++
+ freeradius (3.0.12+git) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Alan DeKok <aland@freeradius.org> Mon, 25 Jan 2016 14:00:00 -0400
+
+ freeradius (3.0.11+git) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Alan DeKok <aland@freeradius.org> Mon, 05 Oct 2015 15:00:00 -0400
+
+ freeradius (3.0.10+git) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Alan DeKok <aland@freeradius.org> Wed, 08 Jul 2015 14:00:00 -0400
+
+ freeradius (3.0.9+git) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Alan DeKok <aland@freeradius.org> Wed, 22 Apr 2015 13:30:00 -0400
+
+ freeradius (3.0.8+git) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Alan DeKok <aland@freeradius.org> Thu, 19 Feb 2015 12:00:00 -0400
+
+freeradius (3.0.7+moonshot2-2) unstable; urgency=medium
+
+ * New moonshot release
+ * Include patch for trust router to compile
+ * Include memory leak fix
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 02 Mar 2015 16:16:34 -0500
+
freeradius (3.0.7+git) unstable; urgency=medium
* New upstream version.
libcap-dev,
libgdbm-dev,
libiodbc2-dev,
- libjson-c2 | libjson0,
- libjson-c-dev | libjson0-dev,
- libkrb5-dev,
- moonshot-trust-router-dev (>= 1.3),
+ libjson0 | libjson-c2,
+ libjson0-dev | libjson-c-dev,
+ libkrb5-dev | heimdal-dev,
++# moonshot-trust-router-dev (>= 1.3),
+ openssl,
+ libperl-dev,
libldap2-dev,
libpam0g-dev,
libpcap-dev,
Package: freeradius
Architecture: any
-Depends: lsb-base (>= 3.1-23.2), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends}, freeradius-common, freeradius-config, libfreeradius3 (= ${binary:Version}), ssl-cert, adduser
+Depends: lsb-base (>= 3.1-23.2), ${shlibs:Depends}, ${misc:Depends}, ${dist:Depends}, freeradius-common (>= 3.0.4), freeradius-config, libfreeradius3 (= ${binary:Version}), ssl-cert, adduser
Provides: radius-server
Recommends: freeradius-utils
- Suggests: freeradius-ldap, freeradius-postgresql, freeradius-mysql, freeradius-krb5
- Breaks: freeradius (<< 3)
- Description: a high-performance and highly configurable RADIUS server
+ Suggests: freeradius-ldap, freeradius-postgresql, freeradius-mysql, freeradius-krb5, snmp
+ Description: high-performance and highly configurable RADIUS server
FreeRADIUS is a high-performance RADIUS server with support for:
- - Many vendor-specific attributes.
+ - Authentication by local files, SQL, Kerberos, LDAP, PAM, and more.
+ - Powerful policy configuration language.
- Proxying and replicating requests by any criteria.
- - Authentication on system passwd, SQL, Kerberos, LDAP, users file, or PAM.
- - Multiple DEFAULT configurations.
+ - Support for many EAP types; TLS, PEAP, TTLS, etc.
+ - Many vendor-specific attributes.
- Regexp matching in string attributes.
and lots more.
-daily
-rotate 52
-missingok
-compress
-delaycompress
-notifempty
+ # You can use this to rotate the /var/log/freeradius/* files, simply copy
+ # it to /etc/logrotate.d/radiusd
+
+ #
+ # Global options for all logfiles
+ #
-/var/log/freeradius/radius.log {
- copytruncate
-}
++#daily
++#rotate 52
++#missingok
++#compress
++#delaycompress
++#notifempty
++
+/var/log/freeradius/*.log {
+ weekly
+ rotate 52
+ compress
+ delaycompress
+ notifempty
+ missingok
+ postrotate
+ service freeradius reload > /dev/null
+ endscript
++
+}
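Review bot: The new `postrotate` line `service freeradius reload > /dev/null` only discards stdout, so when the service is stopped (or the init script prints to stderr) logrotate will report the rotation as failed and mail/log the error every week; the usual Debian form is `service freeradius reload > /dev/null 2>&1 || true`. Separately, the old `copytruncate` stanza for radius.log is dropped in favour of the rename-plus-reload model, which is correct only if the daemon reopens its log on reload — that looks intended here but is not visible in this diff. The radutmp/radwtmp, sqllog.sql and `radacct/*/detail` stanzas are now commented out, so those files are no longer touched by logrotate at all; if that is deliberate (the detail-file comment suggests it is), a one-line note saying so above the `*.log` stanza would save the next maintainer from re-adding them.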
+
+ #
+ # The main server log
+ #
-/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log {
- nocreate
-}
++#/var/log/freeradius/radius.log {
++# copytruncate
++#}
+
+ #
+ # Session monitoring utilities
+ #
-/var/log/freeradius/radutmp /var/log/freeradius/radwtmp {
- nocreate
-}
++#/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log {
++# nocreate
++#}
+
+ #
+ # Session database modules
+ #
-/var/log/freeradius/sqllog.sql {
- nocreate
-}
++#/var/log/freeradius/radutmp /var/log/freeradius/radwtmp {
++# nocreate
++#}
+
+ #
+ # SQL log files
+ #
-/var/log/freeradius/radacct/*/detail {
- nocreate
-}
++#/var/log/freeradius/sqllog.sql {
++# nocreate
++#}
+
+ # There are different detail-rotating strategies you can use. One is
+ # to write to a single detail file per IP and use the rotate config
+ # below. Another is to write to a daily detail file per IP with:
+ # detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+ # (or similar) in radiusd.conf, without rotation. If you go with the
+ # second technique, you will need another cron job that removes old
+ # detail files. You do not need to comment out the below for method #2.
++#/var/log/freeradius/radacct/*/detail {
++# nocreate
++#}
int tls_global_version_check(char const *acknowledged)
{
uint64_t v;
+ bool bad = false;
+ size_t i;
- return 0;
- if ((strcmp(acknowledged, libssl_defects[0].id) != 0) && (strcmp(acknowledged, "yes") != 0)) {
- bool bad = false;
- size_t i;
++ return 0; /* Painless Security customization */
++
+ if (strcmp(acknowledged, "yes") == 0) return 0;
+
+ /* Check for bad versions */
+ v = (uint64_t) SSLeay();
- /* Check for bad versions */
- v = (uint64_t) SSLeay();
+ for (i = 0; i < (sizeof(libssl_defects) / sizeof(*libssl_defects)); i++) {
+ libssl_defect_t *defect = &libssl_defects[i];
- for (i = 0; i < (sizeof(libssl_defects) / sizeof(*libssl_defects)); i++) {
- libssl_defect_t *defect = &libssl_defects[i];
+ if ((v >= defect->low) && (v <= defect->high)) {
+ /*
+ * If the CVE is acknowledged, allow it.
+ */
+ if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;
+
+ ERROR("Refusing to start with libssl version %s (in range %s)",
+ ssl_version(), ssl_version_range(defect->low, defect->high));
+ ERROR("Security advisory %s (%s)", defect->id, defect->name);
+ ERROR("%s", defect->comment);
- if ((v >= defect->low) && (v <= defect->high)) {
- ERROR("Refusing to start with libssl version %s (in range %s)",
- ssl_version(), ssl_version_range(defect->low, defect->high));
- ERROR("Security advisory %s (%s)", defect->id, defect->name);
- ERROR("%s", defect->comment);
+ /*
+ * Only warn about the first one...
+ */
+ if (!bad) {
+ INFO("Once you have verified libssl has been correctly patched, "
+ "set security.allow_vulnerable_openssl = '%s'", defect->id);
bad = true;
}
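Review bot: The added `return 0; /* Painless Security customization */` at the top of tls_global_version_check short-circuits the function before `SSLeay()` is read, so every entry in `libssl_defects` (the known-vulnerable OpenSSL ranges the ERROR messages below describe) is now ignored and the server starts even when `security.allow_vulnerable_openssl` is unset; the whole loop that follows is dead code and will draw unreachable-code warnings. The upstream mechanism for a distro-patched libssl is already in the hunk — setting `allow_vulnerable_openssl = '<defect id>'` (or `'yes'`) skips only the acknowledged entry — so the blanket bypass is unnecessary for that case. If the bypass has to stay, gate it so it is an explicit build decision rather than silently compiled in, e.g. `#ifdef PAINLESS_SKIP_LIBSSL_CHECK` / `return 0;` / `#endif`, with a comment naming the reason. The rest of tls_global_version_check continues outside this hunk.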
*/
int ssl_check_consistency(void)
{
+ long ssl_linked;
++
++ return 0; /* Painless Security customization */
+
+ ssl_linked = SSLeay();
+
+ /*
+ * Status mismatch always triggers error.
+ */
+ if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
+ mismatch:
+ ERROR("libssl version mismatch. built: %lx linked: %lx",
+ (unsigned long) ssl_built,
+ (unsigned long) ssl_linked);
+
+ return -1;
+ }
+
+ /*
+ * Use the OpenSSH approach and relax fix checks after version
+ * 1.0.0 and only allow moving backwards within a patch
+ * series.
+ */
+ if (ssl_built & 0xf0000000) {
+ if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
+ (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
+ /*
+ * Before 1.0.0 we require the same major minor and fix version
+ * and ignore the patch number.
+ */
+ } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
+
return 0;
}
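Review bot: The `return 0; /* Painless Security customization */` inserted before `ssl_linked = SSLeay();` disables the built-versus-linked libssl consistency check entirely, which is the guard against running code compiled against one OpenSSL header set with a different runtime library (the major/minor/status comparisons below are what catch an incompatible ABI); it also leaves `ssl_linked` declared but never used. If the motivation is a Debian build where the linked library is a newer patch level than the build headers, the existing `0xfffff000`/`0x00000ff0` comparison already allows that, so the bypass should not be needed. If it must remain, prefer `#ifdef PAINLESS_SKIP_LIBSSL_CHECK return 0; #endif` with a comment stating why, so the check is disabled deliberately and visibly rather than by an unconditional early return. `ssl_built` is referenced here but defined outside the hunk.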