_pool:state}, which show the
+ state of the server / pool.
+ * Mark rlm_sql_freetds as stable.
+ * Make rlm_perl less fragile. Patch from
+ Herwin Weststrate.
+ * Allow extended attributes to have "encrypt=2"
+ * Update dictionary.aruba.
+ * Add support for EAP-FAST. This is an isolated
+ feature which does not affect anything else.
+ * Update OpenSSL vulnerability list. Use a version
+ of OpenSSL released after September 20, 2016.
+ * EAP certificate verification is now done when
+ "verify" is enabled and "ocsp" is disabled.
+
+ Bug fixes
+ * Use correct typedef for older versions of sqlite.
+ * Update mssql schema to add priority
+ * don't complain on /dev/urandom in ldap
+ * fix == operator in update sections
+ * Don't create DHCP strings with many trailing zeros.
+ Patch from Nicolas C. Fixes #1526.
+ * Allow MS-CHAP change passwords instead of complaining
+ on large buffer.
+ * Allow assignment or equality operator on SQL.
+ * Update aclocal tests for FreeBSD 10. Patches from
+ Mathieu Simon.
+ * Remove occasional hang in rlm_linelog.
+ * Copy VSAs to inner tunnel for TTLS and PEAP.
+ Fixes #1544
+ * A few minor bugfixes caught in v3.1.x cleanup, and
+ back-ported to v3.0.x.
+ * do_not_respond again works in post-proxy
+ * Allow realm "~^.*$" {} and User-Name with no realm.
+ * Fix leak when creating unknown attributes
+ * Fix Debian / logrotate.
+ * Make OpenSSL error functions thread-safe.
+ * Fix crash with rlm_sql and updating SQL-User-Name.
+ * Debian build updates.
+ * Allow regular expression comparisons in radclient
+ fixes #1574.
+ * Fix memory leak on unknown attributes in detail file
+ reader.
+ * Update example paths in "man" pages when installing
+ them
+ * Build fixes for rlm_mschap. Fixes #1489.
+ * BSD build fixes. Patch from issue #1583.
+ * Be more careful about /lib/ when building.
+ Fixes #1585.
+ * Correct ifdef placement error. Fixes #1572.
+ * Allow for more files in internal "exfile" API
+ So it will be possible to open more than 64
+ "detail" files at the same time.
+ * Remove support for statically built EAP modules.
+ Fixes #1591.
+ * Many fixes to rlm_python from Guillaume Pannatier.
+ * Use correct week adjustment in SQLcounter.
+ Fixes #1608
+ * Minor fixes to allow compilation without DHCP,
+ VMPS, or TCP.
+ * Fix checks for module / config file change on HUP.
+ * Compile regex comparisons when sent via
+ "debug condition". Fixes #1632.
+ * Update filenames in documentation and examples.
+ Patch from Alan Buxey, #1655.
+ * Don't crash if SQL connection becomes unavailable.
+ Fixes #1640.
+ * Disallow originate_coa when proxy_requests = no
+ Fixes #1684.
+ * Free rad_perlconf_hv in correct perl context.
+ Fixes #1675.
+ * Set OpenSSL FIPS compatibility flag when necessary.
+ * Pulled fixes for the build system over from other
+ branches.
+ * Fix OCSP for RADIUS over TLS.
+ * Fix skip_if_ocsp_ok behavior.
+ * Better fixes for systems without closefrom() but
+ which have /proc. Fixes #1757.
+
+FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
Feature improvements
* "unlang" comparisons of IP addresses to IP prefixes
are now detected, and types automatically cast.
* Allow shorthand form of ipv4prefix values e.g. 127/8.
* Add "auto_chain" to raddb/mods-available/eap, tls
- subsection. This allows the disablign of OpenSSL
- auto-chaining of certificates. Which it can get wrong.
+ subsection. This allows the disabling of OpenSSL
+ auto-chaining of certificates. Which might be wrong.
* Added printing of coa and disconnect stats (radmin).
* radclient defaults to expecting Access-Accept responses
to Status-Server.
* Portability fixes for Solaris.
* More errors from ntlm_auth gets passed to MS-CHAP.
* Update abfab-tr-idp virtual server.
+ * Added "filter_password" in policy.d/filter. This
+ removes embedded zero bytes in User-Password, for
+ compatibility with broken clients.
+ * The server now issues a WARNING message if duplicate
+ configuration items are found.
+ * TLS can skip the "verify" section if OCSP returns OK.
+ See raddb/mods-available/eap, "skip_if_ocsp_ok".
+ * Set TLS-OCSP-Cert-Valid = yes / no / skipped, which
+ is the result from the OCSP check.
+ * Interoperate with AD and "LmCompatibiltyLevel = 5",
+ by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for
+ native winbind in rlm_mschap.
+ * TTLS and PEAP now require "virtual_server" to be a real server.
+ * Print WARNING when TTLS or PEAP identities are spoofed
+ or not properly anonymized. See RFC 7542 for requirements.
+ * Various rlm_python fixes from Herwin Weststrate.
+ * Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
+ which is useful when the home server does not respond.
+ * elasticsearch updates from Matthew Newton
Bug fixes
* Fix issue where field nas_type would not be accessible via
* Fixed SoH. Attributes were not being copied to the virtual server.
* Used a wrong list to global statistics in "stats".
* Create EAP-PWD identity correctly. Prevents segfaults.
+ * Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
+ * Fix includes in installed headers.
+ * OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly.
+ See raddb/mods-available/eap, "disable_tlsv1_2"
+ * Allow password change to work for MS-CHAP. This requires 'r=0',
+ because password changes are not retries.
+ * Fix home server fail-over for home servers using TCP and/or RadSec.
+ * Special characters in expanded regexes are now escaped
+ e.g. User-Name containing '.', and comparing /%{User-Name}/,
+ the '.' will now be escaped. See src/tests/keywords/regex-escape.
+ * Use correct authentication vector when sending Access-Reject replies
+ for RadSec.
+ * Set FreeRADIUS-Proxied-To in TTLS again. You should use the
+ "inner-tunnel" virtual server, instead of relying on this attribute.
+ * Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
+ * Add samba-dev / samba4-dev to debian builds so that rlm_mschap can
+ automatically use the new winbind API.
+ * Automatically skip zero-length attributes when sending packets,
+ instead of erroring out.
FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
Feature improvements