FreeRADIUS 3.0.20 Thu 14 Nov 2019 12:00:00 EDT urgency=medium
Feature improvements
* Add Jenkins continuous integration.
Used to build http://packages.networkradius.com/
* Added Force10 dictionary.
* Update dictionary.hp with new attributes.
* Update dictionary.aruba with new attributes.
* Update logrotate settings to rotate as non-root user.
* Fix side-channel leak in EAP-PWD. Patch from Mathy Vanhoef.
* Relax OpenSSL version checks, now that their API is both
public, and stable.
* Note that tls_min_version/tls_max_version also support "1.3"
Since there is no standard yet for EAP with TLS 1.3, it
will not work.
* Added tripplite dictionary.
* Switch to the async interface for rlm_sql_postgresql so that
we can enforce query_timeout.
* Added new LDAP option 'allow_dangling_group_ref'.
* Updated documentation and functionality for EAP session caching.
See "cache" section of mods-available/eap.
* Tighten systemd unit file security.
* Disable TLS 1.0 and TLS 1.1 support in the default configuration.
We STRONGLY recommend doing this for all installations.
* Add expansions for *outgoing* Radsec connections.
"%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-*
attributes.
* Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS
connections.
* Update dictionary.lancom with new attributes.
* Added rlm_sql_mongo. See raddb/mods-available/sql. Note that
this module is experimental.
* Added more documentation in sites-available/robust-proxy-accounting
* sqlippool now re-allocates unexpired leases, to prevent IP pool
exhaustion when clients perform multiple reauthentication attempts.
Patch from Terry Burton.
* Add support to radmin keep the history in ~/.radmin_history
* Add support for ENV and LD_PRELOAD in radiusd.conf. See the new
ENV sub-section of radiusd.conf.
* Update dictionary.aptilo.
* Update dictionary.airespace.
* Add sites-available/coa-relay, which makes CoA easier.
Patch from Terry Burton.
* Add example stored procedure for IP Pools in MySQL.
See mods-config/sql/ippool/mysql/procedure.sql
Patch from Terry Burton.
* Update dictionary.dhcp dictionary with the recent hardware types.
* Add experimental rlm_python3. This should largely work the same
as rlm_python, which was Python2 only.
* Add Dockerfiles for Debian10 and CentOS8.
* Add RPM spec file compatibility for RHEL/CentOS 8.
* Notes on iOS 13 certificate issues. See
https://support.apple.com/en-us/HT210176.
* Notes on certificate constraints. See raddb/certs/server.cnf.
* Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
Bug fixes
* Allow listen.ipaddr to reference an IPv6-only host.
* ERX-Acct-Request-Reason is "integer".
* Fix a slow memory leak in the file management code.
* Try to fix file permissions if they get modified while
the server is running.
* Fix slow memory leak with clients.
* Fix request and connection timeouts in rlm_rest.
* Fix systemd issues. Patches from Daniele Rondina.
* Fixes from clang analyzer.
* Fix missing include for the dictionaries: alcatel.esam,
altiga,alvarion.wimax.v2_2,aptis,asn,audiocodes,avaya,bristol,
columbia_university,freedhcp,garderos,infoblox,motorola.illegal,
starent.vsa1, telkom, wimax.wichorus.
* Fix internal sanity check when running with "-Xx"
* Allow "inner-tunnel" virtual servers to work better with
"accept" and "reject" policies.
* Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address
and Huawei-Framed-IPv6-Address.
* Framed-Interface-ID in postgresql/queries.conf is string, not inet
* Fix rlm_cache to complain on unknown attributes in the
"update" section of its configuration.
* Add configure checks for -latomic. This helps on armel, mips
and mipsel.
* Add support to Oracle 19 and 18.
* Add support for decoding tags in rlm_rest.
* Use correct passwords when updating CRLs in raddb/certs/
* Properly separate "originate-coa" packets when accounting packets
are read from the detail file reader.
* Use the correct virtual server for pre/post-proxy.
* radsqlrelay fixes backported from "master" branch.
Patches from Terry Burton.
* Fix DoS issues due to multithreaded BN_CTX access.
Patch from Mathy Vanhoef. CVE-2019-17185
2018.01.11 Version 3.0.16 has been released.
The focus of this release is stability.
Feature Improvements
* rlm_python now supports multiple lists. From #2031.
* Add trust router re-keying. From #2007.
* Add support for Samba / AD LDAP schema See doc/schemas/ldap/samba/README.txt
and doc/schemas/ldap/samba/.
* Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL
issues.
* Better documentation for client certificates in PEAP and TTLS: it usually
doesn't work. Fixes#2068.
* Distinguish login failure from AD unavailable. Fixes#2069.
* Update RH spec files. Fixes#2070.
* Run Post-Proxy-Type if all home servers are dead Fixes#2072.
* Print offending IP addresses when EAP sessions come from two upstream home
servers, and rate-limit the messages.
* Minor packaging updates.
* Better documentation for rlm_rest.
* EAP-FAST now has it's own "cipher_list", so that it is easier to configure.
