Feature Improvements
* Updated LDAP documentation.
* Added note on DH parameters in eap.conf, and debugging messages which complain if DH is used, but not configured properly.
* Updated the Mikrotik dictionary. Added a note that the sample dictionary they supply is broken.
* Output more information on blocked threads, which should help narrow down which modules is causing the problem.
* Added more eDirectory support.
* rlm_ldap now prints out attributes in the standard format
* Enabled server-side handling of procedures in MySQL
Bug Fixes
* Added NT-Hash support for mschap_xlat.
* Corrected documentation to point to correct location of files.
* Checks for more recent FreeBSD versions.
* uses -DLDAP_DEPRECATED to avoid OpenLDAP crashes.
* Use correct value for authentication name in rlm_mschap.
* Fix over-ride for usernames when use_tunneled_reply = yes.
Feature Improvements
* Added more dictionaries
Bug Fixes
* Corrected typo in rlm_pap.c (closes#440)
* Corrected typo in src/main/auth.c (closes#437)
* Suppress SSL error messages if error is zero. (closes#436)
* Don't complain about "Error in read client certificate A" if we expect to
read it in the next packet. Fix based on patch by Dan Lukes.
* Corrected nearly 30 bugs found by Coverity See also http://scan.coverity.com
* Don't die on HUP. Instead leak memory (sorry). After a few hundred HUP's, the
server will have leaked a few megabytes of memory, and you should probably
re-start it. It's ugly, but better than dying. (Closes#426)
* Corrected a few double free's
* Corrected typo in radrelay, which prevented it from working
* Made Firebird module build
* Fixed bug in PostgreSQL module that caused server crash.
* Fixed bug in SQL module that could cause server to crash.
2006.03.05 Version 1.1.5 has been released.
The focus of this release is stability.
Feature Improvements
* Added more dictionaries
* Dictionary files now MUST NOT be globally writable.
* Configuration files now MUST NOT be globally writable.
* Be more aggressive about freeing memory on clean exit.
* Updated rlm_python.
* Added another experimental SQL IP Pool module
Bug Fixes
* Corrected base64 decoding in rlm_pap
* Don't retransmit accounting packets. The NAS should do this.
* Handle Client-Error in EAP-SIM. (Closes#419)
* Port OpenSSL locking fixes from CVS head. This makes PEAP more stable on i
some systems.
* Require Message-Authenticator in Status-Server packets.
* Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868.
* Increase buffer size for dynamic expansion, which allows longer SQL queries.
(Closes#405)
* Use correct line number when there's a parse error in one of the
configuration sections. (Closes#421)
* Terminate SSL sessions in EAP on error, rather than continuing in some cases.
* Increase buffer size to allow parsing of long octet strings,
* Fix string termination on xlat in rlm_perl.
* Major enhancements to rlm_pap, that make "encryption_scheme"
a think of the past. See "man rlm_pap" for details.
* Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
work-arounds that enable Windows Vista clients to work.
* Added preliminary code to support Firebird.
Use at your own risk!
* Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
platforms.
* Add a new "reply-name" directive in rlm_sqlcounter to define the
name of the reply attribute.
* Added more dictionaries and attributes
* Print ntlm_auth failure reason in Module-Failure-Message
* radsqlrelay is able to get the DB password from a file instead
of command line.
Bug fixes
* Fix a parse error in the digest module, where malformed
digest requests would result in the user being accepted. Oops...
* VALUEs can only be defined for 'integer', to catch mistakes
with setting VALUEs for type 'string'.
* Better parsing of VALUE names, so that values starting with
a digit work correctly.
* Check return from malloc
* Fix a double free() in rlm_eap_tls.c
* Check return code of malloc() during initialization.
* Fix a corner case where the proxy port isn't set either in
radiusd.conf or in proxy.conf.
This version has been released to fix build issues in 1.1.2. The build
tools (autoconf, libtool, libltld) have been upgraded to a recent version,
and the server now builds "out of the box" on more platforms. Other fixes
include:
* More dictionary updates
* Oracle support for radsqlrelay
* Security and portability fixes to rlm_otp
* Experimental module to store IP's in an SQL table.
