X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=doc%2FChangeLog;h=c42aace9481674d91a80fe2007e8127481f3b8d6;hb=d253cf86d79b024ff68378e146775aa6975b887a;hp=deade9e7188201222c728dec8d194e1482df99d0;hpb=230375c9f1272ba9655431bdd72e38a097052b63;p=freeradius.git diff --git a/doc/ChangeLog b/doc/ChangeLog index deade9e..c42aace 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -1,13 +1,281 @@ -FreeRADIUS 3.0.12 Mon 25 Jan 2016 14:00:00 EST urgency=medium +FreeRADIUS 3.0.15 Mon 17 Jul 2017 09:00:00 EDT urgency=high + Feature improvements + * Provide HOSTNAME in default systemd files. + * Incorporate RedHat specific files + * Update dictionary.starent, dictionary.ruckus + * Allow builds without TCP or DHCP + + Bug fixes + * Fix multiple issues. See this web page for details: + http://freeradius.org/security/fuzzer-2017.html + * Pass correct statement length into sqlite3_prepare[_v2] + * Bind the lifetime of program name and python path to the module + * Check input / output length in make_secret(). + FR-GV-201 + * Fix read overflow when decoding DHCP option 63 + FR-GV-206 + * Fix write overflow in data2vp_wimax() + FR-GV-301 + * Fix infinite loop and memory exhaustion with 'concat' attributes + FR-GV-302 + * Fix infinite read in dhcp_attr2vp() + FR-GV-303 + * Fix buffer over-read in fr_dhcp_decode_suboptions() + FR-GV-304 + * Decode 'signed' attributes correctly. + FR-GV-305 + * use strncmp() instead of memcmp() for bounded data + FR-AD-001 + * Bind the lifetime of program name and python path to the module + FR-AD-002 + * Pass correct statement length into sqlite3_prepare[_v2] + FR-AD-003 + * print messages when we see deprecated configuration + items + * show reasons why we couldn't parse a certificate + expiry time + * be more accepting about truncated ASN1 times. + * Fix OpenSSL API issue which could leak small amounts + of memory. Issue reported by Guido Vranken. + * For Access-Reject, call rad_authlog() after running + the post-auth section, just like for Access-Accept. + * don't crash when reading corrupted data from session + resumption cache. Fixes #1999. + * Parse port in dhcpclient. Fixes #2000. + * Don't leak memory for OpenSSL. + Patch from Guido Vranken. + * Portability fixes taken from OpenBSD port collection. + * run rad_authlog after post-auth for Access-Reject. + * Don't process VMPS packets twice. 
+ * Fix attribute truncation in rlm_perl + * Fix bug when processing huntgroups. + +FreeRADIUS 3.0.14 Fri 26 May 2017 13:00:00 EDT urgency=medium + Feature improvements + * Enforce TLS client certificate expiration on + session resumption, and Session-Timeout. + See CVE-2017-9148. + * Updated dictionary.cisco.vpn3000, dictionary.patton + * Added dictionary.dellemc + * Lowered the log output for failed PEAP sessions. + * ALlow utc in rlm_date. Patch from + Peter Lambrechtsen. + * The internal OpenSSL session cache has been + disabled. Please see mods-available/eap + * Update detail reader documentation. + Patch from Matthew Newton. Fixes #1973. + * Make outgoing RadSec connections non-blocking. + * Add SQL backing to Moonshot-*-TargetedId + generation. Patch from Stefan Paetow. + + Bug fixes + * radtest uses Cleartext-Password for EAP, not + User-Password. + * Update documentation for mods-enabled/ linking. + * Enhanced checks for moonshot salt. Fixes #1933. + * Allow session resumption for RadSec connections. + Fixes #1936. + * Update "huntgroups" file to note that port ranges + are not supported. + * Fix OpenSSL permissions issues on default key files. + Fixes #1941. + * Certificates are not required when PSK is used. + * Allow SubjectAltName as first extension in cert. + Fixes #1946. + * Fixed talloc issue with TLS session resumption. + Fixes #1980. + * "&Attr-26 := 0x01" now produces useful error messages. + * Handle connection error in rlm_ldap_cacheable_groupobj. + Fixes #1951. + * Fix endian issues in DHCP. + * Multiple minor fixes for Coverity complaints. + * Handle unexpected regex. Fixes #1959. + * Fix minor issues in dictionaries. + * Fix typos and grammar. Patches from Alan Buxey. + * Fix erroneous VP creation in rlm_preproces. + * Fix MIB. Patch from Jeff Gehlbach. + * Trust router updates from Alejandro Perez. + * Allow build with LibreSSL. Fixes #1989 + * Use correct packet for channel bindings. Fixes #1990. + * Many fixes found by PVS-Studio. 
Thanks to PVS-Studio + for giving us a test license. Please see the git commit + history for more information. + * Fix incorrect length check in EAP-PWD. This may + be exploitable. + +FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium + Feature improvements + * Add dictionary.rfc7930. Note that we do not implement + the RFC. + * Added 'cipher_server_preference' to mods-available/eap + Patch from #1797. + * OpenSSL 1.1.0 compatibility fixes. + * rlm_perl: radiusd::xlat to evaluate xlat string + within perl script + * Allow authentication retry in winbind. Patch from + Herwin Weststrate. See raddb/mods-available/mschap. + * Added "recv-coa" method to rlm_rest. It behaves the + same as "authorize". + * Document Trust Router tr_port option. Patch from + Stefan Paetow. + * Update elasticsearch/logstash examples so that they work + with elastic stack v5. Patch from Matthew Newton. + * Print information about packets, replies, and contents + in the detail file reader. + * Update abfab-tr policy. Pull request #1893 + from Stefan Paetow. + * Reject packets which contain User-Password and + EAP-Message. + * Add example for filtering Access-Challenge. + See sites-enabled/default. + * Pull symlink fixes from v4.0.x. Fixes #1859. + * Add systemd reload. Not everything is reloaded, but + some is. Fixes #1662. + * Better documentation for listen "ipaddr". Fixes #1921 + * Add dictionary.cnergee, updated dictionary.nomadix. + * radclient no longer needs -x to print statistics with -s. + + Bug fixes + * Minor typos. Fixes #1763 + * Fix typo in RPM build. Closes #1767. + * rlm_mschap check for password expiry only + if password was correct. Fixes #1762. + * Update debian build. + * update rlm_counter "man" page. Fixes #1775. + * Remove erroneous assert. Fixes #1778. + * fix mschap password change test. Fixes #1792. + * Cleanup config file on data remove. Fixes #1795. + * passwd module returns "notfound" if not found. 
+ * Check for old OpenSSL, and don't build rlm_eap_fast + if it necessary. Fixes #1803 + * Cleanup memory better after ldap version query. + Patch from Aleksey Katargin. + * Rename lt_* functions to avoid linker issues with + libtool. Fixes #1277 + * Many miscellaneous fixes and typos. + * Allow long strings in %{%{foo} bar:-%{baz} blah". + Fixes #1866 + * Fix filtering operators, along with more documentation and + more tests for them. + * Fix OpenSSL fixes. Fixes #1876. + * Finish SQL select queries even when SELECT returns no rows. + Fixes #1879. + * Set Module-Failure-Message for more EAP errors. + * Correct typo in dictionary.rfc5580. Fixes #1882 + * Remove obselete systemd syslog.target. + * Client-Port-Balance load-balancing now uses client port. + * Radrelay examples fixed from Alex Clouter. + * Update systemd target. Pull request #1896. + * Trim starting whitespace in xlat strings. + * Get MySQL result lengths using normal API. + * suid down after fchown(). Fixes #1914. + * Fix cases of comparing pointer to NUL character. Fixes #1915. + * OpenSSL v1.1 fixes. Pull request #1921. + * Better Handle v4/v6 host names. Pull request #1919. + * Remove "Auth-Type = System" from docs and examples. + * Don't crash on malformed %{home_server}. Fixes #1922 + * fix erroneous use of talloc destructor in rlm_eap + * Issue trigger modules.sql.fail. Fixes #1923 + * Document python_path gotcha's. Fixes #1845 + * dlopen() the specific version of Python. Fixes #1592 + +FreeRADIUS 3.0.12 Thur 29 Sep 2016 13:00:00 EDT urgency=medium Feature improvements * Add support for =~ and !~ in update sections. See "man unlang" + * Add dictionary.checkpoint. + * Simultaneous-Use prints out more information. + * Print WARNING in debug mode when packets may be + truncated. + * Added expansions %{home_server:state} and + %{home_server_pool:state}, which show the + state of the server / pool. + * Mark rlm_sql_freetds as stable. + * Make rlm_perl less fragile. Patch from + Herwin Weststrate. 
+ * Allow extended attributes to have "encrypt=2" + * Update dictionary.aruba. + * Add support for EAP-FAST. This is an isolated + feature which does not affect anything else. + * Update OpenSSL vulnerability list. Use a version + of OpenSSL released after September 20, 2016. + * EAP certificate verification is now done when + "verify" is enabled and "ocsp" is disabled. + * New dhcpclient and rlm_rad_counter man pages. + * Minor abfab and moonshot additions. + * Pass CFLAGS through from environment in RPM builds. + Allows more custom builds. + * Build with Heimdal in addition to libkrb5. Bug fixes * Use correct typedef for older versions of sqlite. * Update mssql schema to add priority - * don't complain on /dev/urandom in ldap - * fix == operator in update sections + * Don't complain on /dev/urandom in ldap + * Fix == operator in update sections + * Don't create DHCP strings with many trailing zeros. + Patch from Nicolas C. Fixes #1526. + * Allow MS-CHAP change passwords instead of complaining + on large buffer. + * Allow assignment or equality operator on SQL. + * Update aclocal tests for FreeBSD 10. Patches from + Mathieu Simon. + * Remove occasional hang in rlm_linelog. + * Copy VSAs to inner tunnel for TTLS and PEAP. + Fixes #1544 + * A few minor bugfixes caught in v3.1.x cleanup, and + back-ported to v3.0.x. + * do_not_respond again works in post-proxy + * Allow realm "~^.*$" {} and User-Name with no realm. + * Fix leak when creating unknown attributes + * Fix Debian / logrotate. + * Make OpenSSL error functions thread-safe. + * Fix crash with rlm_sql and updating SQL-User-Name. + * Debian build updates. + * Allow regular expression comparisons in radclient + fixes #1574. + * Fix memory leak on unknown attributes in detail file + reader. + * Update example paths in "man" pages when installing + them + * Build fixes for rlm_mschap. Fixes #1489. + * BSD build fixes. Patch from issue #1583. + * Be more careful about /lib/ when building. + Fixes #1585. 
+ * Correct ifdef placement error. Fixes #1572. + * Allow for more files in internal "exfile" API + So it will be possible to open more than 64 + "detail" files at the same time. + * Remove support for statically built EAP modules. + Fixes #1591. + * Many fixes to rlm_python from Guillaume Pannatier. + * Use correct week adjustment in SQLcounter. + Fixes #1608 + * Minor fixes to allow compilation without DHCP, + VMPS, or TCP. + * Fix checks for module / config file change on HUP. + * Compile regex comparisons when sent via + "debug condition". Fixes #1632. + * Update filenames in documentation and examples. + Patch from Alan Buxey, #1655. + * Don't crash if SQL connection becomes unavailable. + Fixes #1640. + * Disallow originate_coa when proxy_requests = no + Fixes #1684. + * Free rad_perlconf_hv in correct perl context. + Fixes #1675. + * Multiple fixes for Debian builds. #1510, among + others. + * Set OpenSSL FIPS compatibility flag when necessary. + * Pulled fixes for the build system over from other + branches. + * Fix OCSP for RADIUS over TLS. + * Fix skip_if_ocsp_ok behavior. + * Better fixes for systems without closefrom() but + which have /proc. Fixes #1757. + * Minor build fixes back-ported from v4.0.x. + * build --whout-ascend-binary. Fixes #1761. + * Be more aggressive about not opening new connections + in debug mode after CTRL-C. Address #1604. FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium Feature improvements
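Review bot: The 3.0.15 "Bug fixes" block lists several fixes twice, which makes it hard to map each FR-GV / FR-AD identifier to exactly one change. "Bind the lifetime of program name and python path to the module" and "Pass correct statement length into sqlite3_prepare[_v2]" each appear once bare and once more with FR-AD-002 / FR-AD-003. The rad_authlog change for Access-Reject is described in two separate entries, and the two OpenSSL memory-leak entries credited to Guido Vranken appear to describe the same fix. Keep only the identified copy of each. In 3.0.14, "Fix incorrect length check in EAP-PWD. This may be exploitable." is the last bug-fix entry, carries no identifier, and sits under urgency=medium, while the CVE-2017-9148 change is filed under "Feature improvements". Moving both to the top of the release entry and marking them as security fixes would let operators who skim the changelog see them. In 3.0.13, #1921 is cited for both the listen "ipaddr" documentation entry and the OpenSSL v1.1 pull request, so one of the two references is probably wrong. Typos in added lines worth fixing before merge: "ALlow utc", "rlm_preproces", "obselete", "--whout-ascend-binary", "if it necessary", "Fix OpenSSL fixes", and the unbalanced expansion in 'Allow long strings in %{%{foo} bar:-%{baz} blah"'.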