> Security Fixes
> * SQL injection attack in the module "rlm_sqlcounter".
> * Buffer overflows in the module "rlm_sqlcounter".
> * Expansion of variable %t may write 26 bytes beyond the buffer
> bound. Primoz Bratanic is credited with the discovery of these
> three bugs.
>
> Bug fixes
> * Don't de-reference a NULL pointer if the auth-type is unknown
> in the function rad_check_password().
> * Escape more characters in the LDAP queries.
> Bug found by Suse engineers.
> * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
> it leaks memory.
> * Fix an off-by-one error in the module rlm_sql_unixodbc.
> Bug found by Suse engineers.
> * In rlm_sql, resize the buffer for the value of SQL-User-Name.
> * Initialize memory for a new SQL socket in the module rlm_sql.
> * Don't add too many attributes after running an external program.
> Bug found by Suse engineers.
> * Fix an off-by-one error in the function getthing().
> * snprintf() and vsnprintf() replacements were not compiled if
> the autoconf tests didn't find the functions.
> * Don't use vsprintf() anymore, but the replacement for vsnprintf()
> in libradius instead.
> * The function decode_attribute() may write beyond buffer bounds.
> Bug found by Suse engineers.
> * Fix a memset() in the function request_enqueue() which was
> begining at the wrong address. Bug found by Matthias Ruttman.
> * Fix an off-by-one error in the function xlat_copy().
> Bug found by Primoz Bratanic.
> * Fix other off-by-one errors in module "rlm_unix", too.
> Bug found by Allan Bazinet.
> * Fix a 2-byte over-run read in function rad_decode().
> * Update thread pool queue properly.
> * Autonconf tests try first any user-specified directory,
> otherwise they may pick up the wrong version.
> * Delete the autoconf tests for the libldap dependancies.
> * Install all the regular files under the "doc" directory.
> * Distinguish between exit code <0 (failure) and >0 (reject)
> in Exec-Program-Wait. Patch from Thor Spruyt.
> * Make Expiration work.
> * Clean up the code for opening a proxy socket.
> * When finding a realm to proxy to, if all are dead, wake them
> if wake_all_if_all_dead is true.
> * In radwho, print the NAS-Port as unsigned int.
> * Use extended regex instead of basic regex in rlm_attr_filter.
> * Catch the case where someone deletes a directory that rlm_detail
> is using.
> * Use the variable $(LDFLAGS) when linking a module.
> * Ignore the Stripped-User-Name when a realm has the "nostrip"
> directive.
> * Add support for NT-Password in rlm_pap.
> * In rlm_sqlcounter, use the time left to the next reset if it's
> inferior to the time left in the counter.
> * Calculate Message-Authenticator correctly for Accounting-Request
> and Accounting-Response. Bug found by Paolo Rotela.
> * Build on MAC OS X. Still need --disable-shared, though.
> * Fix bug #255 (crash with expired CRL's, etc.)
> * Fix quote removal of the values from a SQL database.
> * Reap the zombie process after a command run from "Exec-Program".
> * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
> * Don't copy VSA's to an Access-Reject packet.
a builtin Berkeley DB 1.8x can now be used with option "bdb -gdbm"; no
dbm support at all can be selected with "-gdbm".)
- Specify --with/--without exactly once per option.
- Merge postgresql support to a single option (pgsql), and correspondingly
use pgsql.buildlink3.mk to pick the builder's desired implementation.
This aligns freeradius with the rest of pkgsrc, wrt pgsql support.
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
- The security issues mentioned in this update were incorporated
into patch-ak previously and a security advisory was already
made in regards to this.
> FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
>
> * Fix installation problem.
> * Increase a buffer size, so radrelay doesn't truncate values.
> * Updates in the documentation. Patches from Thor Spruyt.
>
> FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
> Security Fixes
> * Always escape the strings in the SQL module.
> * Check buffer bound when input character needs escaping in
> the SQL module. Bug found by Primoz Bratanic.
>
> Bug fixes
> * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
> * Don't send Proxy-State from home server in TTLS.
> * Fixes for forking external programs, so the server doesn't
> suddenly stop processing requests, or stop forking programs.
> * radzap now works, but it's command-line options have changed
> completely, and it's a shell script.
> * radwho has updated command-line options, and no longer reads
> Unix "utmp" files.
> * Fix bug in calling checkrad script with NAS port > 9999999
> * Fix long-standing bug when both crypt and pthreads are in use
> * Don't SEGV when rlm_sql gets 'NULL' value from request.
> * Re-arrange code in radrelay to not duplicate accounting packets.
