++freeradius (3.0.15+moonshot1-0) unstable; urgency=medium
++
++ * Merged from upstream release_3.0.15
++
++ -- Painless Security <build@painless-security.com> Mon, 17 Jul 2017 18:54:00 -0500
++
+ freeradius (3.0.15+git) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Alan DeKok <aland@freeradius.org> Mon, 29 May 2017 12:00:00 -0400
+
+freeradius (3.0.14+moonshot4-1) unstable; urgency=medium
+
+ * Merged from release_3.0.14
+
+ -- Painless Security <build@painless-security.com> Mon, 05 Jun 2017 19:03:00 -0400
+
freeradius (3.0.14+git) unstable; urgency=medium
* New upstream version.
-- Alan DeKok <aland@freeradius.org> Tue, 07 Mar 2017 12:00:00 -0400
+freeradius (3.0.13+moonshot3-6) unstable; urgency=medium
+
+ * Disabled session caching in EAP in response to CVE-2017-9148.
+
+ -- Painless Security <build@painless-security.com> Fri, 02 Jun 2017 15:29:00 -0400
+
+freeradius (3.0.13+moonshot3-5) unstable; urgency=medium
+
+ * Fixed deleted links when upgrading to 3.0.13 on debian/ubuntu
+
+ -- Painless Security <build@painless-security.com> Wed, 10 May 2017 21:26:00 -0400
+
+freeradius (3.0.13+moonshot3-4) unstable; urgency=medium
+
+ * Bumped version number
+
+ -- Painless Security <build@painless-security.com> Tue, 09 May 2017 15:00:00 -0400
+
+freeradius (3.0.13+moonshot3-3) unstable; urgency=medium
+
+ * Removed some leftover cruft from debian/freeradius-postgresql.postinst
+
+ -- Painless Security <build@painless-security.com> Mon, 08 May 2017 21:44:00 -0400
+
+freeradius (3.0.13+moonshot3-2) unstable; urgency=medium
+
+ * Standard freeradius 3.0.13 + Painless Security signing key.
+
+ -- Painless Security <build@painless-security.com> Fri, 05 May 2017 18:24:00 -0400
+
freeradius (3.0.13+git) unstable; urgency=medium
* New upstream version.
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
- Version: 3.0.14
+ Version: 3.0.15
Release: 2%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
+ %if %{?_unitdir:1}%{!?_unitdir:0}
+ Source100: radiusd.service
+ %else
Source100: freeradius-radiusd-init
+ %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}}
+ %endif
+
Source102: freeradius-logrotate
Source103: freeradius-pam-conf
- Source104: radiusd.service
Obsoletes: freeradius-devel
Obsoletes: freeradius-libs
BuildRequires: gdbm-devel
BuildRequires: libtool
BuildRequires: libtool-ltdl-devel
- BuildRequires: openssl-devel
+ BuildRequires: openssl, openssl-devel
BuildRequires: pam-devel
BuildRequires: zlib-devel
BuildRequires: net-snmp-devel
# For systemd based systems, that define _unitdir, install the radiusd unit
%if %{?_unitdir:1}%{!?_unitdir:0}
- install -D -m 755 %{SOURCE104} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service
+ install -D -m 755 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service
# For SystemV install the init script
%else
- install -D -m 755 %{SOURCE100} $RPM_BUILD_ROOT/%{initddir}/radiusd
+ install -D -m 755 redhat/freeradius-radiusd-init $RPM_BUILD_ROOT/%{initddir}/radiusd
%endif
- install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd
- install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd
+ install -D -m 644 redhat/freeradius-logrotate $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd
+ install -D -m 644 redhat/freeradius-pam-conf $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd
# remove unneeded stuff
rm -rf doc/00-OLD
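Review bot: The new `install -D -m 755 redhat/radiusd.service` line keeps the systemd unit file executable. Unit files are plain configuration and are normally installed 0644 (systemd logs a warning for executable units), so `install -D -m 644 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service` would be the safer mode. The four install lines also now read from `redhat/` in the build tree while the `Source100`/`Source102`/`Source103` declarations remain, so the packaged files are no longer the declared sources. A spec comment stating which copy is authoritative would help anyone auditing the package contents.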
%preun
if [ $1 = 0 ]; then
- /sbin/service radiusd stop > /dev/null 2>&1
+ %if %{?_unitdir:1}%{!?_unitdir:0}
+ /bin/systemctl disable radiusd
+ %else
/sbin/chkconfig --del radiusd
+ %endif
fi
-
%postun
if [ $1 -ge 1 ]; then
/sbin/service radiusd condrestart >/dev/null 2>&1 || :
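Review bot: With the `/sbin/service radiusd stop` line removed, neither branch of `%preun` stops the daemon on erase (`$1 = 0`). `systemctl disable` only removes the enablement links, so radiusd would keep running after its package is removed. The added `/bin/systemctl disable radiusd` also lacks the `>/dev/null 2>&1 || :` guard used on the `condrestart` line in `%postun`, so a failure could make the scriptlet exit non-zero. Suggest `/bin/systemctl stop radiusd >/dev/null 2>&1 || :` followed by `/bin/systemctl disable radiusd >/dev/null 2>&1 || :`, and keeping a stop in the SysV branch as well. The `%postun` body continues outside the hunk.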
return ssn;
}
-
/** Create a new TLS session
*
* Configures a new TLS session, configuring options, setting callbacks etc...
memset(&t, 0, sizeof(t));
- if ((end - p) <= 12) {
+ if ((end - p) <= 13) {
if ((end - p) < 2) {
fr_strerror_printf("ASN1 date string too short, expected 2 additional bytes, got %zu bytes",
end - p);
t.tm_year -= 1900;
}
- if ((end - p) < 10) {
+ if ((end - p) < 4) {
fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes",
end - p);
return -1;
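Review bot: The length check was lowered to `(end - p) < 4`, but the message under it still says "expected 10 additional bytes", so the logged error no longer matches the condition that produced it. It should read `fr_strerror_printf("ASN1 string too short, expected 4 additional bytes, got %zu bytes",`. If `p` and `end` are pointers, as the arithmetic suggests, `end - p` is a `ptrdiff_t` and `%td` is the matching conversion rather than `%zu`; the same applies to the earlier "expected 2 additional bytes" call. The enclosing function starts outside the hunk.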
t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1.
t.tm_mday = (*(p++) - '0') * 10;
t.tm_mday += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
t.tm_hour = (*(p++) - '0') * 10;
t.tm_hour += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
t.tm_min = (*(p++) - '0') * 10;
t.tm_min += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
t.tm_sec = (*(p++) - '0') * 10;
t.tm_sec += (*(p++) - '0');
/* Apparently OpenSSL converts all timestamps to UTC? Maybe? */
+ done:
*out = timegm(&t);
return 0;
}
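Review bot: The new `if ((end - p) < 2) goto done;` guards bound the reads, but no byte pair is checked to be decimal digits before `*(p++) - '0'` is folded into `tm_mon`, `tm_mday`, `tm_hour`, `tm_min` and `tm_sec`. A value carrying a zone offset or any other non-digit text with at least two bytes left would therefore yield out-of-range `struct tm` fields, which `timegm()` normalises into a plausible-looking expiry instead of an error. Since the result decides whether a cached session is still accepted, a malformed string should be rejected: before each pair, `if (!isdigit((uint8_t) p[0]) || !isdigit((uint8_t) p[1])) {` with an `fr_strerror_printf()` and `return -1;`. A one-line comment at `done:` saying that omitted hour/minute/second fields default to zero from the `memset` would also help. The function begins outside the hunk.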
/* not safe to un-persist a session w/o VPs */
RWDEBUG("Failed loading persisted VPs for session %s", buffer);
SSL_SESSION_free(sess);
+ sess = NULL;
goto error;
}
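Review bot: Clearing `sess` by hand after `SSL_SESSION_free(sess)` here, and again in the two certificate-expiry branches below, suggests the `error:` label (outside the hunk) frees or returns `sess` itself. If so, every future `goto error` added after an inline free must remember the same extra line or it reintroduces a double free or a stale pointer. Dropping the inline `SSL_SESSION_free(sess)` calls and letting the label perform the single free would be less fragile. If the inline form is kept, a comment such as `/* error: releases sess; clear it to avoid a double free */` at the first site would record why the assignment is there.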
time_t expires;
if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) {
- RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer);
+ RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s - %s", buffer, fr_strerror());
SSL_SESSION_free(sess);
+ sess = NULL;
goto error;
}
if (expires <= request->timestamp) {
RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer);
SSL_SESSION_free(sess);
+ sess = NULL;
goto error;
}
char cn_str[1024];
char buf[64];
X509 *client_cert;
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
const STACK_OF(X509_EXTENSION) *ext_list;
#else
STACK_OF(X509_EXTENSION) *ext_list;
}
}
if (names != NULL)
- sk_GENERAL_NAME_free(names);
+ GENERAL_NAMES_free(names);
}
/*
SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
}
+ #ifndef LIBRESSL_VERSION_NUMBER
/* Load randomness */
if (conf->random_file) {
if (!(RAND_load_file(conf->random_file, 1024*10))) {
return NULL;
}
}
+ #endif
/*
* Set the cipher list if we were told to
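Review bot: Under LibreSSL the new `#ifndef LIBRESSL_VERSION_NUMBER` guard compiles the whole `random_file` block away, so an operator who sets `random_file` gets no indication that the setting is ignored. An `#else` branch such as `if (conf->random_file) WARN(LOG_PREFIX ": random_file is ignored when built with LibreSSL");` would make that visible. Separately, the retained `!(RAND_load_file(conf->random_file, 1024*10))` test only catches a zero return. If the linked OpenSSL reports failure as -1, as its documentation describes, the `return NULL` path is skipped, so this is worth confirming while the block is being touched.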
* Only check for certificate things if we don't have a
* PSK query.
*/
+ #ifdef PSK_MAX_IDENTITY_LEN
if (conf->psk_identity) {
if (conf->private_key_file) {
WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used");
WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used");
}
- } else {
+ } else
+ #endif
+ {
if (!conf->private_key_file) {
ERROR(LOG_PREFIX ": TLS Server requires a private key file");
goto error;
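Review bot: Splitting `} else` / `#endif` / `{` across the preprocessor guard makes the certificate checks unconditional when `PSK_MAX_IDENTITY_LEN` is undefined, which is easy to miss when reading the code. In such a build a configured `psk_identity` is not examined here at all, so unless it is rejected elsewhere the option is silently not honoured. Suggest annotating the guard as `#endif /* PSK_MAX_IDENTITY_LEN */` and adding a comment before the bare `{` such as `/* without PSK support a certificate and private key are always required */`. The block opened by `{` continues outside the hunk.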
Name: freeradius-server
- Version: 3.0.14
+ Version: 3.0.15
Release: 0
License: GPLv2 ; LGPLv2.1
Group: Productivity/Networking/Radius/Servers