* EAP-FAST now forcibly disables TLS1.2, until such time as we implement
the new keying mechanism from TLS1.2.
* Add documentation for allow_expired_crl.
* Update Debian logrotation. #2093 and #2101.
* DHCP relay can now drop responses. #2095.
* rlm_sqlippool can now assign Delegated-IPv6-Prefix It also now can assign
any IPv4 or IPv6 address Based on patches from maximumG. #2094 See
raddb/mods-available/sqlippool for changes.
* radeapclient can now use EAP-SIM-Ki to dynamically create the necessary
triplets.
* Explain why many LDAP connections are closed Fixes#1969.
* Debian build / package issues fixed by Matthew Newton.
* dictionary.patton updates from Brice Schaffner. Fixes#2137.
* Added scripts to build "inner-server.pem", and updated mods-config/inner-eap
and certs/README to match.
* Added provisions for using an external CA. See raddb/certs/.
* Include dhcpclient binary in freeradius-dhcp debian packge.
Bug Fixes
* Bind the lifetime of program name and python path to the module FR-AD-002
(redone).
* Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone).
* Allow 100-Continue responses with additional headers in rlm_rest.
* fix corner case where detail files were not being locked correctly.
* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group Fixes#1947.
* Clean up exfile code. Which should help to avoid issues with reading / writing
100's of detail files.
* Fix build for winbind. Patch from Alex Clouter.
* Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
* Fix home server stats lookup. Patch from Phil Mayers.
* Add libjson-c3 as an optional dependency.
* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS,
which breaks the server. Fixes#2040.
* rlm_python fixes. Fixes#2041.
* Typos in "man" pages. Fixes#2045.
* Expand "next" in %{%{...}:-%{...}}. Fixes#2048.
* Don't add TLS attributes twice. Fixes#2050.
* Fix memory allocation in rlm_rest. Fixes#2051.
* Update trustrouter for new API. Fixes#2059.
* Fix SQLite issues on FreeBSD. Fixes#2060.
* Don't do debug logging of bad passwords. Fixes#2064.
* More graceful handling of "die" in rlm_perl. Fixes#2073.
* Fix occasional crash when using cisco_accounting_username_bug = yes.
* EAP-FAST fixes from Isaac Boukris #2078, #2076, and #2082, #2126.
* DHCP fixes, relay, #2092, add run-time check, #2028.
* Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106.
* TunnelPassword is not "single value" in LDAP schema Fixes#2061.
* sql log now opens the expanded filename, not the input one This was
a regression introduced in 3.0.15.
* Remove unnecessary UNIQUE constrain in Oracle schemas.
* Fix SSL thread and locking issues when modules also use SSL Fixes#2125 and
#2129.
* Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and
Matthew Newton. Fixes#2155.
Based on a PR from @coyhile
(https://github.com/joyent/pkgsrc/issues/18). Splits modules with
external dependencies into separate packages.
The 1.1.x branch was EOL'd in 2008. No upgrade guide from 1.1.x to 3.0.x
seem to exist.
Summary of improvements in 3.x:
- Moved configuration entries in radiusd.conf to make more sense.
- Added the "integer64" and "ipv4prefix" data types.
- Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls.
- Updated internal API to support new attributes and formats.
- Added code to send SNMP Traps. See raddb/trigger.conf.
- Added preliminary support for Apple's Grand Central Dispatch.
- Added provisions for raddb/dictionary.local, for local changes See
raddb/dictionary for more details.
- Added packet/s tracking. See max_pps in the "listen" section.
- The %{} expansions and "unlang" conditions are now parsed at server
start. Descriptive errors are produced for syntax and format errors.
- Casting is now supported for "unlang" comparisons. See "man unlang"
e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
- Direct comparison of attribute references is now supported e.g. &Foo
== &Bar. This avoids stringification of the attributes.
- Direct assignment of attributes is now supported e.g. Foo := &Bar. It
also works for "octets" data types.
- Comparisons of IPv4 and IPv6 prefixes are now supported The "<"
operator means "within the prefix" for comparisons.
- New sha1 xlat expansion (thanks to Alan Buxey).
- Colourised log messages when logging to stdout. Look for yellow
warnings and red errors. Doing this will save you a LOT of grief.
- If the PCRE library is available, use it (insted of the POSIX
functions) to process regular expressions (thanks to Phil Mayers).
- -xv now displays all the features the server was built with, and the
versions of the core libraries (libtalloc, libssl).
Summary of improvements in 2.x:
- simple policy language (see "man unlang")
- virtual servers ("raddb/sites-available/README")
- IPv6 support
- better proxy support ("raddb/proxy.conf")
- More EAP types
- Debugging output should be <em>much</em> easier to understand
- VMPS support
- More modules have been moved to "stable" status (python, etc.)
- SQL configuration has been cleaned up (see "raddb/sql/*")
- limited support for HUP. (The configuration for some modules is
re-loaded on HUP. Nothing else is reloaded.)
- check configuration and exit ("radiusd -C")
- Server core is now event based (simpler, more powerful)
adam
nonaka
fhajny