> * In rlm_attr_rewrite, change the value when the attribute type
> is different from string.
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
- Fix for PR #29437 opened by luiszuccolo(at)ciudad.com.ar, thanks for the PR !
> FreeRADIUS 1.0.2 ; $Date: 2005/02/13 01:03:20 $, urgency=medium
> * Novell eDirectoty support. Patch from Novell.
> * localweb & Trapeze dictionary updates.
> * EAP-SIM fixes.
> * Make "Strip-User-Name = No" work.
> * Don't declare zero-length arrays in rlm_passwd
> * Bug fix to make udpfromto code work
> * radrelay shouldn't dump core if it can't read a VP from the
> detail file.
> * Only initialize the random pool once.
> * In rlm_sql, don't escape characters twice.
> * Fix MD4 calculation on big-endian machines.
> * In rlm_ldap, only claim Auth-Type if a plain text password is present.
> * Treat Quintium VSAs like Cisco VSAs
> * Locking fixes in threading code
> * rlm_krb5 includes /usr/include/et for Fedora Core
> * Fix post-auth REJECT stanza processing for rejections from external
> processes or home RADIUS servers
> * Fix building on gcc-4.0 by not trying to access static auth_port from
> other files.
> * Fix building SNMP support on Solaris 9, which needs -lkstat
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
- Add a fix for crashes when processing EAP-PEAP requests
PR 28095 Konstantin.Kabassanov (at) lip6.fr
- Fix pthreads enabled builds on NetBSD systems < 2.0
- Replace patch-ai, patch-aj and patch-ak with SUBST_* (suggested by juan@)
so that we'd not force dependance on specific MySQL version, and instead pick
the currently installed mysql*-client (or install the default if there
is no mysql-client package installed yet)
this makes package buildable with arbitrary MySQL version, such as 3.23.x,
4.0.x or 4.1.x
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
- Move to options.mk framework to support SNMP, OpenLDAP, PostgreSQL and
mySQL modules
- Add patches/patch-aj and patches/patch-ak for OpenLDAP and PostgreSQL builds
- Add extra PLIST's for OpenLDAP, PostgreSQL and mySQL modules
- Fix builds on 1.6 and 2.0_BETA
- ok'ed wiz@
- Addresses PR 26987 opened by Rui Paulo, thanks.
- Fix startup script using the wrong options
- Lots of changes including
- Denial-of-Service Security Fix.
- Make IPv6 support work better.
- Many, many minor bug fixes and feature enhancements.
- EAP-module feature improvements.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
- Install all configuration files under the examples directory.
- Copy configuration files to PKG_SYSCONFDIR using CONF_FILES.
- Honour PKG_SYSCONFDIR.
- Use OWN_DIRS to handle the /var/run/radiusd status directory.
- Use RCD_SCRIPTS to handle the rc.d script automatically.
As a result, bump PKGREVISION to 3.
that libtool-base puts down. Also, fix one place in the freeradius code
where a config.h should have been emitted but wasn't.
Also, for NetBSD < 1.6N disable threads as this requires threads and
the posix semaphore headers which pth/etc don't provide and didn't appear
until 1.6N
variables.
Added CONLICTS line to show conflict with radius-cistern. I will also add
a CONFLICTS line to radius-cistern although I will send a PR to have this
situation fixed so that both can coexist.
for putting this package together. Closes PR pkg/20013.
I had originally requested this package even though we already had the
Cistern RADIUS package because some terminal servers won't work with
one or the other of these packages. This increases the number of terminal
servers that can work with NetBSD.
from the DESCR file:
All code in this server was written from scratch.
The server is mostly compatible with livingston radiusd-2.01
(no menus or s/key support though) but with more feautures, such as:
o Can limit max. number of simultaneous logins on a per-user basis!
o Multiple DEFAULT entries, that can optionally fall-through.
o In fact, every entry can fall-through
o Deny/permit access based on huntgroup users dials into
o Set certain parameters (such as static IP address) based on huntgroup
o Extra "hints" file that can select SLIP/PPP/rlogin based on
username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
o Can execute an external program when user has authenticated (for example
to run a sendmail queue).
o Can use `$INCLUDE filename' in radiusd.conf, users, and dictionary files
o Can act as a proxy server, relaying requests to a remote server
o Supports Vendor-Specific attributes
o No good documentation at all, just like the original radiusd 1.16!
Then of course for general RADIUS questions, especially if you are using
Livingston / Lucent RABU equipment, there is the portmaster-radius mailing
list. Send mail to portmaster-radius-request@livingston.com to find
out how to subscribe.
