-FreeRADIUS 3.0.8 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
+FreeRADIUS 3.0.10 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
+ Feature improvements
+ * Do more optimization of unlang policies. This makes
+ run-time a bit faster.
+ * Re-name most of the functions in src/lib. Third-party
+ module authors will have to do the same.
+ * More documentation on contributing and how to write
+ modules.
+ * Update radiusd.service for systemd.
+ * Open IPv6 proxy socket if the server is listening on IPV6
+ auth / acct / coa packets.
+ * Create debian packages for DHCP. Fixes #1125.
+ * Add more tests for "update" section parsing.
+ * Update "man" pages.
+ * Update attributes for Alcatel 7750
+ * Add dictionary for Boingo Wi-Fi
+ * Add support for DHCP lease queries.
+ See raddb/sites-available/dhcp
+ * On HUP, check all modules for config files which have
+ changed. And only re-load those modules.
+ * Allow FreeRADIUS-Response-Delay(-USec) to be set for
+ RADIUS packets. Patch from Herwin Weststrate.
+ * Documentation fixes from Alan Buxey and Matthew Newton.
+ * Update "logrotate" script.
+ * Added more RFCs to doc/rfc for new standards implemented
+ by FreeRADIUS.
+ * Don't crash when doing "radmin -e "help hup".
+ Patch from Matthew Newton.
+ * The dictionary parser now does more sanity checks, which
+ prevents run-time problems with invalid attributes.
+ * Update debian packages. Patches from Christopher Hoskin.
+ * Add "session-state" to Perl. Patch from Herwin Weststrate.
+
+ Bug fixes
+ * Fix rlm_files so that there are no collisions when loading
+ 10's of 1000's of users.
+ * Fix radclient to use our internal v4/v6 parsing functions.
+ v6 addresses with ports now work correctly.
+ * Fix sending/receiving packet messages to wrap v6 addresses
+ in square brackets '[]'.
+ * Check for sasl/sasl.h when building rlm_ldap, and disable
+ SASL functionality if unavailable.
+ * Fix issue which caused a non \0 terminated buffer to be
+ assigned to attributes if the value being assigned contained
+ an invalid escape sequence.
+ * Fix deadlock when reconnecting connections in the connection
+ pool.
+ * Fix potential overrun in functions that used fr_utf8_char
+ with a non nul terminated buffer.
+ * Fix decoding issue for Tunnel-Password type attributes
+ which were very long. Found by Denis Andzakovic.
+ * Fix radclient issue with TCP sockets on FreeBSD.
+ * The server now creates ${run_dir} and ${logdir} directories
+ in daemon mode, when running as "root".
+ * Handle tags when using maps. Fixes #1191.
+ * Fix crash when CoA packets time out.
+ * Fix parse error in rediswho
+ * Fix regex support in SQL radcheck the "users" file and radsniff.
+ * Register listen xlat earlier, so that it's available when the
+ virtual servers are being parsed.
+ * Parse Ascend-Data-Filter when given as "0x..."
+ * Print Ascend-Data-Filter correctly. Add test cases for both.
+ * Allow old-style clients again. They will be disallowed for
+ 3.1.0 and following.
+ * Complain instead of crash when "else" and "elsif" are in
+ the wrong place.
+ * Clean up memory more aggressively. This lowers the
+ maximum memory used, most typically for TLS based EAP methods.
+ * Prevent the server from unlinking the control socket of an
+ already running instance.
+ * Fallback to using the configured OCSP URL if one exists, and
+ no URL is provided in the certificate.
+ * Return CoA-NAK if proxying CoA fails. Based on patch from
+ Jorge Pereira.
+ * Lower peak memory usage by decreasing size of internal
+ memory pools.
+ * The control socket is now left in place if a second copy
+ of the server is accidentally started.
+ * Allow virtual attributes in "switch", "case", etc.
+ Fixes #1240 and #1265.
+ * Many spell check / typo fixes in comments and example
+ configuration files.
+ * Better handle multiple DHCP listeners.
+ * Don't print secrets for old-style realms. Fixes #1267.
+ * Don't fall through in empty "case" statements.
+ Fixes #1274.
+
+FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
+ Feature improvements
+ * Make "pool" configurations more consistent, and
+ update documentation for them.
+ * Move connection pool logic to "most recently started",
+ instead of MRU. This should help with pool stability.
+ * More VSAs for 3GPP2
+ * Added examples of multi-value attributes to rlm_perl.
+ * LDAP-Group and SQL-Group attributes are now dynamically
+ allocated.
+ * Only the "sql" module registers SQL-Group. Other instances
+ register "instance-name-SQL-Group", similarly to "ldap".
+ * Unknown attributes are now complained about more often
+ when used in unlang statements. e.g. if (Foo-Bar == 3)
+ used to be a string to string comparison. It is now a
+ parse error.
+ * Rename RLM_COMPONENT_* to MOD_* in the code.
+ This makes many things easier.
+ * Move to C99 initializers for modules.
+ * Load modules in raddb/mods-enabled. This allows attributes
+ like "LDAP-Group" to be used in the "files" module,
+ without explicit ordering or listing in "instantiate".
+ * Added 'bootstrap' section to modules. Third-party modules
+ will need to be updated.
+ * When adding clients from a DB, add them to a virtual server
+ if that virtual server has a "listen" section. Otherwise,
+ add the clients to the global list.
+ * When reading dynamic clients from a file, don't expire them
+ if the underlying file is unchanged.
+ * Allow the server to originate CoA requests from the post-auth
+ stage.
+ * The server creates ${run_dir} and ${logdir} in daemon mode,
+ if they do not already exist.
+ * Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server
+ now supports all mandatory and optional attributes for this
+ specification.
+ * HUP now re-loads the configuration only if the files have
+ changed. If all files are unchanged, HUP re-opens the
+ log file, and does nothing else.
+ * Much better debug messages for EAP-TLS, including which
+ attributes are cached, and when they are retrieved.
+ * Increase default max_requests to 16384. Memory is cheap now.
+ * Added "stats memory" commands to radmin. Debug build only.
+ * Aptilo controller dictionary updates.
+ * SQL modules now use Acct-Unique-Session-Id everywhere.
+ * The redis modules are now stable.
+ * The LDAP module now supports SASL "interactive bind" method.
+ This allows Kerberos based administrator and user binds.
+ * DHCP code is now in libfreeradius-dhcp.
+ * More DHCP encoding / decoding unit tests.
+ * rlm_replicate can now be listed in the "accounting" section.
+ * Better sqlite debugging output.
+ * Remove "required" option from many sql_ippool directives.
+ * Set default CA "basic constraints" to "critical". Fixes #1073
+ * Updates to help / man pages from Jorge Pereira.
+ * Added more tests.
+
+ Bug fixes
+ * Be more careful about unused config item warnings
+ when using -Xx.
+ * Move more defines to be auto-generated.
+ * Allow virtual servers in proxy fallback.
+ * Allow %{module:} to work.
+ * Don't crash in RadSec. Closes #980.
+ * Return better errors when a unix group / user
+ is not found.
+ * Re-enable detail module "locking" parameter.
+ * Don't crash when logging replies from Status-Server packets.
+ * The couchbase module now uses "update" instead of "map",
+ for consistent with the rest of the server. See
+ raddb/mods-available/couchbase
+ * Don't require NT-Password for MS-CHAP password changes.
+ * Be a bit more careful about decrypting MS-CHAP-MPPE-Key
+ attributes. Closes #1013. There is no perfect fix, tho.
+ * Fix security issues with EAP-PWD.
+ See http://freeradius.org/security.html#eap-pwd-2015
+ * Fix dynamic clients read from SQL in non-debug mode
+ * MS-CHAP now allows retries (i.e. password change) when
+ passwords are expired.
+ * Allow "user=radiusd" when the server is already user
+ "radiusd"
+ * suid up/down works on non-Linux systems. This means
+ that the control socket should have the correct
+ ownership.
+ * Fix issue which caused the server to sometimes have problems
+ when a home server was marked zombie.
+ * Fix format.pl because Perl is now more picky.
+ * Fix proxy to Packet-Dst-IP-Address, so that it uses the
+ correct destination port.
+ * Fix corner case with cursor functions and removal.
+ * OpenDirectory fixes and documentation.
+ * Fix leaks in rlm_redis.
+ * RFC 6929 "evs" attributes are now encoded / decoded
+ properly.
+ * Fix talloc pool leaks when receiving malformed or
+ retransmitted Accounting/CoA requests.
+ * Printed attributes again use double quotes instead of
+ single quotes.
+ * Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl"
+ to eap.conf. Fixes oCert CVE-2015-4680.
+ * rlm_expr now errors out correctly on malformed attribute
+ references instead of triggering an assert.
+ * Make "break" work in "foreach" loops
+ * Allow dynamic expansions to work again in the "hints" file.
+ * Correct minor typos in comments and examples from Alan Buxy.
+ * Re-urlencode the path portion of ldapi:// urls before
+ passing it to ldap_initialise.
+
+FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
Feature improvements
* Allow syslog_severity to be set in rlm_linelog.
* Allow defaults to be set for bulk clients in LDAP and couchbase.
* Updates to dhcpclient. Patches from Nicolas C.
* rlm_mschap now supports direct connections to winbind, which
- is faster than ntlm_auth. See raddb/mods-available/mschap
+ is faster than ntlm_auth. See raddb/mods-available/mschap.
+ Patch from Matthew Newton.
* Recommend /dev/urandom for TLS randomness, instead of
${certdir}/random
+ * Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
+ * Allow Expanded EAP types where vendor is 0 (IETF) and
+ type is normal EAP type. Supplicants sending Expanded
+ EAP types like this are broken.
+ * Add support for server side sort controls when searching for
+ user objects in rlm_ldap.
Bug fixes
* Don't complain about "authorize" in "server {}" blocks, but
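Review bot: in the 3.0.9 "Bug fixes" list, the two security entries ("Fix security issues with EAP-PWD" and "Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.") sit in the middle of routine fixes; move them to the top of that list or under their own heading so packagers scanning the changelog see them first. In the same hunk, the 3.0.10 and 3.0.9 headers both read "Wed 08 Jul 2015 12:00:00 EDT", so one of the dates looks copied and should be checked. The control-socket fix is listed twice under 3.0.10 ("Prevent the server from unlinking the control socket of an already running instance." and "The control socket is now left in place if a second copy of the server is accidentally started."), and the ${run_dir} / ${logdir} creation appears under both 3.0.10 and 3.0.9; keep each once. Smaller text fixes: the quotes in "radmin -e "help hup" are unbalanced, "Alan Buxy" should match the "Alan Buxey" spelling used in the 3.0.10 section, "for consistent with" should read "for consistency with", and "Fix regex support in SQL radcheck the "users" file and radsniff." needs a comma after "radcheck".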
systemd, and didn't like the SystemV init script.
* radwho and radlast now have a -D option to load dictionaries
* DHCP packets are no longer checked for duplicates.
+ * Don't crash in sql module group comparisons in corner case.
+ * Calculate MPPE keys correctly when using TLS 1.2.
+ * Fix load-balance sections. Closes #945
+ * TLS certificates are available again in the post-auth section.
+ They are not available for session resumption.
+ * radclient encodes CHAP-Password properly when using -c.
+ Closes #955.
+ * Fix issue in rlm_cache_memcached driver that caused variable
+ length values to be truncated.
+ * Fix track functionality in detail reader, so it no longer
+ fails with a "Failed marking detail request as done: Bad file
+ descriptor" error.
+ * Actually add the peer identity (as User-Name) to the inner
+ tunnel in EAP-PWD requests, so it's available for lookups.
+ * Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
Feature improvements
* Added EAP-PWD implementation from Dan Harkins
* Added connection pools for modules. This unifies connection
management which was previously different for different modules.
- * SQL now uses the connection pool. See mods-available/sql
+l * SQL now uses the connection pool. See mods-available/sql
* SQL now supports arbitrary Acct-Status-Types.
These changes are not compatible with 2.x.
* SQL now has full support for SQLite. See raddb/sql/main/sqlite/
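Review bot: the replacement line "+l * SQL now uses the connection pool. See mods-available/sql" begins with a stray "l" and is otherwise identical to the line it removes, so this -/+ pair only introduces a typo into the 3.0.7 entry; drop it from the patch. In the added 3.0.8 bug fixes, "Closes #945" is missing the trailing period that "Closes #955." has.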