* Miscellaneous bug fixes
* Updated dictionaries (as always),
* Extended Ascend "abinary" support for Juniper,
* Configurable "cipher_list" for EAP methods that use TLS,
* Additional checks on cert issuer validation for EAP methods that use TLS,
* SQL IODBC bug fixes,
* Updates to the LDAP module,
* Better catching of errors in the config files,
* Miscellaneous other fixes
In addition to this add an extra option to options.mk which is
"freeradius-simul-use". This will enable Simultaneous-Use and is
enabled by default. If you disable it freeradius can be built without
depending on the net-snmp package. Original idea from John Nemeth.
for libtool archives, remove the .a and .so entries. Bump revision.
Add DragonFly detection for shared libraries. Always try to find -lssl
with -lcrypto, unbreaking the test at least on DragonFly, but should
not harm elsewhere.
Use our libtool
Update to 1.1.1
Fixes security issue (DoS):
http://secunia.com/advisories/19300/
> Security fixes
> * Additional state checking in the EAP-MSCHAPv2 module.
> Bug found by Steffen Schuster.
>
> Feature improvements
> * More dictionary updates
> * Additional tests and fixes for Digest module from Phillipe Sultan.
> * Add new "phone" response mode to rlm_otp/cryptocard.
> * Put the eap sessions into a tree, so that looking them up is very
> fast, and no longer O(n) in the number of sessions.
> * Install the schema examples for a set of backends with the rest
> of the documentation.
> * Add support for xlat expansion of attributes from LDAP.
>
> Bug fixes
> * Fix rlm_perl crash. (closes: #348)
> * Fix handling of CoA-Request packets (close#344). Also correct
> name of CoA packets.
> * Fix an error on x86_64 machines when reading dictionaries.
> (closes: #312)
> * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
> module. (closes: #314#328)
> * Workaround Cisco bug in State attribute handling in rlm_otp.
> * Support LP64 for async mode in rlm_otp.
> * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
> modules. (closes: #75)
> * Make "use_tunneled_reply" work properly for PEAP.
> * Copy the whole string when getting a one-to-one-mapped attribute
> from LDAP (closes: #261)
> * Fix net-snmp's ucd-snmp compatibility mode.
> FreeRADIUS 1.1.0 ; $Date: 2006/01/04 05:55:19 $, urgency=low
> Feature improvements
> * rlm_ldap has "set_auth_type" configuration option, which should
> address some configuration problems when using it.
> * Fix MIT Kerberos bug
> * Modules can be load balanced, both in isolation and redundantly.
> See doc/load-balance.txt for more information.
> * rlm_perl is now marked "stable"
> * N-tier certificate patch from Mohammed Petiwala.
> * Copied dictionaries from the CVS head (many, many, more vendors)
> * Enabled support for weird VSA formats, like Lucent and Starent.
> * Support encrypted IP address and integers, for Juniper clients.
> * Add PEAP machine authentication support in module "rlm_mschap".
> * Support User-Password field encryption in digest mode.
> * rlm_x99_token has become rlm_otp (with lots of changes).
> * Add rlm_sqlcounter to the list of stable modules.
> * Read MySQL specific options in sections [freeradius] and [client]
> from file "my.cnf".
> * Support the ${Cisco-AVPair[n]} syntax.
> * Execute modules in {Pre,Post}-Proxy-Type stanzas.
> * Add new options to radclient to run stress tests on the server.
> * New module "rlm_sql_log" to postpone the storage of accounting data
> in a SQL database. See rlm_sql_log(5) manpage.
> * New program "radsqlrelay" which sends the SQL logfile according to
> the SQL server's capabilities.
>
> Bug fixes
> * 306 (HUP when built with threads, but executed with -s)
> * 285 (more attributes in dictionary.cisco.vpn3000)
> * rlm_digest has a number of bug fixes to authentication types.
> * Don't leak memory in module "rlm_sql".
> * Update the dictionaries, so that VALUEs with the same name,
> but different numbers, aren't allowed.
> * Queue the request before looking for available threads.
> * Don't free the check items after we received the proxy reply.
> * Expand config variables in included files, too.
> * Check the return value of accounting modules and don't proxy
> invalid requests.
> * In rlm_passwd, don't close a file stream more than once.
> * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
> * Walk the whole string in when escaping strings in rlm_ldap.
> * Include crypt.h if it is available so we get a prototype for crypt(),
> spotted by Konstantin Kubatkin.
> * Removed (for almost all uses) length restrictions on vendor names
> and VALUE names.
