X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=doc%2FChangeLog;h=25a5f8a9e62da261607694110eb03a49142d79fa;hb=HEAD;hp=4bb51c7cdca6ccd4139103b58fd8405591ab5500;hpb=aab40188faccf05479f26f030fbef8020e526a17;p=freeradius.git diff --git a/doc/ChangeLog b/doc/ChangeLog index 4bb51c7..25a5f8a 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -1,4 +1,437 @@ -FreeRADIUS 2.0.5 ; $Date$ , urgency=medium +FreeRADIUS 2.1.10 Mon 01 Sep 8:00:00 CEST 2010, urgency=medium + Feature improvements + * Install the "radcrypt" program. + * Enable radclient to send requests containing MS-CHAPv1 + * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120 + This change makes PEAP testing much easier. + * Added more documentation and examples for the "passwd" module. + + Bug fixes + * Fix endless loop when there are multiple sub-options for + DHCP option 82. + * More debug output when sending / receiving DHCP packets. + * EAP-MSCHAPv2 should return the MPPE keys when used outside + of a TLS tunnel. This is needed for IKE. + * Added SSL "no ticket" option to prevent SSL from creating sessions + without IDs. We need the IDs, so this option should be set. + * Fix proxying of packets from inside a TTLS/PEAP tunnel. + Closes bug #25. + * Allow IPv6 address attributes to be created from domain names + Closes bug #82. + * Set the string length to the correct value when parsing double + quotes. Closes bug #88. + * No longer look users up in /etc/passwd in the default configuration. + This can be reverted by enabling "unix" in the "authorize" section. + * More #ifdef's to enable building on systems without certain + features. + * Fixed SQL-Group comparison to register only if the group + query is defined. + * Fixed SQL-Group comparison to register -SQL-Group, + just like rlm_ldap. This lets you have multiple SQL group checks. + * Fix scanning of octal numbers in "unlang". Closes bug #89. + * Be less aggressive about freeing "stuck" requests. Closes bug #35. + * Fix example in "originate-coa" to refer to the correct packet. + * Change default timeout for dynamic clients to 1 hour, not 1 day. + * Allow passwd module to map IP addresses, too. + * Allow passwd module to be used for CoA packets + * Put boot filename into DHCP header when DHCP-Boot-Filename + is specified. 
+ * raddb/certs/Makefile no longer has certs depend on index.txt and + serial. Closes bug #64. + * Ignore NULL errorcode in PostgreSQL client. Closes bug #39 + * Made Exec-Program and Exec-Program-Wait work in accounting + section again. See sites-available/default. + * Fix long-standing memory leak in esoteric conditions. Found + by Jerry Nichols. + * Added "Password-With-Header == userPassword" to raddb/ldap.attrmap + This will automatically convert more passwords. + * Updated rlm_pap to decode Password-With-Header, if it was base64 + encoded, and to treat the contents as potentially binary data. + * Fix Novell eDir code to use the right function parameters. + Closes bug #86. + * Allow spaces to be escaped when executing external programs. + Closes bug #93. + * Be less restrictive about checking permissions on control socket. + If we're root, allow connecting to a non-root socket. + * Remove control socket on normal server exit. If the server isn't + running, the control socket should not exist. + * Use MS-CHAP-User-Name as Name field from EAP-MSCHAPv2 for MS-CHAP + calculations. It *MAY* be different (upper / lower case) from + the User-Name attribute. Closes bug #17. + * If the EAP module fails, more SSL errors are now in + Module-Failure-Message. + * Update Oracle configure scripts. Closes bug #57. + * Added text to DESC fields of doc/examples/openldap.schema + +FreeRADIUS 2.1.9 Mon 24 May 8:00:00 CEST 2010, urgency=medium + Feature improvements + * Add radmin command "stats detail " to see what + is going on inside of a detail file reader. + * Added documentation for CoA. See raddb/sites-available/coa + * Add sub-option support for Option 82. See dictionary.dhcp + * Add "server" field to default SQL NAS table, and documented it. + + Bug fixes + * Reset "received ping" counter for Status-Server checks. In some + corner cases it was not getting reset. + * Handle large VMPS attributes. 
+ * Count accounting responses from a home server in SNMP / statistics + code. + * Set EAP-Session-Resumed = Yes, not "No" when session is resumed. + * radmin packet counter statistics are now unsigned, for numbers + 2^31..2^32. After that they roll over to zero. + * Be more careful about expanding data in PAP and MS-CHAP modules. + This prevents login failures when passwords contain '{'. + * Clean up zombie children if there were many "exec" modules being + run for one packet, all with "wait = no". + * re-open log file after HUP. Closes bug #63. + * Fix "no response to proxied packet" complaint for Coa / Disconnect + packets. It shouldn't ignore replies to packets it sent. + * Calculate IPv6 netmasks correctly. Closes bug #69. + * Fix SQL module to re-open sockets if they unexpectedly close. + * Track scope for IPv6 addresses. This lets us use link-local + addresses properly. Closes bug #70. + * Updated Makefiles to no longer use the shell for recursing into + subdirs. "make -j 2" should now work. + * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes + bug #75. + * Updated Makefiles so that "make reconfig" no longer uses the shell + for recursing into subdirs, and re-builds all "configure" files. + * Used above method to regenerate all configure scripts. + Closes bug #34. + * Updated SQL module to allow "server" field of "nas" table + to be blank: "". This means the same as it being NULL. + * Fixed regex realm example. Create Realm attribute with value + of realm from User-Name, not from regex. Closes bug #40. + * If processing a DHCP Discover returns "fail / reject", ignore + the packet rather than sending a NAK. + * Allow '%' to be escaped in sqlcounter module. + * Fix typo internal hash table. + * For PEAP and TTLS, the tunneled reply is added to the reply, + rather than integrated via the operators. This allows multiple + VSAs to be added, where they would previously be discarded. + * Make request number unsigned. 
This changes nothing other than + the debug output when the server receives more than 2^31 packets. + * Don't block when reading child output in 'exec wait'. This means + that blocked children get killed, instead of blocking the server. + * Enabled building without any proxy functionality + * radclient now prefers IPv4, to match the default server config. + * Print useful error when a realm regex is invalid + * relaxed rules for preprocess module "with_cisco_vsa_hack". The + attributes can now be integer, ipaddr, etc. (i.e. non-string) + * Allow rlm_ldap to build if ldap_set_rebind_proc() has only + 2 arguments. + * Update configure script for rlm_python to avoid dynamic linking + problems on some platforms. + * Work-around for bug #35 + * Do suid to "user" when running in debug mode as root + * Make "allow_core_dumps" work in more situations. + * In detail file reader, treat bad records as EOF. + This allows it to continue working when the disk is full. + * Fix Oracle default accounting queries to work when there are no + gigawords attributes. Other databases already had the fix. + * Fix rlm_sql to show when it opens and closes sockets. It already + says when it cannot connect, so it should say when it can connect. + * "chmod -x" for a few C source files. + * Pull update spec files, etc. from RedHat into the redhat/ directory. + * Allow spaces when parsing integer values. This helps people who + put "too much" into an SQL value field. + +FreeRADIUS 2.1.8 Wed 30 Dec 16:44:50 CEST 2009, urgency=medium + Feature improvements + * Print more descriptive error message for too many EAP sessions. + This gives hints on what to do when "failed to store handler" + * Moved illegal attributes to dictionary.ascend.illegal and + dictionary.usr.illegal. You may need to manually re-enable them. + * Allow old-style dictionary formats, where the vendor name is the + last entry on a line. + + Bug fixes + * DHCP sockets now set the broadcast flag before binding to a + socket. 
You should set "broadcast = yes" in the DHCP listener. + * Be more restrictive on string parsing in the config files + * Fix password length in scripts/create-users.pl + * Be more flexible about parsing the detail file. Allow + operators other than "=" to be used. + * Ensure that requests read from the detail file are cleaned up + (i.e. don't leak) if they are proxied without a response. + +FreeRADIUS 2.1.7 Mon Sept 14 11:20:00 CEST 2009; , urgency=medium + Feature improvements + * Full support for CoA and Disconnect packets as per RFC 3576 + and RFC 5176. Both receiving and proxying CoA is supported. + * Added "src_ipaddr" configuration to "home_server". See + proxy.conf for details. + * radsniff now accepts -I, to read from a filename instead of + a device. + * radsniff also prints matching requests and any responses to those + requests when '-r' is used. + * Added example of attr_filter for Access-Challenge packets + * Added support for udpfromto in DHCP code + * radmin can now selectively mark modules alive/dead. + See "set module state". + * Added customizable messages on login success/fail. + See msg_goodpass && msg_badpass in log{} section of radiusd.conf + * Document "chase_referrals" and "rebind" in raddb/modules/ldap + * Preliminary implementation of DHCP relay. + * Made thread pool section optional. If it doesn't exist, + the server will run single-threaded. + * Added sample radrelay.conf for people upgrading from 1.x + * Made proxying more stable by failing over, rather than + rejecting the first request. See "response_window" in proxy.conf + * Allow home_server_pools to exist without realms. + * Add dictionary.iea (closes bug #7) + * Added support for RFC 5580 + * Added experimental sql_freetds module from Gabriel Blanchard. + * Updated dictionary.foundry + * Added sample configuration for MySQL cluster in raddb/sql/ndb + See the README file for explanations. 
+ + Bug fixes + * Fixed corner case where proxied packets could have extra + character in User-Password attribute. Fix from Niko Tyni. + * Extended size of "attribute" field in SQL to 64. + * Fixes to ruby module to be more careful about when it builds. + * Updated Perl module "configure" script to check for broken + Perl installations. + * Fix "status_check = none". It would still send packets + in some cases. + * Set recursive flag on the proxy mutex, which enables safer + cleanup on some platforms. + * Copy the EAP username verbatim, rather than escaping it. + * Update handling so that robust-proxy-accounting works when + all home servers are down for extended periods of time. + * Look for DHCP option 53 anywhere in the packet, not just + at the start. + * Fix processing of proxy fail handler with virtual servers. + * DHCP code now prints out correct src/dst IP addresses + when sending packets. + * Removed requirement for DHCP to have clients + * Fixed handling of DHCP packets with message-type buried in the packet + * Fixed corner case with negation in unlang. + * Minor fixes to default MySQL & PostgreSQL schemas + * Suppress MSCHAP complaints in debugging mode. + * Fix SQL module for multiple instance, and possible crash on HUP + * Fix permissions for radius.log for sites that change user/group, + but which don't create the file before starting radiusd. + * Fix double counting of packets when proxying + * Make %l work + * Fix pthread keys in rlm_perl + * Log reasons for EAP failure (closes bug #8) + * Load home servers and pools that aren't referenced from a realm. + * Handle return codes from virtual attributes in "unlang" + (e.g. LDAP-Group). This makes "!(expr)" work for them. + * Enable VMPS to see contents of virtual server again + * Fix WiMAX module to be consistent with examples. (closes bug #10) + * Fixed crash with policies dependent on NAS-Port comparisons + * Allowed vendor IDs to be be higher than 32767. 
+ * Fix crash on startup with certain regexes in "hints" file. + * Fix crash in attr_filter module when packets don't exist + * Allow detail file reader to be faster when "load_factor = 100" + * Add work-around for build failures with errors related to + lt__PROGRAM__LTX_preloaded_symbols. libltdl / libtool are horrible. + * Made ldap module "rebind" option aware of older, incompatible + versions of OpenLDAP. + * Check value of Fall-Through in attr_filter module. + +FreeRADIUS 2.1.6 Mon May 18 10:00:00 CEST 2009; urgency=medium + Feature improvements + * radclient exits with 0 on successful (accept / ack), and 1 + otherwise (no response / reject) + * Added support for %{sql:UPDATE ..}, and insert/delete + Patch from Arran Cudbard-Bell + * Added sample "do not respond" policy. See raddb/policy.conf + and raddb/sites-available/do_not_respond + * Cleanups to Suse spec file from Norbert Wegener + * New VSAs for Juniper from Bjorn Mork + * Include more RFC dictionaries in the default install + * More documentation for the WiMAX module + * Added "chase_referrals" and "rebind" configuration to rlm_ldap. + This helps with Active Directory. See raddb/modules/ldap + * Don't load pre/post-proxy if proxying is disabled. + * Added %{md5:...}, which returns MD5 hash in hex. + * Added configurable "retry_interval" and "poll_interval" + for "detail" listeners. + * Added "delete_mppe_keys" configuration option to rlm_wimax. + Apparently some WiMAX clients misbehave when they see those keys. + * Added experimental rlm_ruby from + http://github.com/Antti/freeradius-server/tree/master + * Add Tunnel attributes to ldap.attrmap + * Enable virtual servers to be reloaded on HUP. For now, only + the "authorize", "authenticate", etc. processing sections are + reloaded. Clients and "listen" sections are NOT reloaded. + * Updated "radwatch" script to be more robust. 
See scripts/radwatch + * Added certificate compatibility notes in raddb/certs/README, + for compatibility with different operating systems. (i.e. Windows) + + Bug fixes + * Minor changes to allow building without VQP. + * Minor fixes from John Center + * Fixed raddebug example + * Don't crash when deleting attributes via unlang + * Be friendlier to very fast clients + * Updated the "detail" listener so that it only polls once, + and not many times in a row, leaking memory each time... + * Update comparison for Packet-Src-IP-Address (etc.) so that + the operators other than '==' work. + * Did autoconf magic to work around weird libtool bug + * Make rlm_perl keep tags for tagged attributes in more situations + * Update UID checking for radmin + * Added "include_length" field for TTLS. It's needed for RFC + compliance, but not (apparently) for interoperability. + +FreeRADIUS 2.1.5 Sun Jan 1 1:1:00 CEST 2009; , urgency=medium + * Release number skipped due to procedural issues. + +FreeRADIUS 2.1.4 Tue Mar 10 17:05:00 CEST 2009; , urgency=medium + Feature improvements + * Permit multiple "-e" in radmin. + * Add support for originating CoA-Request and Disconnect-Request. + See raddb/sites-available/originate-coa. + * Added "lifetime" and "max_queries" to raddb/sql.conf. + This helps address the problem of hung SQL sockets. + * Allow packets to be injected via radmin. See "inject help" + in radmin. + * Answer VMPS reconfirmation request. Patch from Hermann Lauer. + * Sample logrotate script in scripts/logrotate.freeradius + * Add configurable poll interval for "detail" listeners + * New "raddebug" command. This prints debugging information from + a running server. See "man raddebug. + * Add "require_message_authenticator" configuration to home_server + configuration. This makes the server add Message-Authenticator + to all outgoing Access-Request packets. + * Added smsotp module, as contributed by Siemens. + * Enabled the administration socket in the default install. 
+ See raddb/sites-available/control-socket, and "man radmin" + * Handle duplicate clients, such as with replicated or + load-balanced SQL servers and "readclients = yes" + + Bug fixes + * Clean up control sockets when they are closed, so that we don't + leak memory. + * Define SUN_LEN for systems that don't have it. + * Correct some boundary conditions in the conditional checker ("if") + in "unlang". Bug noted by Arran Cudbard-Bell. + * Work around minor building issues in gmake. This should only + have affected developers. + * Change how we manage unprivileged user/group, so that we do not + create control sockets owned by root. + * Fixed more minor issues found by Coverity. + * Allow raddb/certs/bootstrap to run when there is no "make" + command installed. + * In radiusd.conf, run_dir depends on the name of the program, + and isn't hard-coded to "..../radiusd" + * Check for EOF in more places in the "detail" file reader. + * Added Freeswitch dictionary. + * Chop ethernet frames in VMPS, rather than droppping packets. + * Fix EAP-TLS bug. Patch from Arnaud Ebalard + * Don't lose string for regex-compares in the "users" file. + * Expose more functions in rlm_sql to rlm_sqlippool, which + helps on systems where RTLD_GLOBAL is off. + * Fix typos in MySQL schemas for ippools. + * Remove macro that was causing build issues on some platforms. + * Fixed issues with dead home servers. Bug noted by Chris Moules. + * Fixed "access after free" with some dynamic clients. + +FreeRADIUS 2.1.3 Fri Dec 5 17:40:00 CEST 2008; , urgency=medium + Feature improvements + * Allow running with "user=radiusd" and binding to secure + sockets. + * Start sending Status-Server "are you alive" messages earlier, + which helps with proxying multiple realms to a home server. + * Removed thread pool code from rlm_perl. It's not necessary. + * Added example Perl configuration to raddb/modules/perl + * Force OpenSSL to support certificates with SHA256. + This seems to be necessary for WiMAX certs. 
+ + Bug fixes + * Fix Debian patch to allow it to build. + * Fix potential NULL dereference in debugging mode on certain + platforms for TTLS and PEAP inner tunnels. + * Fix uninitialized memory in handling of vendor definitions + * Fix parsing of quoted (but non-string) attributes in the "users" + file. + * Initialize uknown NAS IP to 255.255.255.255, rather than 0.0.0.0 + * use SUN_LEN in control socket, to avoid truncation on some + platforms. + * Correct internal handling of "debug condition" to prevent it + from being over-written. + * Check return code of regcomp in "unlang", so that invalid + regular expressions are caught rather than mishandled. + * Make rlm_sql use . Addresses bug #610. + * Document list "type = status" better. Closes bug #580. + * Set "default days" for certificates, because OpenSSL won't + do it. This closes bug #615. + * Reference correct list in example raddb/modules/ldap. + Closes #596. + * Increase default schema size for Acct-Session-Id to 64. + Closes #540. + * Fix use of temporary files in dialup-admin. Closes #605 + and addresses CVE-2008-4474. + * Addressed a number of minor issues found by Coverity. + * Added DHCP option 150 to the dictionary. Closes #618. + +FreeRADIUS 2.1.2 Thurs Dec 3 10:47:00 CEST 2008; , urgency=medium + Due to packaging issues, 2.1.2 has been pulled from the net. + +FreeRADIUS 2.1.1 Thu Sep 25 11:03:00 CEST 2008; , urgency=medium + Feature improvements + * Many more options and features in radmin. See "man radmin" and + raddb/sites-available/control-socket + * Many more commands available via the control socket. Connect + via "radmin", and type "help" for more information. + * Added dictionary.networkphysics and dictionary.lancom. + * Calculate WiMAX MIP keys, and added sample WiMAX SQL tables. 
+ + Bug fixes + * Fixed bug that made radmin not work + * Fixed Suse && Debian package scripts + * Fixed issues with dynamic clients + * Fixed configure checks for -lreadline + * rlm_sqlippool no longer needs to be linked to rlm_sql. + * Add statistics for detail file listeners. This closes bug #593. + * Fixed printing of some WiMAX attributes. + * Fix double free on exit() in rlm_attr_filter + * Fixed build issues on Solaris. + * Fixed fast session resumption for EAP-TLS + +FreeRADIUS 2.1.0 Fri Sep 5 13:20:01 CEST 2008; , urgency=medium + Feature improvements + * Clients may now be defined dynamically, based on IP address. + See raddb/sites-available/dynamic-clients. + * SNMP support is now available through an experimental Perl script. + See scripts/snmp-proxy/README + * SNMP statistics are available through Status-Server packets. + See raddb/sites-available/status + * Added more Microsoft attributes from bug #568. + * The "linelog" module has more functionality and flexibility. + See raddb/modules/linelog. + * The debugging output has been sanitized. It should be much + more readable. + * Debug logs can now be turned on/off while the server is running, for + a user, group, realm, etc. See the "log" section of radiusd.conf. + * Added support for WiMAX Forum attributes. The dynamic keys + are not yet calculated. See share/dictionary.wimax + * Added session resumption for PEAP and TTLS. + See raddb/eap.conf, "cache" sub-section. + * Added "radmin" command-line tool for administering a running server. + See "man radmin" and raddb/sites-available/control-socket. + + Bug fixes + * Double escaping of '\\' in the "users" (and some other) files + has been fixed. If you have '\\' in the "users" file, your + configuration WILL NEED TO BE CHECKED, AND FIXED! + * Parse "security" section in radiusd.conf. This was accidentally + deleted in 2.0.5. Closes bug #566. + * Bind to interface before IP, which allows DHCP sockets to + listen on "*" for multiple interfaces. 
+ * Fix handling of giaddr in DHCP responses. + * Corrected parsing of status_check in home_server so that it works. + * Fix hints so that "Puser" works again. + * Removed length restrictions on attribute names in the dictionaries. + * Update socket code to avoid C compiler optimizations. + +FreeRADIUS 2.0.5 ; Date: 2008/06/07 17:17:00 , urgency=medium Feature improvements * Permit SQL authorize_reply_query to be empty. * Allow setting response packet type in Post-Proxy-Type Fail @@ -7,10 +440,17 @@ FreeRADIUS 2.0.5 ; $Date$ , urgency=medium make RADMIN=radmin RGROUP=radius install-chown * Support for LDAP-Group and other dynamic comparison attributes in unlang. Developed from a patch by Jason Alderfer. + * Added chroot support. See radiusd.conf for comments. + * Allow clients of 0/0. We do not recommend using this, though. + * Moved many module configurations into raddb/modules/* Bug fixes * Allow proxying to virtual servers for accounting packets, too. * Added "num fields" function to PostgreSQL client. + * Updated proxy fallback mechanism to validate fallback servers, + and to process fallback requests in a child thread. + * rlm_realm returns "ok" for LOCAL realms, not "noop". + * Fixed some DHCP code handling. The examples should now work. FreeRADIUS 2.0.4 ; Date: 2008/04/30 08:56:40 , urgency=medium Feature improvements
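Review bot: In the first hunk (@@ -1,4 +1,437 @@), the 2.1.3 entry "Fix use of temporary files in dialup-admin. Closes #605 and addresses CVE-2008-4474." sits in the middle of the ordinary "Bug fixes" list under urgency=medium, so a reader scanning for security fixes will miss it. Move it to the top of that release's list or give it its own "Security" sub-heading, and treat the memory-safety entries the same way ('Fixed "access after free" with some dynamic clients' in 2.1.4, "Fix double free on exit() in rlm_attr_filter" in 2.1.1). Two 2.1.10 entries filed under "Bug fixes" change default behaviour and would be easier to find as upgrade notes: "No longer look users up in /etc/passwd in the default configuration" and "Be less restrictive about checking permissions on control socket". Smaller points in the same hunk: "Make rlm_sql use . Addresses bug #610." has nothing after "use", 'See "man raddebug.' is missing its closing quote, "droppping", "uknown" and "be be" are typos, and the release headers mix "2010, urgency" with "2009; , urgency".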
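Review bot: In the second hunk (@@ -7,10 +440,17 @@), "Allow clients of 0/0. We do not recommend using this, though." gives no reason for the recommendation. Add a clause saying that a 0/0 client definition matches every source address, so a single shared secret covers all senders, and point to the file where the option is documented, as the chroot line above it does with "See radiusd.conf for comments." The entry 'rlm_realm returns "ok" for LOCAL realms, not "noop"' changes a module return code that existing policies may test, and "Moved many module configurations into raddb/modules/*" changes the configuration layout; both are worth marking as upgrade notes rather than leaving them as plain list items.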