X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=doc%2FChangeLog;h=25a5f8a9e62da261607694110eb03a49142d79fa;hb=HEAD;hp=b56232c9a3b1ffebd65719f951dc3541fef3e858;hpb=98735515efee1451f3f46db51e24cd257229a0ee;p=freeradius.git diff --git a/doc/ChangeLog b/doc/ChangeLog index b56232c..25a5f8a 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -1,739 +1,609 @@ -FreeRADIUS 2.0.0 ; $Date$, urgency=low - * Fix fd leak in rlm_otp. - * Use Cleartext-Password for "known good" password in config items, - rather than "User-Password". This should solve a lot of problems. - * Define Password-With-Header for LDAP-style "{crypt}...." passwords, - to avoid overloading User-Password. - * Permit per-socket list of clients in "listen" directives - * Faster client lookups, to permit scaling to 10^6 or more clients. - * Removed radrelay and radsqlrelay. See "man radrelay.conf" for - details. - * Full IPv6 support. The server can listen on IPv6 sockets, - and send/receive IPv6 packets. - * rlm_ns_mta_md5 is deprecated. rlm_pap does everything it does, - and more. - * The command-line options "-i ipaddr" and "-p port" now work. - * rlm_unix no longer reads /etc/passwd (etc.) directly. See - "man rlm_unix" for details. Also see the "authorize" section - of "radiusd.conf". - * Configuration files now use binary trees, which means that - arbitrary amounts of information can be stored in them. - * Fixed xlat's for %{config:...}. Dynamic expanstion now works - better, so %{config:section.subsection.%{User-Name}.item" works, - even if the User-Name contains periods. This is a cheap way - of getting in-memory databases, as anything can be put into - the configuration files. - * Fix locking issues for radrelay. - * Add radsqlrelay, which works like radrelay, but reads data - from an SQL database. - * rlm_ldap now auto-discovers password headers. See the "ldap" - subsection of "modules", in "radiusd.conf" for details. - * rlm_pap now auto-discovers password encryption/hash methods. - See "man rlm_pap" and the "authorize" section of "radiusd.conf". - * Don't call exit() if module instantiation files. - * "virtual" modules can now be used. See the last bit of the - "instantiate" section in "radiusd.conf". - * Fix problems with Exec-Program-Wait & forking issues. 
- * Configuration files can now "$INCLUDE directory/", to automatically - load all files in that directory. Use with caution! - * Fix for log_dest = stdout/stderr. - * New "policy" module, which has none of the limitations of the - "users" file. See "man rlm_policy" for details. - * rlm_sql can now behave more like the "users" file. - * New rlm_caching module. - * Now uses autoconf 2.5x, and the various associated tools. - * Include ucd-snmp-config.h, fixing use of net-snmp's - ucd-snmp backwards compatibility mode. - * Modules can now be load-balanced. See "doc/configurable_failover" - * Move the Login-Time,Current-Time,Expiration attribute handling - to new modules rlm_logintime and rlm_expiration. - * Added %{mschap:NT-Hash } and %{mschap: LM-Hash }, - and update rlm_pap to handle NT/LM-hashed passwords. - * New rlm_protocol_filter, which permits/denies requests containing - certain attributes. - * Don't escape printed strings during xlat's, to avoid the - infinite expansion of backslashes.. - * Add Message-Authenticator to rlm_digest sample. - * Correct handling of post-auth REJECT stanza to include externally and - proxy-received rejections. (Bugzilla bug #149) - * Fix building SNMP support on Solaris 9, which needs -lkstat - * Fix bug in calling checkrad script with NAS port > 9999999 - * Fix long-standing bug when both crypt and pthreads are in use +FreeRADIUS 2.1.10 Mon 01 Sep 8:00:00 CEST 2010, urgency=medium + Feature improvements + * Install the "radcrypt" program. + * Enable radclient to send requests containing MS-CHAPv1 + * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120 + This change makes PEAP testing much easier. + * Added more documentation and examples for the "passwd" module. -FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03, urgency=high - Denial-of-Service Security Fix - * Fix two remote crashes and a memory leak in RADIUS packet - decoding. - - Bug fixes. - * Fix premature "success" during EAP/TLS handshake. 
- * Dictionary handling now complains about identically named - values with different values, and rejects dictionary - entries with bad data - * Update dictionaries to deal with the above change. - -FreeRADIUS 1.0.0 ; Date: 2004/07/17 06:31:32, urgency=low - pre3 -> release - * Fix LDAP dictionary map loading. - * Check login time allowance to packet timestamp where available. - * Compilation fix for machines without . - * Man page improvements. - * Grab latest config.sub and config.guess (2004-03-12). - - pre2 -> pre3 - * Make IPv6 support work better. - * Updated 3com dictionary. - * Fixed MD5 code to be more portable. + Bug fixes + * Fix endless loop when there are multiple sub-options for + DHCP option 82. + * More debug output when sending / receiving DHCP packets. + * EAP-MSCHAPv2 should return the MPPE keys when used outside + of a TLS tunnel. This is needed for IKE. + * Added SSL "no ticket" option to prevent SSL from creating sessions + without IDs. We need the IDs, so this option should be set. + * Fix proxying of packets from inside a TTLS/PEAP tunnel. + Closes bug #25. + * Allow IPv6 address attributes to be created from domain names + Closes bug #82. + * Set the string length to the correct value when parsing double + quotes. Closes bug #88. + * No longer look users up in /etc/passwd in the default configuration. + This can be reverted by enabling "unix" in the "authorize" section. + * More #ifdef's to enable building on systems without certain + features. + * Fixed SQL-Group comparison to register only if the group + query is defined. + * Fixed SQL-Group comparison to register -SQL-Group, + just like rlm_ldap. This lets you have multiple SQL group checks. + * Fix scanning of octal numbers in "unlang". Closes bug #89. + * Be less aggressive about freeing "stuck" requests. Closes bug #35. + * Fix example in "originate-coa" to refer to the correct packet. + * Change default timeout for dynamic clients to 1 hour, not 1 day. 
+ * Allow passwd module to map IP addresses, too. + * Allow passwd module to be used for CoA packets + * Put boot filename into DHCP header when DHCP-Boot-Filename + is specified. + * raddb/certs/Makefile no longer has certs depend on index.txt and + serial. Closes bug #64. + * Ignore NULL errorcode in PostgreSQL client. Closes bug #39 + * Made Exec-Program and Exec-Program-Wait work in accounting + section again. See sites-available/default. + * Fix long-standing memory leak in esoteric conditions. Found + by Jerry Nichols. + * Added "Password-With-Header == userPassword" to raddb/ldap.attrmap + This will automatically convert more passwords. + * Updated rlm_pap to decode Password-With-Header, if it was base64 + encoded, and to treat the contents as potentially binary data. + * Fix Novell eDir code to use the right function parameters. + Closes bug #86. + * Allow spaces to be escaped when executing external programs. + Closes bug #93. + * Be less restrictive about checking permissions on control socket. + If we're root, allow connecting to a non-root socket. + * Remove control socket on normal server exit. If the server isn't + running, the control socket should not exist. + * Use MS-CHAP-User-Name as Name field from EAP-MSCHAPv2 for MS-CHAP + calculations. It *MAY* be different (upper / lower case) from + the User-Name attribute. Closes bug #17. + * If the EAP module fails, more SSL errors are now in + Module-Failure-Message. + * Update Oracle configure scripts. Closes bug #57. + * Added text to DESC fields of doc/examples/openldap.schema + +FreeRADIUS 2.1.9 Mon 24 May 8:00:00 CEST 2010, urgency=medium + Feature improvements + * Add radmin command "stats detail " to see what + is going on inside of a detail file reader. + * Added documentation for CoA. See raddb/sites-available/coa + * Add sub-option support for Option 82. See dictionary.dhcp + * Add "server" field to default SQL NAS table, and documented it. 
- pre1 -> pre2 - * Updated SQL onoff query - * Updated Nomadix, RedBack and Valemont dictionaries. - * MD4/MD5 fixes. - * Don't complain about ports we're listening on when HUP'd. - * Permit -i to work for radclient. - * Fix bug in new proxy code. - * rlm_passwd is now a little friendlier. + Bug fixes + * Reset "received ping" counter for Status-Server checks. In some + corner cases it was not getting reset. + * Handle large VMPS attributes. + * Count accounting responses from a home server in SNMP / statistics + code. + * Set EAP-Session-Resumed = Yes, not "No" when session is resumed. + * radmin packet counter statistics are now unsigned, for numbers + 2^31..2^32. After that they roll over to zero. + * Be more careful about expanding data in PAP and MS-CHAP modules. + This prevents login failures when passwords contain '{'. + * Clean up zombie children if there were many "exec" modules being + run for one packet, all with "wait = no". + * re-open log file after HUP. Closes bug #63. + * Fix "no response to proxied packet" complaint for Coa / Disconnect + packets. It shouldn't ignore replies to packets it sent. + * Calculate IPv6 netmasks correctly. Closes bug #69. + * Fix SQL module to re-open sockets if they unexpectedly close. + * Track scope for IPv6 addresses. This lets us use link-local + addresses properly. Closes bug #70. + * Updated Makefiles to no longer use the shell for recursing into + subdirs. "make -j 2" should now work. + * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes + bug #75. + * Updated Makefiles so that "make reconfig" no longer uses the shell + for recursing into subdirs, and re-builds all "configure" files. + * Used above method to regenerate all configure scripts. + Closes bug #34. + * Updated SQL module to allow "server" field of "nas" table + to be blank: "". This means the same as it being NULL. + * Fixed regex realm example. Create Realm attribute with value + of realm from User-Name, not from regex. Closes bug #40. 
+ * If processing a DHCP Discover returns "fail / reject", ignore + the packet rather than sending a NAK. + * Allow '%' to be escaped in sqlcounter module. + * Fix typo internal hash table. + * For PEAP and TTLS, the tunneled reply is added to the reply, + rather than integrated via the operators. This allows multiple + VSAs to be added, where they would previously be discarded. + * Make request number unsigned. This changes nothing other than + the debug output when the server receives more than 2^31 packets. + * Don't block when reading child output in 'exec wait'. This means + that blocked children get killed, instead of blocking the server. + * Enabled building without any proxy functionality + * radclient now prefers IPv4, to match the default server config. + * Print useful error when a realm regex is invalid + * relaxed rules for preprocess module "with_cisco_vsa_hack". The + attributes can now be integer, ipaddr, etc. (i.e. non-string) + * Allow rlm_ldap to build if ldap_set_rebind_proc() has only + 2 arguments. + * Update configure script for rlm_python to avoid dynamic linking + problems on some platforms. + * Work-around for bug #35 + * Do suid to "user" when running in debug mode as root + * Make "allow_core_dumps" work in more situations. + * In detail file reader, treat bad records as EOF. + This allows it to continue working when the disk is full. + * Fix Oracle default accounting queries to work when there are no + gigawords attributes. Other databases already had the fix. + * Fix rlm_sql to show when it opens and closes sockets. It already + says when it cannot connect, so it should say when it can connect. + * "chmod -x" for a few C source files. + * Pull update spec files, etc. from RedHat into the redhat/ directory. + * Allow spaces when parsing integer values. This helps people who + put "too much" into an SQL value field. 
+ +FreeRADIUS 2.1.8 Wed 30 Dec 16:44:50 CEST 2009, urgency=medium + Feature improvements + * Print more descriptive error message for too many EAP sessions. + This gives hints on what to do when "failed to store handler" + * Moved illegal attributes to dictionary.ascend.illegal and + dictionary.usr.illegal. You may need to manually re-enable them. + * Allow old-style dictionary formats, where the vendor name is the + last entry on a line. - Non source-code changes - * Preliminary tests indicate that the server builds and runs on - Interix (SFU on Windows XP). - * EAP module configuration is now in "raddb/eap.conf", as it was - getting large. - * Updated GPL boilerplate in the source. - * Added new RFC's to doc/rfc/ - * Added more "man" pages for many of the modules. Many of the - 'doc/rlm_*' files have been deleted, and replaced with 'man' pages. - * Added many new dictionaries: 3GPP, 3GPP2, Propel, Karlnet, - Sonicwall, Navini, Bristol University, Valemont, Mikrotik. - * doc/configurable_failover is now understandable by mere humans. - * Update scripts/rc.radiusd with examples of how to deal with - shared library issues. - * Added demo certs. - * Updates to configure scripts for MySQL. - * Updated doc/tuning_guide, with comments about SQL. - - Core feature improvements - * Many, many minor bug fixes and feature enhancements. - * Added "reject" action in configurable failover for modules - * Added a "listen" directive, which supersedes the old - "bind_address" and "port" directives. "listen" allows much - finer-grained control over what IP's, ports, and packets the - server pays attention to. - * The proxy code has been updated to work properly, and to - allocate new sockets for proxying packets when there are more - than 256 requests outstanding to a home server. Many thanks - to Stephen Jaeger for help in debugging the new feature. - * Regular expression matches in brackets can now be referenced - as in Perl, via %{1}, %{2}, etc. 
- * added ability for mschap module to use ntlm_auth, to perform - MS-CHAPv1 and MS-CHAPv2 authentication against a Windows - Domain Controller. - * Check return value from registered xlat functions. If return - value is 0, treat the attribute as not found. This lets things - like %{sql: select... :-FAILED} work. - * Realms can now be configured to ignore DEFAULT and NULL - realms. This makes prefix/suffix realms co-exists a little - better. - * Added red-black tree implementation to src/lib. The - dictionaries now use it, rather than singly linked lists. Tests - indicate that the server is up to 30% faster. - * Updated MSCHAP module to be able to better deal with Windows - machines which put a username with domain into User-Name, but - which use only the username to create the MS-CHAP-Response. - * Made "hints" file more generic and flexible, without changing - old functionality. - * Enhanced configuration file variable handling. See - doc/variables.txt for details. - * Checks for OpenSSL now enforce version number, and are common - across all modules, rather than being duplicated. - * Implement "udpfromto", which allows the server to work better in - LVS. Code from Jan Berkel and Miquel van Smoorenburg. To use - it, do: ./configure --with-udpfromto=yes - * Re-arranged "walk over cached requests" code for clarity. - * The server now keeps more SNMP statistics about the packets it - has processed. - * De-coupled the queue of input requests from the pool of threads. - This allows "spikes" of requests to be queued, even though all - threads are busy. This change significantly increases the - servers ability to process large numbers of requests on a - multi-CPU machine. - * Re-arranged the internal "core" request handling code, to - make a little more sense. - * Removed support for Replicate-To-Realm. Use radrelay. - * Print & parse unknown attributes as Attr-%d, Vendor-%d-Attr-%d, - or VendorName-Attr-%d. 
- * rlm_passwd is now marked "stable", and has many bugs fixed. - * More flexible configuration for rlm_ldap. - * New implementation of parser for Ascend's data filter - attributes, that is now thread-safe and GPL'd. - * Preliminary (not entirely complete) support for IPv6 attributes, - including IFID. - * Added support for rejected packets to run an Post-Auth-Type REJECT - stanza instead of skipping post-auth entirely. - * Added support for %{*:Packet-Type} translation. (Not for %{check:}) - * Added support for %{check:Attribute-Name} to go with - %{request:Attribute-Name} and the like. - * Add support to rlm_sql for post-authentication query execution. - * Add support to rlm_sql for accounting_update_query_alt - * Add support for supplementary groups of switched-to user - * Add support for xlat-ing backquoted reply values from SQL queries. - * Add Public Domain MD5 implementation by Colin Plumb - * Add Public Domain MD4 implementation by Colin Plumb and - Todd C. Miller - * Remove smbdes.c from libradius, and add to rlm_mschap and - rlm_eap_leap - * Replace GPL'd snprintf.c in libradius with LGPL'd snprintf.[ch] - - EAP-module feature improvements - * Allow checking of EAP identity against certificate. - * EAP-TLS now checks Certificate Revocation List - * Added EAP-TTLS support in rlm_eap. Tested with many clients, - and with tunneled PAP, CHAP, MS-CHAP, MSCHAPv2, EAP-MD5, - EAP-MSCHAPv2, and EAP-GTC. - * Added EAP-PEAP support, with tunneled EAP-MSCHAP-V2, and EAP-GTC. - Patch from Masao Nishiku. (Many, many thanks!) - * Added EAP-SIM. - * Enabled proxying of the authentication request which is tunneled - inside of PEAP and TTLS. - - Utility improvements - * Add support to checkrad.pl for mikrotik-brand NASs over SNMP - * Added rlm_ippool_tool, by Edwin Groothuis. - * Updates to radclient, so that you can specify multiple '-f' - options, and it will send those packets in parallel. This - allows for significantly higher packet rates when load testing. 
- Bug fixes - * Fix a bug in the attr_filter module, which would throw away - the tag from tagged attributes. - * Bug fixes to thread handling from Malcolm Caldwell. - * Fixed a bug in libltdl which printed the wrong error message - when trying to link to a library. Found by Paul Stewart. - * Correct error condition in rlm_krb5. Patch from Jon Moore. - * Updates for 64-bit systems. - * Patch to make ctime_r work on non-compliant platforms. - Patch from Oliver Graf. - * Updates to rlm_ippool for stability. - * Catch packets which are just about 4K in size. - Bug found by Nils-Henner Krueger. - * Many fixes to the SQL module & sub-modules. - -FreeRADIUS 0.9.3 ; Date: 2003/11/20 20:15:48, urgency=high - - * Change rlm_eap to not log an error if given a non-EAP packet - * Fix rlm_ippool's call to pod2man for perl versions before 5.6 - * Fix a remote DoS and due to mis-handling of tagged attributes, - and Tunnel-Password attribute. + * DHCP sockets now set the broadcast flag before binding to a + socket. You should set "broadcast = yes" in the DHCP listener. + * Be more restrictive on string parsing in the config files + * Fix password length in scripts/create-users.pl + * Be more flexible about parsing the detail file. Allow + operators other than "=" to be used. + * Ensure that requests read from the detail file are cleaned up + (i.e. don't leak) if they are proxied without a response. + +FreeRADIUS 2.1.7 Mon Sept 14 11:20:00 CEST 2009; , urgency=medium + Feature improvements + * Full support for CoA and Disconnect packets as per RFC 3576 + and RFC 5176. Both receiving and proxying CoA is supported. + * Added "src_ipaddr" configuration to "home_server". See + proxy.conf for details. + * radsniff now accepts -I, to read from a filename instead of + a device. + * radsniff also prints matching requests and any responses to those + requests when '-r' is used. 
+ * Added example of attr_filter for Access-Challenge packets + * Added support for udpfromto in DHCP code + * radmin can now selectively mark modules alive/dead. + See "set module state". + * Added customizable messages on login success/fail. + See msg_goodpass && msg_badpass in log{} section of radiusd.conf + * Document "chase_referrals" and "rebind" in raddb/modules/ldap + * Preliminary implementation of DHCP relay. + * Made thread pool section optional. If it doesn't exist, + the server will run single-threaded. + * Added sample radrelay.conf for people upgrading from 1.x + * Made proxying more stable by failing over, rather than + rejecting the first request. See "response_window" in proxy.conf + * Allow home_server_pools to exist without realms. + * Add dictionary.iea (closes bug #7) + * Added support for RFC 5580 + * Added experimental sql_freetds module from Gabriel Blanchard. + * Updated dictionary.foundry + * Added sample configuration for MySQL cluster in raddb/sql/ndb + See the README file for explanations. 
-FreeRADIUS 0.9.2 ; Date: 2003/10/14 19:00:09, urgency=low - - * New rlm_ippool code to fix IP leaks - * New rlm_ippool_tool for manipulation of rlm_ippool databases - - * Change radrelay to reject records without an Acct-Status-Type attribute - * Change rlm_counter to reject packets which predate last server reset - * Change version output to include GNU GPL information - * Change rlm_ldap to output bad search filters - - * Fix compilation of various modules when not building with pthreads - * Fix segfault due to poorly initialised value in rlm_mschap - * Fix to only reject packets once - * Fix rlm_exec to work when wait=no - * Fix rlm_attr_filter to work in post-proxy (as intended) - * Fix rlm_sql to only try to load SQL drivers - * Fix to orrectly limit size of RADIUS packets - * Fix usage information to output to stdout when used with -h flag - * Fix configure to assume gethostbyname is BSD-Style on FreeBSD - -FreeRADIUS 0.9.1 ; Date: 2003/09/04 14:56:34, urgency=low - - * Replicate-To-Realm is deprecated, and hence no longer documented - * Document rlm_detail support for authorize and post-auth sections - * Improve slightly MySQL accounting record SQL query - * Opaquefied CHAP-Challenge - * Add attributes to Nomadix dictionary - * Fix rlm_exec's parsing of non-attribute return values - * Fix for a segfault while reading config files - * Fix for a segfault regarding hostname lengths - * Fix for a segfault while reading deprecated config files - * Fix compilation of radiusd.c when threads are disabled - * Recover from inability to relay - * Stop complaining in error log when a system call is interrupted. 
- * Don't print binary CHAP-Passwords into the logs - * Successfully detect GNU dbm >= 1.8.1's dbm compatibility library - * Fix rlm_unix to deal with requests without a username - * Fix "uninmplemented function" crash in postgresql driver on -HUP - * Revert INTERVAL types to BIGINT in postgresql example schema - * Fix radrelay to notice when it's out of IDs - * Fix radrelay to correctly skip bad attributes - * Fix radrelay to not leak IDs when discarding packets - * Fix configure to correctly identify systems without SYSV or GNU-style - gethostby{addr,name}_r. - -FreeRADIUS 0.9.0 ; Date: 2003/07/04 21:01:29, urgency=low + Bug fixes + * Fixed corner case where proxied packets could have extra + character in User-Password attribute. Fix from Niko Tyni. + * Extended size of "attribute" field in SQL to 64. + * Fixes to ruby module to be more careful about when it builds. + * Updated Perl module "configure" script to check for broken + Perl installations. + * Fix "status_check = none". It would still send packets + in some cases. + * Set recursive flag on the proxy mutex, which enables safer + cleanup on some platforms. + * Copy the EAP username verbatim, rather than escaping it. + * Update handling so that robust-proxy-accounting works when + all home servers are down for extended periods of time. + * Look for DHCP option 53 anywhere in the packet, not just + at the start. + * Fix processing of proxy fail handler with virtual servers. + * DHCP code now prints out correct src/dst IP addresses + when sending packets. + * Removed requirement for DHCP to have clients + * Fixed handling of DHCP packets with message-type buried in the packet + * Fixed corner case with negation in unlang. + * Minor fixes to default MySQL & PostgreSQL schemas + * Suppress MSCHAP complaints in debugging mode. 
+ * Fix SQL module for multiple instance, and possible crash on HUP + * Fix permissions for radius.log for sites that change user/group, + but which don't create the file before starting radiusd. + * Fix double counting of packets when proxying + * Make %l work + * Fix pthread keys in rlm_perl + * Log reasons for EAP failure (closes bug #8) + * Load home servers and pools that aren't referenced from a realm. + * Handle return codes from virtual attributes in "unlang" + (e.g. LDAP-Group). This makes "!(expr)" work for them. + * Enable VMPS to see contents of virtual server again + * Fix WiMAX module to be consistent with examples. (closes bug #10) + * Fixed crash with policies dependent on NAS-Port comparisons + * Allowed vendor IDs to be be higher than 32767. + * Fix crash on startup with certain regexes in "hints" file. + * Fix crash in attr_filter module when packets don't exist + * Allow detail file reader to be faster when "load_factor = 100" + * Add work-around for build failures with errors related to + lt__PROGRAM__LTX_preloaded_symbols. libltdl / libtool are horrible. + * Made ldap module "rebind" option aware of older, incompatible + versions of OpenLDAP. + * Check value of Fall-Through in attr_filter module. + +FreeRADIUS 2.1.6 Mon May 18 10:00:00 CEST 2009; urgency=medium + Feature improvements + * radclient exits with 0 on successful (accept / ack), and 1 + otherwise (no response / reject) + * Added support for %{sql:UPDATE ..}, and insert/delete + Patch from Arran Cudbard-Bell + * Added sample "do not respond" policy. See raddb/policy.conf + and raddb/sites-available/do_not_respond + * Cleanups to Suse spec file from Norbert Wegener + * New VSAs for Juniper from Bjorn Mork + * Include more RFC dictionaries in the default install + * More documentation for the WiMAX module + * Added "chase_referrals" and "rebind" configuration to rlm_ldap. + This helps with Active Directory. See raddb/modules/ldap + * Don't load pre/post-proxy if proxying is disabled. 
+ * Added %{md5:...}, which returns MD5 hash in hex. + * Added configurable "retry_interval" and "poll_interval" + for "detail" listeners. + * Added "delete_mppe_keys" configuration option to rlm_wimax. + Apparently some WiMAX clients misbehave when they see those keys. + * Added experimental rlm_ruby from + http://github.com/Antti/freeradius-server/tree/master + * Add Tunnel attributes to ldap.attrmap + * Enable virtual servers to be reloaded on HUP. For now, only + the "authorize", "authenticate", etc. processing sections are + reloaded. Clients and "listen" sections are NOT reloaded. + * Updated "radwatch" script to be more robust. See scripts/radwatch + * Added certificate compatibility notes in raddb/certs/README, + for compatibility with different operating systems. (i.e. Windows) - * Many, many, bug fixes and feature enhancements. - * radrelay now updates packet 'id' on retransmissions. - * More checks for thread-safe functions. - * Fix CHAP related buffer overflow (ouch!), thanks to Masao NISHIKU. - * Issue warnings if deprecated configuration files are used. - * rlm_passwd can now add items to the reply, request, or config items. - * The rlm_digest, rlm_exec, and rlm_ippool modules are now marked - as 'stable', and included in the default build. - * Removed 'raduse'. No one has used it for years. - * Massive fixes for Debian packaging. - * radclient can now send "disconnect" packets, to NASes which - support it. The server, however, CANNOT send disconnect packets. - * Made Auth-Type, Acct-Type, etc. names consistent across - dictionary files and radiusd.conf. The old (inconsistent) names - are still allowed for backwards compatibility. - * Cleaned up problems with the rlm_sql module. - * Updates to the rlm_ldap module. - * rlm_mschap no longer reads SMB password files. See rlm_passwd, - instead. - * Changed default entry in the 'users' file to 'Auth-Type = System', - to allow EAP and Digest authentication to work automagically. - * Support for Cisco LEAP. 
- * Added many new dictionaries (Extreme, Wispr, ERX, Netscreen...) - * Removed support for ATTRIB_NMC. It is now handled (better) - in a different manner. - * Dictionaries have been moved from /etc/raddb to /usr/share/freeradius - * Many documentation updates - * Ignore whitespace-only lines in the 'users' file. - * Patch to fix 'rlm_realm' from returning the DEFAULT entry when - we are looking for the NULL entry and it doesn't exist. Bug - noted by Nathan Miller. - * Disable child process spawning if we don't have threads. - The code doesn't work, so it's better to force the server - to run in single-process mode. - * New rlm_exec module, which allows a more generic way of - executing external programs. - * Preliminary large file support in 'configure' and in the server, - to support 2G+ detail files. - * Install documentation into /usr/local/share/doc/freeradius - * New/updated dictionaries for RedCreek, Bintec, Alcatel, - ITK, Telebit, and Cabletron. - * Updates to allow building on MAC OSX. - * Add support for Acct-Type,Session-Type and PostAuth-Type - * Removed builddbm. It hasn't been used for ages. - * Added new post_proxy section, based on patch from Chris Brotsos. - * rlm_counter shouldn't reset the counters on instantiation, - if the reset is set to 'never'. - * Significant updates to the rlm_python and rlm_perl modules - * Fix the rlm_pap module to handle password lengths properly. - * Do SQL 'close' on bad sockets, to prevent descriptor leaks - * Case insensitivity option for rlm_radutmp - * New pseudo-round-robin load balancing for realms. - * Suppress empty SQL queries. - * Include strong PRNG - * Create 'snmp' configuration directive, so that we can disable - SNMP at run time, even if it's built into the server. - * Refresh realm as 'active' when we see a response from it, - Based on a patch by Angelos Karageorgiou. - * Don't core dump if Status-Server is received, but it's disabled. - * Support more variants of character fields in Oracle. 
- Patch from Stocker Gernot. - * Better parsing of dictionary files. - * Alteon web switch dictionary, from Thomas Linden + Bug fixes + * Minor changes to allow building without VQP. + * Minor fixes from John Center + * Fixed raddebug example + * Don't crash when deleting attributes via unlang + * Be friendlier to very fast clients + * Updated the "detail" listener so that it only polls once, + and not many times in a row, leaking memory each time... + * Update comparison for Packet-Src-IP-Address (etc.) so that + the operators other than '==' work. + * Did autoconf magic to work around weird libtool bug + * Make rlm_perl keep tags for tagged attributes in more situations + * Update UID checking for radmin + * Added "include_length" field for TTLS. It's needed for RFC + compliance, but not (apparently) for interoperability. + +FreeRADIUS 2.1.5 Sun Jan 1 1:1:00 CEST 2009; , urgency=medium + * Release number skipped due to procedural issues. + +FreeRADIUS 2.1.4 Tue Mar 10 17:05:00 CEST 2009; , urgency=medium + Feature improvements + * Permit multiple "-e" in radmin. + * Add support for originating CoA-Request and Disconnect-Request. + See raddb/sites-available/originate-coa. + * Added "lifetime" and "max_queries" to raddb/sql.conf. + This helps address the problem of hung SQL sockets. + * Allow packets to be injected via radmin. See "inject help" + in radmin. + * Answer VMPS reconfirmation request. Patch from Hermann Lauer. + * Sample logrotate script in scripts/logrotate.freeradius + * Add configurable poll interval for "detail" listeners + * New "raddebug" command. This prints debugging information from + a running server. See "man raddebug. + * Add "require_message_authenticator" configuration to home_server + configuration. This makes the server add Message-Authenticator + to all outgoing Access-Request packets. + * Added smsotp module, as contributed by Siemens. + * Enabled the administration socket in the default install. 
+ See raddb/sites-available/control-socket, and "man radmin" + * Handle duplicate clients, such as with replicated or + load-balanced SQL servers and "readclients = yes" -FreeRADIUS 0.8 ; Date: 2002/11/18 15:37:24, urgency=low + Bug fixes + * Clean up control sockets when they are closed, so that we don't + leak memory. + * Define SUN_LEN for systems that don't have it. + * Correct some boundary conditions in the conditional checker ("if") + in "unlang". Bug noted by Arran Cudbard-Bell. + * Work around minor building issues in gmake. This should only + have affected developers. + * Change how we manage unprivileged user/group, so that we do not + create control sockets owned by root. + * Fixed more minor issues found by Coverity. + * Allow raddb/certs/bootstrap to run when there is no "make" + command installed. + * In radiusd.conf, run_dir depends on the name of the program, + and isn't hard-coded to "..../radiusd" + * Check for EOF in more places in the "detail" file reader. + * Added Freeswitch dictionary. + * Chop ethernet frames in VMPS, rather than droppping packets. + * Fix EAP-TLS bug. Patch from Arnaud Ebalard + * Don't lose string for regex-compares in the "users" file. + * Expose more functions in rlm_sql to rlm_sqlippool, which + helps on systems where RTLD_GLOBAL is off. + * Fix typos in MySQL schemas for ippools. + * Remove macro that was causing build issues on some platforms. + * Fixed issues with dead home servers. Bug noted by Chris Moules. + * Fixed "access after free" with some dynamic clients. + +FreeRADIUS 2.1.3 Fri Dec 5 17:40:00 CEST 2008; , urgency=medium + Feature improvements + * Allow running with "user=radiusd" and binding to secure + sockets. + * Start sending Status-Server "are you alive" messages earlier, + which helps with proxying multiple realms to a home server. + * Removed thread pool code from rlm_perl. It's not necessary. 
+ * Added example Perl configuration to raddb/modules/perl + * Force OpenSSL to support certificates with SHA256. + This seems to be necessary for WiMAX certs. - * Added Oracle-specific queries. - * Updated SQL queries to match schema. - * PostGreSQL reconnect patch. - * Added documentation on how to build on MAC OSX. - * Allowed SQL module to ignore unknown Acct-Status-Type values. - * Updated PostGreSQL queries and schema. - * Updated the log rotation configuration files. - * Colubris and updated Nomadix dictionaries, from Marko Myllynen. - * Normalized error messages from the SQL modules, so that they're - more informative. - * Added Suse specific directory and configuration files, from - Peter Nixon - * SQL fail-over patch, so that the module returns FAIL if - the back-end database is down. Based on a patch from - Thomas Jalsovsky. - * Cleaned up the internal handling of the configuration - information, in preparation for better handling SIGHUP. - * Updated rlm_krb5 configuration to better find it's libraries - and include files. - * radclient now complains if it receives a reply from a machine - other than the one to which it sent the request. - * Updated Postgresql SQL queries to get the operator, too. - * Added Juniper dictionary. - * Added Cisco VPN3000, VPN5000, and BBSM dictionaries. - * New platform-neutral 'rc.radiusd' - * Configuration files with private information get chmod'd - 0600 after installation. - * Preliminary support for clean shutdowns when a SIGTERM is - received. - * SNMP timeouts for checkrad, so there will be fewer situations - where it hangs for 30 seconds... - * Added code to clean up modules and memory when asked to exit - via SIGTERM. - * Removed all need for the old-style 'naslist' and 'client' files, - and noted that they are deprecated. - * Added support for Status-Server packets, stolen shamelessly - from Cistron RADIUSD. This is despite the RFC's saying such - things are wrong. - * Bug fixes to rlm_dbm. 
- * Updates for checkrad, max40xx routine, from Aleksandr Kuzminsky. - * Disable caching of passwords for the Unix module. It was - causing too much confusion. - * Fix a memory leak when proxying Authentication-Request's - * Attributes which are not found in the dictionary are now of - type 'octets', instead of 'string'. - * Support for "round-robin" load balancing, when proxying requests - to multiple servers for one realm. - * Minor changes for better HPUX support. - * Updated the documentation and README's - * Made FreeTDS build ONLY after hand-editing, as the FreeTDS - libraries are in a state of flux, due to active development. - * Fixes to help build the server on MAC OSX - * Cisco VPN 3000 dictionary, as posted to the list by Chris Deramus. - * Fix EAP problems with retransmission, from Rainer Weikusat. - * Updates to the Oracle module, from Andrea Gabellini. - * In xlat, Unix timestamps are unsigned ints. - * Security fixes for the Kerberos Module. - * New 'post-auth' section, to do additional processing of - requests after they've been authenticated. - * doc/aaa.txt describes how the server works. - * More uniform encoding/decoding of passwords, so that they will - be seen as clear-text where possible. - * radwho and radzap now read 'radiusd.conf' to discover where the - radutmp files are located. Patch from Andrea Gabellini. - * Preliminary 'expression' module, to allow you to do cool things - like: Session-Timeout = `%{expr:3600 - %{sql:SELECT ...}}` - * Added ability to do xlat on check items, and reply items, - so that the value of the reply attributes can be dynamically - generated. - * Added MIBs, taken from the RFC's. This makes SNMP queries to - the server a little easier to set up. - * Don't SEGV when we receive a packet which is larger than the - size claimed in the RADIUS portion. Patch from Vaughn Skinner. - * SNMP patches from Harrie Hazewinkel. 
- * Added Altiga dictionary, from Calum - * New Rewrite-Rule for rlm_attr_rewrite, to selectively choose - which rewrite rule is performed, and when. - * Minor bug fixes for radrelay. - * Bug fixes in SQL and sub-modules. - * Major updates to dialup_admin. - * Fixed handling of tagged string attributes, so that the server - doesn't go off into never-never land. - * Cleaned up experimental rlm_smb, so that it builds on more + Bug fixes + * Fix Debian patch to allow it to build. + * Fix potential NULL dereference in debugging mode on certain + platforms for TTLS and PEAP inner tunnels. + * Fix uninitialized memory in handling of vendor definitions + * Fix parsing of quoted (but non-string) attributes in the "users" + file. + * Initialize uknown NAS IP to 255.255.255.255, rather than 0.0.0.0 + * use SUN_LEN in control socket, to avoid truncation on some platforms. - * Don't over-write request->reply->vps with the Reply-Message, - when doing authentication rejects with Exec-Program-Wait. - * Added 'instantiate' section, so that modules like 'expr', - with only an 'xlat' function can be registered. - * Allow '{' and '}' in xlat'd strings. - * C++ compatibility patch from Andrey Kotrekhov, for libradius. - * Automatically decrypt/encrypt User-Password, so that debugging - mode will print out the text password, and not the random - garbage it previously showed. - * Cleaned up header files and function prototypes for the SQL - sub-modules. - -FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high - - * Allow attributes of type 'date' to be sent in outgoing packets. - Bug found by Loh John Wu - * Add 'Realm' attribute, even if it's a LOCAL realm. - Bug noted by Chris Brotsos. - * Added experimental SMB authentication module, which uses - PAP passwords to authenticate against an NT-Domain. - NT/LM-passwords are not currently supported. - * More documentation for rlm_passwd, rlm_mschap, and rlm_digest. - * 'configure' changes to better find sem_init and friends. 
- * Allow the use of previously installed libtool, and libltdl. - This appears to help a lot on FreeBSD. - * Fixes to work on non-threaded builds. - Patch from Rainer Weikusat. - * SQL now re-connects to the server, if the connection is lost. - Currently only MySQL is fixed, but other patches will follow. - Patch from Todd T. Fries. - * Added experimental use of dynamicly translated variables, - CallBack-Number = `%{request:Calling-Station-Id}` - sets the value of the CallBack-Number attribute to the value of - the Calling-Station-Id in the original request. - * Cute hack: Allow regex matching on IP addresses, by placing - the string representation of the IP address (1.2.3.4) into - the internal data structure. This allows things like - NAS-IP-Address =~ "^192\.168", which may be useful. - * Add documentation for experimental rlm_dbm module. - * Added experimental Perl module. - * Added the relevant IETF RFC's (standards documents) to 'doc/rfc', - along with some simple perl scripts to convert them to cross- - referenced HTML. - * Updated the experimental Python module. - * Added Cisco SSG VSA's - * When rejecting authentication due to external Exec-Program, do - NOT free the reply pairs, as the server core will take care of - doing that. Bug noted by Thomas Jalsovsky - * New experimental module: rlm_cram - Supports APOP, CRAM-MD5, CRAM-MD4, CRAM-SHA1 with it's own - VSA's. This module may be used for SMTP/POP3/IMAP4 server - authentication. - * Make Exec-Program and Exec-Program-Wait work in debugging mode. - * Finalize the radrelay additions, based on Cistron RADIUS - Patches from Simon - * Fix issues with linking, by making libradius shared. - * Fix issues with MD4, MD5, SHA1, and use of OpenSSL - * Update rlm_x99_token module to compile. + * Correct internal handling of "debug condition" to prevent it + from being over-written. + * Check return code of regcomp in "unlang", so that invalid + regular expressions are caught rather than mishandled. 
+ * Make rlm_sql use . Addresses bug #610. + * Document list "type = status" better. Closes bug #580. + * Set "default days" for certificates, because OpenSSL won't + do it. This closes bug #615. + * Reference correct list in example raddb/modules/ldap. + Closes #596. + * Increase default schema size for Acct-Session-Id to 64. + Closes #540. + * Fix use of temporary files in dialup-admin. Closes #605 + and addresses CVE-2008-4474. + * Addressed a number of minor issues found by Coverity. + * Added DHCP option 150 to the dictionary. Closes #618. + +FreeRADIUS 2.1.2 Thurs Dec 3 10:47:00 CEST 2008; , urgency=medium + Due to packaging issues, 2.1.2 has been pulled from the net. + +FreeRADIUS 2.1.1 Thu Sep 25 11:03:00 CEST 2008; , urgency=medium + Feature improvements + * Many more options and features in radmin. See "man radmin" and + raddb/sites-available/control-socket + * Many more commands available via the control socket. Connect + via "radmin", and type "help" for more information. + * Added dictionary.networkphysics and dictionary.lancom. + * Calculate WiMAX MIP keys, and added sample WiMAX SQL tables. -FreeRADIUS 0.6.0 ; Date: Date: 2002/07/03 14:16:33 , urgency=high + Bug fixes + * Fixed bug that made radmin not work + * Fixed Suse && Debian package scripts + * Fixed issues with dynamic clients + * Fixed configure checks for -lreadline + * rlm_sqlippool no longer needs to be linked to rlm_sql. + * Add statistics for detail file listeners. This closes bug #593. + * Fixed printing of some WiMAX attributes. + * Fix double free on exit() in rlm_attr_filter + * Fixed build issues on Solaris. + * Fixed fast session resumption for EAP-TLS + +FreeRADIUS 2.1.0 Fri Sep 5 13:20:01 CEST 2008; , urgency=medium + Feature improvements + * Clients may now be defined dynamically, based on IP address. + See raddb/sites-available/dynamic-clients. + * SNMP support is now available through an experimental Perl script. 
+ See scripts/snmp-proxy/README + * SNMP statistics are available through Status-Server packets. + See raddb/sites-available/status + * Added more Microsoft attributes from bug #568. + * The "linelog" module has more functionality and flexibility. + See raddb/modules/linelog. + * The debugging output has been sanitized. It should be much + more readable. + * Debug logs can now be turned on/off while the server is running, for + a user, group, realm, etc. See the "log" section of radiusd.conf. + * Added support for WiMAX Forum attributes. The dynamic keys + are not yet calculated. See share/dictionary.wimax + * Added session resumption for PEAP and TTLS. + See raddb/eap.conf, "cache" sub-section. + * Added "radmin" command-line tool for administering a running server. + See "man radmin" and raddb/sites-available/control-socket. - * Many bug fixes. For explicit details, see: - http://www.freeradius.org/cvs-log/ - * Change to the user/group specified in the config file in all - modes ( debug and daemon ). - * SQL sockets are rotated so that all are used, to prevent the - SQL server timing out and closing unused sockets. Patch from - Todd T. Fries - * Sybase driver from mattias@nogui.se. - * Modules are now versioned. - * Delete garbage Proxy-Reply attributes sent by the home server - before performing our own reply. - * Fix race conditions when duplicate packets resulted in a request - being processed by two threads, at the same time. - * Add '-d' command-line option to radwho - Bug noted by Matthew Schumacher - * Corrected issue that when a home server never replied to a - proxied request, the server may die. - * In SQL, look in radcheck, if not found there, try radgroupcheck. - Patch from Thomas Jalsovsky. - * Set sql user name for ALIVE accounting packets, too. - Patch from Simon . - * Use port-specific checking for realms, now that we can proxy to - different auth/acct servers for the same realms. - Patch from Eddie Stassen. 
- * Minor updates to encrypted tunnel passwords. - * Default 'run_dir' is now /var/run/radiusd, not var/run. - /var/run is writeable only by root, and radiusd may be run suid. - * Modules are now versioned, so that upgrading the server - ensures that the new modules are installed. - * Fix sql code, so that magic SQL characters don't get the - SQL server excited. - * Remove references to "UNKNOWN-NAS" in log messages. - * Properly handle fork() and obtaining child processes exit - status when using threads. (pthread is broken w.r.t. signals) - * Correct code which would send erroneous reject, when the reject - was delayed, and a new request came in. - * Fix race condition where proxied requests would sometimes never - be re-sent. Bug noted by Eddie Stassen. - * Corrected LDAP3 schema - * Implemented Digest authentication, as per IETF document - draft-sterman-aaa-sip-00.txt, to perform authentication against - a Cisco SIP server. - * If no password or group files have been specified in the config, - use the standard system calls to find them, rather than giving - up. Patch from Steve Langasek. - * Return Proxy-State attributes in a delated Access-Reject - * Corrected 'session zap' logic, when an old and unused session - is deleted from the databases. Accounting packets with garbage - Client-IP-Address attributes should no longer be a problem. - * Bug fixed in LDAP attribute map, for MS-CHAP related attributes. - * Fixes to the EAP module to work better with XP. - * Support for MS-SQL, using the FreeTDS library, - from Dmitri Ageev - * New operators =* and !*. See 'man 5 users' for details. - * Added translation for %{config:section.subsection.item}, to - allow run-time translation of internal configuration parameters. - * New rlm_sqlcounter module, to keep counters based on SQL data. - * Fix rlm_realm, to allow seperate proxying of accounting and - authentication requests. - * Bug fixes in PostgreSQL back-end, from Andrew Kukhta. 
- * Increase internal buffers, to allow large SQL query strings. - * Added debug level 3 (-xxx), where debug messages have time stamps. - * Fix 'radwho' to use the correct radutmp file, as found by - 'configure' (but radwho still doesn't read radiusd.conf) - * Fix bugs in tunnel (tagged attribute) code, which would prevent - tagged attributes from being generated correctly in a packet. - * Build only 'stable' modules by default. Experimental modules - require --with-experimental-modules to be passed to 'configure' - * New module rlm_ippool, to do server-side IP pooling. - * Fix rlm_eap module for portability, to work on non-x86 platforms. - * Re-connect to the LDAP server if the connection idles out - * Increased the visibility of the warning messages when doing - 'make install' - * Fixed EAP module to use 16-bit integers, so that it will - work on big-endian architectures. + Bug fixes + * Double escaping of '\\' in the "users" (and some other) files + has been fixed. If you have '\\' in the "users" file, your + configuration WILL NEED TO BE CHECKED, AND FIXED! + * Parse "security" section in radiusd.conf. This was accidentally + deleted in 2.0.5. Closes bug #566. + * Bind to interface before IP, which allows DHCP sockets to + listen on "*" for multiple interfaces. + * Fix handling of giaddr in DHCP responses. + * Corrected parsing of status_check in home_server so that it works. + * Fix hints so that "Puser" works again. + * Removed length restrictions on attribute names in the dictionaries. + * Update socket code to avoid C compiler optimizations. + +FreeRADIUS 2.0.5 ; Date: 2008/06/07 17:17:00 , urgency=medium + Feature improvements + * Permit SQL authorize_reply_query to be empty. + * Allow setting response packet type in Post-Proxy-Type Fail + handler. + * Added install-chown target to set correct permission and ownership + make RADMIN=radmin RGROUP=radius install-chown + * Support for LDAP-Group and other dynamic comparison attributes + in unlang. 
Developed from a patch by Jason Alderfer. + * Added chroot support. See radiusd.conf for comments. + * Allow clients of 0/0. We do not recommend using this, though. + * Moved many module configurations into raddb/modules/* -FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium - - * Many bug fixes. For explicit details, see: - http://www.freeradius.org/cvs-log/ - * Added Foundry dictionary, from Thomas Keitel - * Fix a logic bug in the 'walk over request list' code, which - would sometimes result in a request being deleted while it - was still being processed. Found by Rainer Clasen - * New 'tuning' guide, for optimizing the server's speed. - * The default ports are now 1812/1813, which is the standard. - * Fix a bug which would hang the server when many SQL connections - were open. Found by Cvetan Ivanov - * Updated MySQL schema, with sanity checks, based on a schema from - Thomas Huehn - * Added 'Aptis' (Nortel CVX) dictionary. - * Added Ipv6 attributes (as 'octets' type for now) - * 'xlat' capability for SQL, so other modules can do SQL queries. - * We don't need a shared secret for LOCAL realms. - * Added better description of internal variables. - * Configurable fail-over to DEFAULT realm. Sometimes we don't - want to use the DEFAULT realm, if all configured realms are - marked dead. From Rainer Clasen. - * new configuration items 'max_attributes' and 'reject_delay' - If the packet contains too many attributes, it can be rejected. - We can also delay sending an Access-Reject, which slows down - certain DoS attacks. - * Updates to redhat scripts and spec file, from Marko Myllynen. - * Python module (EXPERIMENTAL) from migs paraz - * Add ability to find *best* match when comparing attributes. - If there is more than one attribute in a request and the first - one doesn't match, go check the second one, instead of failing. - * unixODBC support for SQL, from Dmitri Ageev - * Use thread-safe versions of library calls. This work is still - on-going. 
- * New rlm_passwd module, to allow general parsing of passwd-style - files. - * Preliminary EAP-TLS support. - * Updated LDAPv3 schema - * Correct checks for Odbc, and fix bugs in the module. - Andreas Kainz - * MAN page fixes and updates - * Added PHP web interface 'dialup_admin' - * Password = "UNIX" or "PAM" backwards compatibility removed. - * Use the operators in the SQL schema and queries, and bug - fixes in the SQL module. - Randy Moore - * fgetpwent() compatibility, for systems without it, - from Daniel Carroll - * Added PAP authentication module, as a step to removing - most authentication handlers in other modules. - * Send a Access-Reject after max_request_time - * Multiple fixes in the LDAP module. - * Quintum dictionary by Jeremy McNamara - * Preliminary EAP Module with MD5 support - Contributed by Raghu - * Better sanity checking for bad VSA's when receiving a packet - * new 'xlat register' so that attribute values may be pulled - out of configurable databases at run-time. - e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u} - * Minor fixes to debian package rules - * Attribute 'Password' deprecated in favor of 'User-Password'. - * MS-CHAP and MS-CHAPv2 MPPE support added. - Contributed by Takahiro Wagatsuma . - * X9.9 token enhancements (several). - - -- Alan DeKok - -FreeRADIUS 0.4.0 ; urgency=low - - * Allow the MS-CHAP module to work, and to read /etc/smbpass - 3APA3A <3APA3A@SECURITY.NNOV.RU> - * Remove the server requirement that one of User-Password - or CHAP-Password exist when doing authentication. These - checks should be handled by the modules. This change - also prepares us for EAP. - Patch from Raghu - * Make NAS-Port-ID in radwho, raduse, etc. unsigned, - instead of signed. - Patch from John Morrissey - * Allow \t and \n inside of configuration strings. - Frank Cusack - * X9.9 Challenge-Response token card support. - For now, only CRYPTOCard tokens are supported. 
- Frank Cusack - * Fix core dump on Solaris in radwho.c - Patch from Eddie Stassen - * Fix leak / core dump in Oracle module. - * Fix memory leak in rlm_counter - Kostas Kalevras - * "LOCAL" realms do not need to have an entry in the 'clients' - file. Philippe Levan - - -- Alan DeKok - -FreeRADIUS 0.3.0 ; urgency=low + Bug fixes + * Allow proxying to virtual servers for accounting packets, too. + * Added "num fields" function to PostgreSQL client. + * Updated proxy fallback mechanism to validate fallback servers, + and to process fallback requests in a child thread. + * rlm_realm returns "ok" for LOCAL realms, not "noop". + * Fixed some DHCP code handling. The examples should now work. + +FreeRADIUS 2.0.4 ; Date: 2008/04/30 08:56:40 , urgency=medium + Feature improvements + * Allow "virtual_server" in "realm" and "home_server" sections. + See raddb/proxy.conf and raddb/sites-available/virtual.example.com. + * Allow "passwd" module to be listed in "accounting" and "post-auth". + * Added "fallback" to "home_server_pool" configuration, to handle + the case of all home servers being dead. See raddb/proxy.conf. + * Added sample text to raddb/sites-available/inner-tunnel which + can simplify debugging of inner tunnel configurations. + * Added regular expression matching in realm names. See + raddb/proxy.conf for examples. + * Added simple DHCP server functionality. For comments, see + raddb/sites-available/dhcp. + * Added file globbing capabilities to detail file reader + * Added sample raddb/sites-available/robust-proxy-accounting + * Clients in SQL can now refer to a virtual server. + Patch from Michael Bretterklieber. + * Added some examples of creating RADIUS administrator in SQL, + and assigning appropriate access rights. + + Bug fixes + * Install all files in raddb/sites-available + * Allow non-threaded builds. + * Don't treat '0x' as special for known attributes that are not + of type "octets". + * Fix log error in rlm_pap. 
+ * Remove documentation about non-existent functionality. + * Updated warning messages in debug output. + * Fix handling of timeouts in rlm_ldap that affected 64-bit systems. + This fix was supposed to go into 2.0.3, but did not make it. + * Fix event handling in debug mode for failed proxy requests. + * Fix memleak in fifos. Closes #537. + * Fix memleak on blocked threads. Closes #538. + * Perform additional checks on NULL realms. Closes #541. + * Fix handling of "clients" in "listen" section. + * When detail file cannot process a packet, sleep for longer + to let the rest of the server do something. + * Add missing table to raddb/sql/mssql/schema.sql. Closes #545. + * Updated rlm_sql_postgresql to build with PostgreSQL 7.x. + Closes #533. + * Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the + correct place. + * Update rlm_attr_filter for some corner cases. Closes #543. + * Fixed memory leak in libfreeradius event handler. + * In the SQL Accounting on/off queries, remove the restriction + that the session time had to be zero. + +FreeRADIUS 2.0.3 ; Date: 2008/03/17 09:22:17 , urgency=medium + Feature improvements + * Updated raddb/certs/ca.cnf with extensions to allow ca.der + to be imported as a CA on Symbian and Windows Mobile devices. + Closes bug #524 + * Enable multiple matches in "hints" via Fall-Through = Yes. + Closes bug #477 + * Added preliminary SQLite driver, contibuted by Apple. + Untested, with no sample configuration. This address bug #470. + * Updated logging sub-system so that log messages from libfreeradius + can go to the log file, and not stdout. + * Added dictionary.rfc5176 + * EAP module now checks for instance name, and uses that for + authentication. This avoids the need to set Auth-Type when + there are multiple instances of the EAP module. + * Added Module-Return-Code attribute, which contains the value + returned by the previous module (ok/fail/update/etc.) 
- * Added ability to send debug messages to the log file, when - running in daemon mode. - * Miscellaneous fixes to get Debian packaging working. - * When trapping a signal, don't SIGKILL children on a SIGTERM, - SIGTERM them, instead. This allows Exec-Program scripts to - catch the signal, and finish processing, instead of dying. - Bug noted by Michael Chernyakhovsky - * Increased limit on length of user name read from /etc/passwd, - to match the maximum allowed by RADIUS. - Bug noted by "Gonzalez B., Fernando" - * Configurable fail-over when proxying packets. If the - home server doesn't respond to a repeated proxied request, - it's marked as 'dead', and the next one in the list is used. - Patch by Eddie Stassen and - * Pass Access-Challenge attributes through the server, in - preparation for EAP. - Raghu - * More fixes for RFC compliance on the Message-Authenticator - Raghu - * Merged OSFC2/OSFSIA authentication patches from Cistron. - (Bug # 104) The patches are not well tested, however. - * IBM DB2 UDB V7.1 SQL driver, contributed by - Joerg Wendland - * Fix the IP + Port address assignment. - Bug found by "John Padula" - * Patch to avoid smashing the contents of Ascend binary filters. - Michael Chernyakhovsky - * Create and Validate Message-Authenticator attribute, in - preparation for EAP. - * Initialize variables properly in rlm_attr_filter. - Patch from Andriy I Pilipenko - * Renamed RedHat init script from 'radiusd.init' to 'radiusd'. - This allows it to work properly with the RedHat rc system. - Patch from Christian Vogel - * Fix the configure script checks for PostgreSQL, so that - they use the 'test' command properly. - Bug found by Robert Haskins - * Change instances of 'assert' to 'rad_assert', so that it - can log the error to the standard radius log files. - Patch from Vesselin Atanasov - * Patch to prevent segv when freeing results, from - Tomas Heredia - * Added support for Exec-Program to acct. 
Bug found by - - * Corrected rlm_files so that raddb/acct_users works - * When doing synchronous proxying, update proxy next try - entries, so that the server doesn't eat CPU time. - Raghu - * Add primitive dictionary.nomadix - * Log messages to console, if the logger hasn't been - initialized. - * Log invalid user for proxy rejects, too. - * Fixed Expiration attribute handling. - * Added code to handle Ascend-Send-Secret and Ascend-Receive-Secret - * Removed non thread-pool code. If we have threads, we now force - the use of thread pools. - * Update version number - * correct bug where proxied accounting packets would never have a - reply sent back to the NAS, or the reply would be sent twice. + Bug fixes + * Corrected typos in rlm_dbm. Closes bugs #521 and #522. + * Detail file "listen" sections now work much better. + * Don't allow old "log_*" to over-ride new format. Closes bug #525 + * Initialize allocated memory in Oracle SQL driver. This fixes + occasional crashes on some systems. Closes bug #518 + * Call correct function in rlm_protocol_filter. This enables the + module to build. Closes bug #512. + * Added deprecated flag to build for rlm_krb5. This allows it to + run on 64-bit systems. Closes bug #491 + * Corrected error message when parsing invalid configurations + so it doesn't crash. Closes bug #527 + * Fix handling of timeouts in rlm_ldap that affected 64-bit systems. + * Handle $INCLUDE's in "instantiate" section. Closes #528. + * Format updates to "man" pages from Stephen Gran. + +FreeRADIUS 2.0.2 ; Date: 2008/02/14 11:13:48 , urgency=medium + Feature improvements + * Added notes on how to debug the server in radiusd.conf + * Moved all "log_*" in radiusd.conf to log{} section. + The old configurations are still accepted, though. + * Added ca.der target in raddb/certs/Makefile. This is + needed for importing CA certs into Windows. + * Added ability send raw attributes via "Raw-Attribute = 0x0102..." + This is available only debug builds. 
It can be used + to create invalid packets! Use it with care. + * Permit "unlang" policies inside of Auth-Type{} sub-sections + of the authenticate{} section. This makes some policies easier + to implement. + * "listen" sections can now have "type = proxy". This lets you + control which IP is used for sending proxied requests. + * Added note on SSL performance to raddb/certs/README - -- Alan DeKok + Bug fixes + * Fixed reading of "detail" files. + * Allow inner EAP tunneled sessions to be proxied. + * Corrected MySQL schemas + * syslog now works in log{} section. + * Corrected typo in raddb/certs/client.cnf + * Updated raddb/sites-available/proxy-inner-tunnel to + permit authentication to work. + * Ignore zero-length attributes in received packets. + * Correct memcpy when dealing with unknown attributes. + * Corrected debugging messages in attr_rewrite. + * Corrected generation of State attribute in EAP. This + fixes the "failed to remember handler" issues. + * Fall back to DEFAULT realm if no realm was found. + Based on a patch from Vincent Magnin. + * Updated example raddb/sites-available/proxy-inner-tunnel + * Corrected behavior of attr_filter to match documentation. + This is NOT backwards compatible with previous versions! + See "man rlm_attr_filter" for details. + +FreeRADIUS 2.0.1 ; Date: 2008/01/22 13:29:37 , urgency=low + Feature improvements + * "unlang" has been expanded to do less run-time expansion, + and to have better handling of typed data. See "man unlang" + for documentation and new examples. -FreeRADIUS Alpha 0.2.0, July 30, 2001. - - * call openlog() again when using PAM, to get the correct log - facility. - * Update child thread code, to minimize race conditions. - * Make thread pools the default. Using plain child threads is NOT - recommended. - * Ignore SIGPIPE to get ride of crashes when using ldap. - * Update proxying code to work better. 
- * Platform independent pthread_cancel()ling - * Fix 'unresponsive child pid' erroneous warning messages. - * Many changes to get various SQL modules working. - Note that there may still be some issues with Oracle. - * Added configure options 'with-rlm-FOO-include/lib-dir', so that - lower-level rlm_FOO modules can be configured via the top-level - configuration file. This isn't completely done yet. - * Fix check for shared library using libtool info, instead of - assuming extension being ".so". - * Fixes for HPUX. We probably need more. - * Many additional bug fixes and changes. + Bug fixes + * The 'acct_unique' module has been updated to understand + the deprecated (but still used) Client-IP-Address attribute. + * The EAP-MSCHAPv2 module no longer leaks MS-CHAP2-Success in + packets. + * Fixed crash in rlm_dbm. + * Fixed parsing of syslog configuration. + +FreeRADIUS 2.0.0 ; Date: 2007/11/24 08:33:09 , urgency=low + Feature improvements + * Debugging mode is much clearer and easier to read. + * A new policy language makes many configurations trivial. + See "man unlang" for a complete description. + * Virtual servers are now supported. This permits clear separation + of policies. See raddb/sites-available/README + * EAP-TLS (PEAP, EAP-TTLS) and OpenSSL certificates "just work". + See raddb/certs/README for details. + * Proxying is much more configurable than before. + See proxy.conf for documentation on pools, and new config items. + * Full support for IPv6. + * Much more complete support for the RADIUS SNMP MIBs. + * HUP now works. Only some modules are re-loaded, + and the server configuation is *not* reloaded. + * "check config" option now works. See "man radiusd" + * radrelay functionality is now included in the server core. + See raddb/sites-available/copy-acct-to-home-server + * VMPS support. It is minimal, but functional. + * Cleaned up internal API's and names, including library names. + + Bug fixes + * Many.
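Review bot: The 2.0.3 and 2.0.4 "Bug fixes" lists contradict each other on the rlm_ldap timeout fix: 2.0.3 lists "Fix handling of timeouts in rlm_ldap that affected 64-bit systems", while 2.0.4 repeats the entry and adds that it "was supposed to go into 2.0.3, but did not make it". Drop the line from 2.0.3 so that anyone checking which release carries the fix gets one answer. The release headers also need a pass: 2.1.5 is dated "Sun Jan 1 1:1:00 CEST 2009", which is earlier than the 2.1.4 date below it (Tue Mar 10 2009) and cannot be a Sunday if Mar 10 is a Tuesday; 2.1.2 says "Thurs Dec 3" although 2.1.3 gives Dec 5 of the same year as a Friday; and the 2.1.x headers use a different date layout from the 2.0.x "Date: YYYY/MM/DD" form and carry an empty field ("; ,"). In 2.1.3 the dialup-admin temporary-file fix that addresses CVE-2008-4474 sits unmarked in the middle of the general bug list; moving it to the top of that list, or marking it as a security fix, would help packagers triaging the upgrade, and the same applies to the 2.1.4 entries on "access after free" with dynamic clients and on control sockets owned by root. Small text fixes in the added lines: the unclosed quote in 'See "man raddebug.', "droppping", "uknown", "contibuted", "configuation", "This address bug #470", and "available only debug builds". Finally, the removed lines take out the whole 0.8 through Alpha 0.2.0 history, including "Security fixes for the Kerberos Module" in 0.8 and the SQL magic-character fix in 0.6.0; if that history is being retired from this file, the new text should say where it is kept.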