1 FreeRADIUS 2.2.9 Thursday 09 Jul 2015 11:00:00 EDT, urgency=medium
6 * Fix Tunnel-Password crash from home server.
7 Found by Denis Andzakovic.
8 * Fix timer issue when proxying.
9 * Update EAP-TTLS for TLSv1.2
10 * Always delete MS-MPPE-* from the TTLS inner tunnel.
11 This allows TTLS / EAP-MSCHAPv2 to work.
12 * Don't fall through in empty "case" statements.
15 FreeRADIUS 2.2.8 Thursday 09 Jul 2015 11:00:00 EDT, urgency=medium
20 * Fixes for clients tied to virtual servers. If there is
21 no "listen" section there, clients use the main "listen"
23 * Remove compiler warnings
24 * Print out correct filenames in debug mode
25 * Allow post-auth section to return "reject". This turns
26 the response into Access-Reject.
27 * Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl"
28 to eap.conf. Fixes oCert CVE-2015-4680.
30 FreeRADIUS 2.2.7 Wednesday 22 Apr 2015 14:00:00 EST, urgency=medium
32 * Allow "eap" to be listed in Post-Auth-Type Reject
33 so that it sends EAP-Fail and Message-Authenticator.
36 * Fix typo in code checking for blocked threads.
38 * Added more $(EXEEXT) to module utilities so that it
39 builds on Cygwin. Closes #875.
40 * Note that we don't need to generate ephemeral RSA keys.
41 * Port detail file fixes from v3.
42 * Use correct destination port for replies to DHCP relay.
43 * rlm_perl can store multiple tagged attributes of the
45 * Update EAP-TLS methods for TLSv1.2
46 * Fix load-balance sections. Closes #945
48 FreeRADIUS 2.2.6 Tuesday 18 Nov 2014 15:00:00 EST, urgency=medium
50 * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
54 * Fix redundant-load-balance blocks to try other modules in
55 the group if one fails.
56 * Fix potential read into uninitialised memory in rlm_pap
57 when normalising octet type attributes containing password
58 hashes. This is very unlikely to happen in the wild.
59 * Don't stop decoding DHCP options if we find a padding
61 * Define sig_t on systems which don't have it. Closes #765
62 * When clients are loaded from SQL, allow them to be tied
64 * Prevent race conditions between fork and wait for child.
65 Patch from James Rouzier.
66 * Allow UTF-8 characters in SQL.
67 * Back-port udpfromto fixes from v3
69 FreeRADIUS 2.2.5 Monday 28 Apr 2014 15:20:00 EDT, urgency=medium
71 * Update dictionary.terena.
72 * expose server version via %v. Patch from Alan Buxey.
73 * Forbid running with vulnerable versions of OpenSSL.
74 See "allow_vulnerable_openssl" in the "security"
75 subsection of "radiusd.conf"
76 * Catch underlying "heartbleed" problem, so that nothing bad
77 happens even when using a vulnerable version of OpenSSL.
81 * Minor changes to build on Sun.
82 * Print non-ASCII characters as octal in linelog. Closes #578
83 * close stdout in daemon mode.
84 * Fix zombie period calculation. Closes #579
86 FreeRADIUS 2.2.4 Wednesday 19 Mar 2014 13:20:00 EDT, urgency=medium
88 * A "panic_action" can be set to have the server dump a gdb
89 log on SEGV or other fatal error.
90 * allow radmin command "set module status <module> <code>"
91 which can be used to forcibly enable/disable modules.
94 * If the server fails to bind() after fork(), that is now
95 reported to the parent, which exits with an error.
96 * Session / delay times in MySQL are unsigned int.
97 * Use --tag=CC for libtool. Closes #497. Because libtool
98 is too stupid to notice that compiling means compilation.
99 * Fix bug when copying attributes for vendors > 32767
100 * Fix behaviour on FreeBSD where sending packets from an interface
101 bound to an IP address would fail when the server was built with
103 * Don't fail config check if were listening on an IP which is
104 also a home server. Some deployments have valid reasons
105 to loop packets back to another virtual server.
106 * Use correct port when DHCP relaying.
107 * Set source IP address for DHCP packets from DHCP-Server-IP-Address,
108 or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
109 determine the source IP.
111 FreeRADIUS 2.2.3 Wednesday 11 Dec 2013 15:00:00 EST, urgency=medium
113 * Added dictionary.efficientip, dictionary.alcatel-lucent-aaa
114 * Allow zero length DN strings in rlm_ldap.
115 * If Password-With-Header has no header, assume it is
119 * Make the server build when DHCP is enabled
120 * Don't crash if there's no Post-Proxy-Type Reject.
121 * Use correct fields for X509 attributes in certificates
122 * Install threads.h making it possible to link against the
123 installed headers again.
124 * Initialize SSL once in "main", instead of rlm_eap_tls.
