X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=ChangeLog;h=f01767e0d0b5229ef8759ece2fbefcd2eeb5e391;hb=refs%2Fheads%2Fmaint-1.6;hp=59daf5d98fcbb5ecd3207504db182c9461512d00;hpb=3f8c5eab9157cd1656bb5e70bd8f994a2618961d;p=libradsec.git diff --git a/ChangeLog b/ChangeLog index 59daf5d..f01767e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,67 +1,127 @@ -2007-09-21 1.0 -2007-10-16 1.0p1 - Fixed crash when servers were configured after first realm block -2007-12-24 1.1-alpha - Pretend option for validating configuration - Include option for including additional config files - Allows clients configured by IP prefix, dynamic clients - Server failover support - Rewriting of username attribute - Source address and port can be specified for requests -2008-05-14 1.1-beta - No longer looks for radsecproxy.conf in current directory - Rewrite block that allows removal of specified attributes - certificateNameCheck option for disabling CN/SubjectAltName check - matchCertificateAttribute now also supports CN matching - Forwarding of accounting messages, accountingServer option for realms - Supports multiple client blocks for same source address with different - certificate checks - Removed weekday from log timestamps -2008-07-24 1.1 - Logging stationid attribute - Added LoopPrevention option - Failover also without status-server - Options for RetryCount and RetryInterval - Working accounting and AccountingResponse option - CRL checking and option for enabling it -2008-10-07 1.2 - listenTCP and sourceTCP options renamed to listenTLS and sourceTLS - Old options deprecated but available for backwards compatiblity - Logging reply-message attribute from Reject messages - Contribution from Arne Schwabe - Rewrite blocks have new options addAttribute and modifyAttribute - rewriteIn (replacing rewrite) and rewriteOut in client and server - blocks for specifying rewrite on input/output. rewrite deprecated - but available as an alias for rewriteIn for backwards compatibility. - rewritein rewriteout rewrite - regular expressions in realms etc can now be more advanced, including - use of "or". - cacheExpiry option in tls blocks for specifying expiry time for the - cache of CA certificates and CRLs. This is particularly useful for - regularly updating CRLs. - Some logging has been made more informative -2008-12-04 1.3-alpha - Support for TCP and DTLS transports (type tcp, type dtls) - Listen... options can be specified multiple times - Dynamic server discovery - DuplicateInterval option in client block for specifying for how - long a request/reply shall be stored for duplicate detection - Support for RADIUS TTL (hopcount) attribute. Decrements value of - the TTL attribute if present, discards message if becomes 0. - If addTTL option is used, the TTL attribute is added with the - specified value if the forwarded message does not have one. - PolicyOID option can be used to require certain CA policies. -2009-02-18 1.3-beta - Client and Server blocks may contain multiple host options. - Configure (Makefile) options for specifying which transports - should be supported in a build. -2009-03-12 1.3 - Fixed some very minor bugs - Changed log levels for some messages, made loglevel 2 default -2009-07-22 1.3.1 - Fixed header files for FreeBSD - Fix for multiple UDP servers on same IP address, solves accounting - problems. +2013-09-06 1.6.5 + Bug fixes: + - Fix a crash bug introduced in 1.6.4. Fixes RADSECPROXY-53, + bugfix on 1.6.4. + +2013-09-05 1.6.4 + Bug fixes: + - Keeping Proxy-State attributes in all replies to clients + (RADSECPROXY-52). Reported by Stefan Winter. + +2013-09-05 1.6.3 + Enhancements: + - Threads are allocated with a 32 KB stack rather than what + happens to be the default. Patch by Fabian Mauchle. + - On systems with mallopt(3), freed memory is returned to the + system more aggressively. Patch by Fabian Mauchle. + + Bug fixes: + - radsecproxy-hash(1) no longer prints the hash four times. + Reported by Simon Lundström and jocar. + - Escaped slashes in regular expressions now works. Reported by + Duarte Fonseca. (RADSECPROXY-51) + - The duplication cache is purged properly. Patch by Fabian + Mauchle. + - Stop freeing a shared piece of memory manifesting itself as a + crash when using dynamic discovery. Patch by Fabian Mauchle. + - Closing and freeing TLS clients properly. Patch by Fabian + Mauchle. + - Timing out on TLS clients not closing the connection properly. + Patch by Fabian Mauchle. + +2012-10-25 1.6.2 + Bug fixes (security): + - Fix the issue with verification of clients when using multiple + 'tls' config blocks (RADSECPROXY-43) for DTLS too. Fixes + CVE-2012-4566 (CVE id corrected 2012-11-01, after the release of + 1.6.2). Reported by Raphael Geissert. + +2012-09-14 1.6.1 + Bug fixes (security): + - When verifying clients, don't consider config blocks with CA + settings ('tls') which differ from the one used for verifying the + certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43, + CVE-2012-4523). + + Bug fixes: + - Make naptr-eduroam.sh check NAPTR type case insensitively. + Fix from Adam Osuchowski. + +2012-04-27 1.6 + Incompatible changes: + - The default shared secret for TLS and DTLS connections change + from "mysecret" to "radsec" as per draft-ietf-radext-radsec-12 + section 2.3 (4). Please make sure to specify a secret in both + client and server blocks to avoid unwanted surprises. + (RADSECPROXY-19) + - The default place to look for a configuration file has changed + from /etc to /usr/local/etc. Let radsecproxy know where your + configuration file can be found by using the `-c' command line + option. Or configure radsecproxy with --sysconfdir=/etc to + restore the old behaviour. (RADSECPROXY-31) + + New features: + - Improved F-Ticks logging options. F-Ticks can now be sent to a + separate syslog facility and the