> * Don't leak memory when proxying an Access-Challenge response.
> * Make the sleep time user-defined, so radrelay can send more than
> 7 requests/s.
> * Fix a memory leak in rlm_checkval.
> * radclient doesn't resend countless times packets with invalid
> signature.
> * Fix segfault and mem leak in rlm_pam.
> Security Fixes
> * SQL injection attack in the module "rlm_sqlcounter".
> * Buffer overflows in the module "rlm_sqlcounter".
> * Expansion of variable %t may write 26 bytes beyond the buffer
> bound. Primoz Bratanic is credited with the discovery of these
> three bugs.
>
> Bug fixes
> * Don't de-reference a NULL pointer if the auth-type is unknown
> in the function rad_check_password().
> * Escape more characters in the LDAP queries.
> Bug found by Suse engineers.
> * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
> it leaks memory.
> * Fix an off-by-one error in the module rlm_sql_unixodbc.
> Bug found by Suse engineers.
> * In rlm_sql, resize the buffer for the value of SQL-User-Name.
> * Initialize memory for a new SQL socket in the module rlm_sql.
> * Don't add too many attributes after running an external program.
> Bug found by Suse engineers.
> * Fix an off-by-one error in the function getthing().
> * snprintf() and vsnprintf() replacements were not compiled if
> the autoconf tests didn't find the functions.
> * Don't use vsprintf() anymore, but the replacement for vsnprintf()
> in libradius instead.
> * The function decode_attribute() may write beyond buffer bounds.
> Bug found by Suse engineers.
> * Fix a memset() in the function request_enqueue() which was
> begining at the wrong address. Bug found by Matthias Ruttman.
> * Fix an off-by-one error in the function xlat_copy().
> Bug found by Primoz Bratanic.
> * Fix other off-by-one errors in module "rlm_unix", too.
> Bug found by Allan Bazinet.
> * Fix a 2-byte over-run read in function rad_decode().
> * Update thread pool queue properly.
> * Autonconf tests try first any user-specified directory,
> otherwise they may pick up the wrong version.
> * Delete the autoconf tests for the libldap dependancies.
> * Install all the regular files under the "doc" directory.
> * Distinguish between exit code <0 (failure) and >0 (reject)
> in Exec-Program-Wait. Patch from Thor Spruyt.
> * Make Expiration work.
> * Clean up the code for opening a proxy socket.
> * When finding a realm to proxy to, if all are dead, wake them
> if wake_all_if_all_dead is true.
> * In radwho, print the NAS-Port as unsigned int.
> * Use extended regex instead of basic regex in rlm_attr_filter.
> * Catch the case where someone deletes a directory that rlm_detail
> is using.
> * Use the variable $(LDFLAGS) when linking a module.
> * Ignore the Stripped-User-Name when a realm has the "nostrip"
> directive.
> * Add support for NT-Password in rlm_pap.
> * In rlm_sqlcounter, use the time left to the next reset if it's
> inferior to the time left in the counter.
> * Calculate Message-Authenticator correctly for Accounting-Request
> and Accounting-Response. Bug found by Paolo Rotela.
> * Build on MAC OS X. Still need --disable-shared, though.
> * Fix bug #255 (crash with expired CRL's, etc.)
> * Fix quote removal of the values from a SQL database.
> * Reap the zombie process after a command run from "Exec-Program".
> * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
> * Don't copy VSA's to an Access-Reject packet.
- The security issues mentioned in this update were incorporated
into patch-ak previously and a security advisory was already
made in regards to this.
> FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
>
> * Fix installation problem.
> * Increase a buffer size, so radrelay doesn't truncate values.
> * Updates in the documentation. Patches from Thor Spruyt.
>
> FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
> Security Fixes
> * Always escape the strings in the SQL module.
> * Check buffer bound when input character needs escaping in
> the SQL module. Bug found by Primoz Bratanic.
>
> Bug fixes
> * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
> * Don't send Proxy-State from home server in TTLS.
> * Fixes for forking external programs, so the server doesn't
> suddenly stop processing requests, or stop forking programs.
> * radzap now works, but it's command-line options have changed
> completely, and it's a shell script.
> * radwho has updated command-line options, and no longer reads
> Unix "utmp" files.
> * Fix bug in calling checkrad script with NAS port > 9999999
> * Fix long-standing bug when both crypt and pthreads are in use
> * Don't SEGV when rlm_sql gets 'NULL' value from request.