125 Some client libraries may need SSL.
127 FreeRADIUS 2.2.2 Wednesday 30 Oct 2013 9:30:00 DST, urgency=medium
129 * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
130 So that run-away child processes are caught earlier.
131 * Print out thread number for "unresponsive child".
134 * Fix erroneous fall-through in "case" statements
135 * Fix priority handling in new module handling code
136 * Fix threading issue with Perl. Closes #436
137 * Fix EAP-TLS check_cert_issuer when X509v2 extensions
138 existed. Patch from David Wood.
139 * Fix pointer references in rlm_python.
140 * Fix "unresponsive child" issue when proxying.
141 * Set log output correctly when using -l.
142 Fix ported from 3.0.0.
143 * Buffer debug output when threaded, so that text from
144 different threads isn't interspersed.
145 * Fix SEGV in rlm_perl when using dynamic expansions.
146 * Fix build for OSX Mavericks, which hid the header files
148 * Port DHCP fixes from 3.0.
150 FreeRADIUS 2.2.1 Tuesday 17 Sep 2013 12:00:00 CEST, urgency=medium
152 * Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru,
153 telkom, trapeze, proxim, zeus, rfc6677, 6911, and rfc6930.
154 * Added %{randstr:..} support. Creates random strings in a
156 * Added operator support to rlm_python
157 * Added %{hex:...} for hex version of raw attribute data
158 * Added %{sha1:...} for SHA1 hashing of data
159 * Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
160 and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
161 and %{base64tohex:...} to convert a base64 string to a hex string.
162 * rlm_expr is now responsible for registering many of the xlat
163 expansions. This is cleaner than bundling them all in the server
164 core. You should ensure 'expr' is listed in instantiate to ensure
165 correct operation of xlat expansions.
166 * Use correct terminology when printing errors regarding request/
167 response/message authenticators.
168 * Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
169 * radsqlrelay does multiple INSERTs in one transaction.
170 Patch from Uwe Meyer-Gruhl.
171 * Run Post-Proxy-Type Reject {} if the upstream server rejected the
173 * On startup, the server checks if it was linked with the correct
174 OpenSSL libraries. If not, it errors out. This prevents later
175 crashes in OpenSSL, due to library incompatibilities.
176 * Added radmin command "hup main.log", to re-open the log files,
177 without HUPing any other part of the server.
178 * Added support for EAP-Key-Name. See raddb/sites-available/default,
179 and look for comments mentioning EAP-Key-Name. MacSec now works.
180 * Added support for hex numbers (0x...) to %{expr: ...}
181 * Backported TLS client certificate validation from 3.0.0.
182 * Run Post-Auth for EAP inner-tunnel methods.
184 * Added "show config <path>" to radmin. You can now examine any
185 configuration item in a running server.
186 * Added TLS-Client-Cert-X509v3-Extended-Key-Usage for TLS-based EAP
187 methods. It is set automatically from the fields in the certificate.
188 * Add CRLCP attribute in certificate creation script. Windows phones
189 require it. Patch from Alan Buxey.
192 * Skip OCSP if there's no host / port / url, with soft_fail
193 * Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
194 * Thread max_queue_size has better bounds checking.
195 * Use correct variable for warning message if the user misconfigures
197 * radtest is more generous about parsing ppphint
198 * radeapclient now accepts -4 and -6, just like radclient.
199 Patch from John Dennis.
200 * Ignore ".rpmnew" and a bunch of other files when loading config
201 files from a directory.
202 * Wait for child threads before exiting. This prevents errors on
203 exit, but may increase exit time if databases are blocked!
204 Patch from Iliya Peregoudov.
205 * Wrap rbtree calls in mutexes in rlm_cache to prevent memory
206 corruption. Patch from Phil Mayers.
207 * Port fix for %{3GPP-*} expansion from master branch.
208 * Fix sample certificate scripts when multiple client certs are
210 * Track return code priorities across if/else/elsif in unlang.
212 * In debug mode, print out DHCP options when sending a DHCP packet.
213 * Fixes to the redis modules from Brian Candler
214 * Print better debug message for LDAP "operations error"
215 * Fix a number of minor issues as found by Coverity
216 * Frees module config in order to prevent occasional crash on exit
217 * Update DHCP debugging messages to make it clearer what's
219 * Print multiple DHCP options the correct number of times in
221 * On debug builds, don't dlclose() modules when '-m' is used.
222 This allows valgrind to show module symbols.
223 * Don't count Status-Server packets in Access-Request statistics
224 * Minor cleanups to debug output
225 * Be more careful handling module configurations to avoid crash
226 on otherwise clean exit.
227 * For raddebug, correctly set the group of the output file.
228 * renamed dhclient to dhcpclient. People who install it
229 shouldn't have their systems broken.
230 * for EAP-TLS methods, random_file is no longer required.