VISINST label can now be + configured explicitly. This was implemented by Maja + Gorecka-Wolniewicz and Paweł Gołaszewski. (RADSECPROXY-29) + - New config option PidFile. (RADSECPROXY-32) + - Preliminary support for DynamicLookupCommand added. It's for + TLS servers only at this point. Also, beware of risks for memory + leaks. In addition to this, for extra adventurous users, there's + a new configure option --enable-experimental-dyndisc which enables + even more new code for handling of dynamic discovery of TLS + servers. + - Address family (IPv4 or IPv6) can now be specified for clients + and servers. (RADSECPROXY-37) + + Bug fixes: + - Stop the autoconfery from warning about defining variables + conditionally and unconditionally. + - Honour configure option --sysconfdir. (RADSECPROXY-31) + - Don't crash on failing DynamicLookupCommand scripts. Fix made + with help from Ralf Paffrath. (RADSECPROXY-33) + - When a DynamicLookupCommand script is failing, fall back to + other server(s) in the realm. The timeout depends on the kind of + failure. + - Other bugs. (RADSECPROXY-26, -28, -34, -35, -39, -40) + +2011-10-08 1.5 + New features: + - Support for F-Ticks logging. + - New binary radsecproxy-hash. + - A DynamicLookupCommand script can now signal "server not found" + by exiting with code 10. The scripts in the tools directory now + do this. + + Incompatible changes: + - catgconf renamed to radsecproxy-conf. + + Bug fixes: + - All compiler warnings removed. Now compiling with -Werror. + +2011-07-22 1.4.3 + Notes: + - The default secret for TLS and DTLS will change in a future + release. Please make sure to specify a secret in both client and + server blocks to avoid surprises. + + Bug fixes: + - Debug printout issue. + +2010-11-23 1.4.2 + Bug fixes: + - Don't disable OpenSSL session caching for 0.9.8p and newer in + the 0.9.x track. + - Detect OpenSSL version at runtime rather than at compile time. + +2010-11-17 1.4.1 + Bug fixes: + - OpenSSL session caching is disabled when built against OpenSSL + older than 1.0.0b to mitigate possible effects of + http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14). + - Crash bug when reading improper config file fixed. + 2010-06-12 1.4 Incompatible changes: - Log level 4 used to be DBG_DBG but is now DBG_NOTICE. In order @@ -81,13 +141,78 @@ - Build on Solaris when compiling with gcc. - A bug in pwdencrypt() with passwords of a length greater than 16 octets. -2010-11-17 1.4.1 - Bug fixes: - - OpenSSL session caching is disabled when built against OpenSSL - older than 1.0.0b to mitigate possible effects of - http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14). - - Crash bug when reading improper config file fixed. -2010-11-18 1.4-dev - Bug fixes: - - Don't disable OpenSSL session caching for 0.9.8p and newer in - the 0.9.x track. + +2009-07-22 1.3.1 + Fixed header files for FreeBSD + Fix for multiple UDP servers on same IP address, solves accounting + problems. + +2009-03-12 1.3 + Fixed some very minor bugs + Changed log levels for some messages, made loglevel 2 default + +2009-02-18 1.3-beta + Client and Server blocks may contain multiple host options. + Configure (Makefile) options for specifying which transports + should be supported in a build. + +2008-12-04 1.3-alpha + Support for TCP and DTLS transports (type tcp, type dtls) + Listen... options can be specified multiple times + Dynamic server discovery + DuplicateInterval option in client block for specifying for how + long a request/reply shall be stored for duplicate detection + Support for RADIUS TTL (hopcount) attribute. Decrements value of + the TTL attribute if present, discards message if becomes 0. + If addTTL option is used, the TTL attribute is added with the + specified value if the forwarded message does not have one. + PolicyOID option can be used to require certain CA policies. + +2008-10-07 1.2 + listenTCP and sourceTCP options renamed to listenTLS and sourceTLS + Old options deprecated but available for backwards compatiblity + Logging reply-message attribute from Reject messages + Contribution from Arne Schwabe + Rewrite blocks have new options addAttribute and modifyAttribute + rewriteIn (replacing rewrite) and rewriteOut in client and server + blocks for specifying rewrite on input/output. rewrite deprecated + but available as an alias for rewriteIn for backwards compatibility. + rewritein rewriteout rewrite + regular expressions in realms etc can now be more advanced, including + use of "or". + cacheExpiry option in tls blocks for specifying expiry time for the + cache of CA certificates and CRLs. This is particularly useful for + regularly updating CRLs. + Some logging has been made more informative + +2008-07-24 1.1 + Logging stationid attribute + Added LoopPrevention option + Failover also without status-server + Options for RetryCount and RetryInterval + Working accounting and AccountingResponse option + CRL checking and option for enabling it + +2008-05-14 1.1-beta + No longer looks for radsecproxy.conf in current directory + Rewrite block that allows removal of specified attributes + certificateNameCheck option for disabling CN/SubjectAltName check + matchCertificateAttribute now also supports CN matching + Forwarding of accounting messages, accountingServer option for realms + Supports multiple client blocks for same source address with different + certificate checks + Removed weekday from log timestamps + +2007-12-24 1.1-alpha + Pretend option for validating configuration + Include option for including additional config files + Allows clients configured by IP prefix, dynamic clients + Server failover support + Rewriting of username attribute + Source address and port can be specified for requests + +2007-10-16 1.0p1 + Fixed crash when servers were configured after first realm block + +2007-09-21 1.0 +