> * Re-arrange code in radrelay to not duplicate accounting packets.
> * In rlm_attr_rewrite, change the value when the attribute type
> is different from string.
- Fix for PR #29437 opened by luiszuccolo(at)ciudad.com.ar, thanks for the PR !
> FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium
> * Novell eDirectoty support. Patch from Novell.
> * localweb & Trapeze dictionary updates.
> * EAP-SIM fixes.
> * Make "Strip-User-Name = No" work.
> * Don't declare zero-length arrays in rlm_passwd
> * Bug fix to make udpfromto code work
> * radrelay shouldn't dump core if it can't read a VP from the
> detail file.
> * Only initialize the random pool once.
> * In rlm_sql, don't escape characters twice.
> * Fix MD4 calculation on big-endian machines.
> * In rlm_ldap, only claim Auth-Type if a plain text password is present.
> * Treat Quintium VSAs like Cisco VSAs
> * Locking fixes in threading code
> * rlm_krb5 includes /usr/include/et for Fedora Core
> * Fix post-auth REJECT stanza processing for rejections from external
> processes or home RADIUS servers
> * Fix building on gcc-4.0 by not trying to access static auth_port from
> other files.
> * Fix building SNMP support on Solaris 9, which needs -lkstat
- Add a fix for crashes when processing EAP-PEAP requests
PR 28095 Konstantin.Kabassanov (at) lip6.fr
- Fix pthreads enabled builds on NetBSD systems < 2.0
- Replace patch-ai, patch-aj and patch-ak with SUBST_* (suggested by juan@)
- Move to options.mk framework to support SNMP, OpenLDAP, PostgreSQL and
mySQL modules
- Add patches/patch-aj and patches/patch-ak for OpenLDAP and PostgreSQL builds
- Add extra PLIST's for OpenLDAP, PostgreSQL and mySQL modules
- Fix builds on 1.6 and 2.0_BETA
- ok'ed wiz@
- Addresses PR 26987 opened by Rui Paulo, thanks.
- Fix startup script using the wrong options
- Lots of changes including
- Denial-of-Service Security Fix.
- Make IPv6 support work better.
- Many, many minor bug fixes and feature enhancements.
- EAP-module feature improvements.
- Install all configuration files under the examples directory.
- Copy configuration files to PKG_SYSCONFDIR using CONF_FILES.
- Honour PKG_SYSCONFDIR.
- Use OWN_DIRS to handle the /var/run/radiusd status directory.
- Use RCD_SCRIPTS to handle the rc.d script automatically.
As a result, bump PKGREVISION to 3.
that libtool-base puts down. Also, fix one place in the freeradius code
where a config.h should have been emitted but wasn't.
Also, for NetBSD < 1.6N disable threads as this requires threads and
the posix semaphore headers which pth/etc don't provide and didn't appear
until 1.6N
variables.
Added CONLICTS line to show conflict with radius-cistern. I will also add
a CONFLICTS line to radius-cistern although I will send a PR to have this
situation fixed so that both can coexist.
for putting this package together. Closes PR pkg/20013.
I had originally requested this package even though we already had the
Cistern RADIUS package because some terminal servers won't work with
one or the other of these packages. This increases the number of terminal
servers that can work with NetBSD.
from the DESCR file:
All code in this server was written from scratch.
The server is mostly compatible with livingston radiusd-2.01
(no menus or s/key support though) but with more feautures, such as:
o Can limit max. number of simultaneous logins on a per-user basis!
o Multiple DEFAULT entries, that can optionally fall-through.
o In fact, every entry can fall-through
o Deny/permit access based on huntgroup users dials into
o Set certain parameters (such as static IP address) based on huntgroup
o Extra "hints" file that can select SLIP/PPP/rlogin based on
username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
o Can execute an external program when user has authenticated (for example
to run a sendmail queue).
o Can use `$INCLUDE filename' in radiusd.conf, users, and dictionary files
o Can act as a proxy server, relaying requests to a remote server
o Supports Vendor-Specific attributes
o No good documentation at all, just like the original radiusd 1.16!
Then of course for general RADIUS questions, especially if you are using
Livingston / Lucent RABU equipment, there is the portmaster-radius mailing
list. Send mail to portmaster-radius-request@livingston.com to find
out how to subscribe.