231 OpenSSL already reads /dev/urandom.
232 * Fix Suse and Redhat scripts. Patches from Fajar Nugraha.
233 * Minor bug fix for base64 decoding.
234 * Allow two consecutive WiMAX TLVs of the same number.
235 * Remove requirement that User-Name has to match MS-CHAP-User-Name.
236 I18n issues means that the character sets could be different.
237 * Don't use ephemeral thread states from PyGILState_Ensure(), use
238 our own, generated one per thread and stored in TLS.
239 * Port module processing fixes from v3. The code is simpler,
240 and one or two esoteric bugs are now gone.
241 * update code handling max_requests_per_server. It should now
243 * wrap ASCTIME_R for systems not supporting the standard API.
245 FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
247 * 100% configuration file compatible with 2.1.x.
248 The only fix needed is to disallow "hashsize=0" for rlm_passwd
249 * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
250 Redback, and Mikrotik dictionaries
251 * Switch to using SHA1 for certificate digests instead of MD5.
252 See raddb/certs/*.cnf
253 * Added copyright statements to the dictionaries, so that we know
254 when people are using them.
255 * Better documentation for radrelay and detail file writer.
256 See raddb/modules/radrelay and raddb/radrelay.conf
257 * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
258 * Added -F <file> to radwho
259 * Added query timeouts to MySQL driver. Patch from Brian De Wolf.
260 * Add /etc/default/freeradius to debian package.
261 Patch from Matthew Newton
262 * Finalize DHCP and DHCP relay code. It should now work everywhere.
263 See raddb/sites-available/dhcp, src_ipaddr and src_interface.
264 * DHCP capabilitiies are now compiled in by default.
265 It runs as a DHCP server ONLY when manually enabled.
266 * Added one letter expansions: %G - request minute and %I request
268 * Added script to convert ISC DHCP lease files to SQL pools.
269 See scripts/isc2ippool.pl
270 * Added rlm_cache to cache arbitrary attributes.
271 * Added max_use to rlm_ldap to force connection to be re-established
272 after a given number of queries.
273 * Added configtest option to Debian init scripts, and automatic
274 config test on restart.
275 * Added cache config item to rlm_krb5. When set to "no" ticket
276 caching is disabled which may increase performance.
279 * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
280 and 802.1X should upgrade immediately.
281 * Fix typo in detail file writer, to skip writing if the packet
282 was read from this detail file.
283 * Free cached replies when closing resumed SSL sessions.
284 * Fix a number of issues found by Coverity.
285 * Fix memory leak and race condition in the EAP-TLS session cache.
286 Thanks to Phil Mayers for tracking down OpenSSL APIs.
287 * Restrict ATTRIBUTE names to character sets that make sense.
288 * Fix EAP-TLS session Id length so that OpenSSL doesn't get
290 * Fix SQL IPPool logic for non-timer attributes. Closes bug #181
291 * Change some informational messages to DEBUG rather than error.
292 * Portability fixes for FreeBSD. Closes bug #177
293 * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
295 * Safely handle extremely long lines in conf file variable expansion
296 * Fix for Debian bug #606450
297 * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
298 * The passwd module no longer permits "hashsize = 0". Setting that
299 is pointless for a host of reasons. It will also break the server.
300 * Fix proxied inner-tunnel packets sometimes having zero authentication
301 vector. Found by Brian Julin.
302 * Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
303 * Fix minor build issue which would cause rlm_eap to be built twice.
304 * When using "status_check=request" for a home server, the username
305 and password must be specified, or the server will not start.
306 * EAP-SIM now calculates keys from the SIM identity, not from the
307 EAP-Identity. Changing the EAP type via NAK may result in
308 identities changing. Bug reported by Microsoft EAP team.
309 * Use home server src_ipaddr when sending Status-Server packets
310 * Decrypt encrypted ERX attributes in CoA packets.
311 * Fix registration of internal xlat's so %{mschap:...} doesn't
312 disappear after a HUP.
313 * Can now reference tagged attributes in expansions.
314 e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
315 * Correct calculation of Message-Authenticator for CoA and Disconnect
316 replies. Patch from Jouni Malinen
317 * Install rad_counter, for managing rlm_counter files.
318 * Add unique index constraint to all SQL flavours so that alternate
319 queries work correctly.
320 * The TTLS diameter decoder is now more lenient. It ignores
321 unknown attributes, instead of rejecting the TTLS session.
322 * Use "globfree" in detail file reader. Prevents very slow leak.
324 * Operator =~ shouldn't copy the attribute, like :=. It should
325 instead behave more like ==.
326 * Build main Debian package without SQL dependencies
327 * Use max_queue_size in threading code
328 * Update permissions in raddb/sql/postgresql/admin.sql
329 * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
330 wouldn't use methods it knew about.
331 * Add more sanity checks in dynamic_clients code so the server won't
332 crash if it attempts to load a badly formated client definition.
projects / freeradius.git / blob