There is a high impact bug that will increasingly impact TLS-based EAP users in FreeRADIUS 3.0.7, such as 802.1X deployments, when FreeRADIUS is used with a TLS 1.2 capable version of OpenSSL. It would be wise not to update to this release and to go for a newer one. This occurs because FreeRADIUS miscalculates the MPPE keys, meaning that client auth cannot complete when a client negotiates with TLS 1.2. See:
https://github.com/FreeRADIUS/freeradius-server/commit/254c61cfadd20f100a7eb4a43254e71e23508c4f

iOS 9 and OS X El Capitan, currently in beta, are examples of clients that use TLS 1.2 by default for EAP purposes. Users find that they cannot associate to networks that use WPA2-Enterprise.

This bug was resolved starting with FreeRADIUS 3.0.8. I suggest that you consider upgrading this package to 3.0.9 and not 3.0.7.

The supplicant in Windows 7 and newer supports TLS 1.2 for the TLS-based EAP types offered, such as EAP-PEAP, if the machine is fully patched via Windows Update. TLS 1.1 and 1.2 are, however, for the moment disabled by default. See the second "More Information" section of:
https://support.microsoft.com/en-us/kb/2977292
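The key-derivation step the comment above refers to, as an added example that is neither FreeRADIUS code nor the specific fix in the linked commit: RFC 5216 derives 128 bytes of key material from the TLS master secret with the TLS PRF, takes the first 64 bytes as the MSK, and the RADIUS server hands the two 32-byte halves of the MSK to the NAS as MS-MPPE-Recv-Key and MS-MPPE-Send-Key. The PRF itself is version dependent: TLS 1.0/1.1 use P_MD5 XOR P_SHA1 over the two halves of the secret, TLS 1.2 uses a single P_SHA256 (or P_SHA384 for the SHA-384 suites) over the whole secret. The classic way this breaks is a server that keeps using the pre-1.2 PRF after the peer negotiates TLS 1.2: both sides finish the handshake, but the MPPE keys the server sends never match what the supplicant derived, so the 802.1X association fails exactly as described above. The master secret, randoms and version constants below are constructed test inputs, and `keys_match_across_prf_mismatch` is a helper written for this example.

```python
"""RFC 5216 EAP-TLS key derivation with the TLS-version-specific PRF.

Added example, not FreeRADIUS code. All inputs are constructed test values.
"""
import hmac

# Constructed test inputs: a 48-byte TLS master secret and the two 32-byte
# handshake randoms. Real values come out of the TLS handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)

TLS_1_0, TLS_1_1, TLS_1_2 = 0x0301, 0x0302, 0x0303


def _p_hash(hash_name, secret, seed, length):
    """P_<hash> data expansion (RFC 2246 / RFC 5246 section 5)."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1
    over the second half (the halves share the middle byte if the length
    is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = _p_hash("md5", s1, label + seed, length)
    sha1_part = _p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: one P_<hash> over the whole secret, <hash> being the
    cipher suite's PRF hash (SHA-256 unless the suite specifies SHA-384)."""
    return _p_hash(hash_name, secret, label + seed, length)


def derive_eap_tls_keys(tls_version, master_secret, client_random, server_random,
                        label=b"client EAP encryption", hash_name="sha256"):
    """RFC 5216 section 2.3: 128 bytes of key material; MSK is the first 64,
    EMSK the next 64. MS-MPPE-Recv-Key / MS-MPPE-Send-Key carry the two
    32-byte halves of the MSK. EAP-TTLS uses the label b"ttls keying material"."""
    if tls_version >= TLS_1_2:
        key_material = prf_tls12(master_secret, label,
                                 client_random + server_random, 128, hash_name)
    else:
        key_material = prf_tls10(master_secret, label,
                                 client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:]
    return {
        "msk": msk,
        "emsk": emsk,
        "mppe_recv_key": msk[:32],
        "mppe_send_key": msk[32:64],
    }


def keys_match_across_prf_mismatch(negotiated_version, server_assumed_version):
    """Helper for this example: the supplicant derives keys with the PRF of the
    version actually negotiated, while the server derives them with the PRF of
    `server_assumed_version`. True only if both sides get the same MPPE keys."""
    supplicant = derive_eap_tls_keys(negotiated_version, MASTER_SECRET,
                                     CLIENT_RANDOM, SERVER_RANDOM)
    server = derive_eap_tls_keys(server_assumed_version, MASTER_SECRET,
                                 CLIENT_RANDOM, SERVER_RANDOM)
    return (supplicant["mppe_recv_key"] == server["mppe_recv_key"]
            and supplicant["mppe_send_key"] == server["mppe_send_key"])


if __name__ == "__main__":
    k = derive_eap_tls_keys(TLS_1_2, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("MS-MPPE-Recv-Key:", k["mppe_recv_key"].hex())
    print("MS-MPPE-Send-Key:", k["mppe_send_key"].hex())
    print("TLS 1.1 peer, server using TLS 1.0/1.1 PRF:",
          keys_match_across_prf_mismatch(TLS_1_1, TLS_1_1))
    print("TLS 1.2 peer, server still using TLS 1.0/1.1 PRF:",
          keys_match_across_prf_mismatch(TLS_1_2, TLS_1_1))
```

The practical check this suggests when debugging a failing WPA2-Enterprise association: confirm which TLS version the supplicant negotiated (the server debug log shows it) and compare it against the version range the server and its OpenSSL build actually derive keys for correctly; a handshake that completes while the 4-way handshake never does is the signature of a key-material mismatch rather than a certificate problem.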
Here's the full ChangeLog from the version we have up to the latest stable 3.0.11:

FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium

Feature improvements
* "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
* Allow shorthand form of ipv4prefix values e.g. 127/8.
* Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong.
* Added printing of coa and disconnect stats (radmin).
* radclient defaults to expecting Access-Accept responses to Status-Server.
* Updated dictionary.lancom, dictionary.starent.
* Portability fixes for Solaris.
* More errors from ntlm_auth get passed to MS-CHAP.
* Update abfab-tr-idp virtual server.
* Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
* The server now issues a WARNING message if duplicate configuration items are found.
* TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
* Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
* Interoperate with AD and "LmCompatibilityLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
* TTLS and PEAP now require "virtual_server" to be a real server.
* Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
* Various rlm_python fixes from Herwin Weststrate.
* Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
* elasticsearch updates from Matthew Newton

Bug fixes
* Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
* Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
* Data type "ipv4prefix" is parsed correctly.
* Use correct talloc context in rlm_exec. Fixes #1338.
* Complain in unlang if "else" is used with no previous "if" or "elsif".
* Send accounting status packets to the accounting port. Fixes #1364.
* Print out CFLAGS when doing "radiusd -Xxv"
* Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
* Fixes for LEAP proxying. Don't use LEAP!
* Fix issue with "directory already exists" seen when doing "make install".
* Fixed bug with radmin related to the option "stats detail <filename>"
* Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398
* Fixed SoH. Attributes were not being copied to the virtual server.
* Used a wrong list for global statistics in "stats".
* Create EAP-PWD identity correctly. Prevents segfaults.
* Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
* Fix includes in installed headers.
* OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
* Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
* Fix home server fail-over for home servers using TCP and/or RadSec.
* Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape.
* Use correct authentication vector when sending Access-Reject replies for RadSec.
* Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
* Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
* Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
* Automatically skip zero-length attributes when sending packets, instead of erroring out.

FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium

Feature improvements
* Do more optimization of unlang policies. This makes run-time a bit faster.
* Re-name most of the functions in src/lib. Third-party module authors will have to do the same.
* More documentation on contributing and how to write modules.
* Update radiusd.service for systemd.
* Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets.
* Create debian packages for DHCP. Fixes #1125.
* Add more tests for "update" section parsing.
* Update "man" pages.
* Update attributes for Alcatel 7750
* Add dictionary for Boingo Wi-Fi
* Add support for DHCP lease queries. See raddb/sites-available/dhcp
* On HUP, check all modules for config files which have changed. And only re-load those modules.
* Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate.
* Documentation fixes from Alan Buxey and Matthew Newton.
* Update "logrotate" script.
* Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS.
* Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton.
* The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes.
* Update debian packages. Patches from Christopher Hoskin.
* Many other debian packaging fixes from Matthew Newton and Herwin Weststrate.
* Add "session-state" to Perl. Patch from Herwin Weststrate.

Bug fixes
* Fix rlm_files so that there are no collisions when loading 10's of 1000's of users.
* Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly.
* Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'.
* Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable.
* Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence.
* Fix deadlock when reconnecting connections in the connection pool.
* Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer.
* Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic.
* Fix radclient issue with TCP sockets on FreeBSD.
* The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root".
* Handle tags when using maps. Fixes #1191.
* Fix crash when CoA packets time out.
* Fix parse error in rediswho
* Fix regex support in SQL radcheck, the "users" file and radsniff.
* Register listen xlat earlier, so that it's available when the virtual servers are being parsed.
* Parse Ascend-Data-Filter when given as "0x..."
* Print Ascend-Data-Filter correctly. Add test cases for both.
* Allow old-style clients again. They will be disallowed for 3.1.0 and following.
* Complain instead of crash when "else" and "elsif" are in the wrong place.
* Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods.
* Prevent the server from unlinking the control socket of an already running instance.
* Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate.
* Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira.
* Lower peak memory usage by decreasing size of internal memory pools.
* The control socket is now left in place if a second copy of the server is accidentally started.
* Allow virtual attributes in "switch", "case", etc. Fixes #1240 and #1265.
* Many spell check / typo fixes in comments and example configuration files.
* Better handle multiple DHCP listeners.
* Don't print secrets for old-style realms. Fixes #1267.
* Don't fall through in empty "case" statements. Fixes #1274.
* Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
* Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
* Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=).
* Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant.
* Do not include M= in MSCHAPv1 errors. It's not supported.

FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium

Feature improvements
* Make "pool" configurations more consistent, and update documentation for them.
* Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
* More VSAs for 3GPP2
* Added examples of multi-value attributes to rlm_perl.
* LDAP-Group and SQL-Group attributes are now dynamically allocated.
* Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
* Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
* Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
* Move to C99 initializers for modules.
* Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
* Added 'bootstrap' section to modules. Third-party modules will need to be updated.
* When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
* When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
* Allow the server to originate CoA requests from the post-auth stage.
* The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
* Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
* HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
* Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
* Increase default max_requests to 16384. Memory is cheap now.
* Added "stats memory" commands to radmin. Debug build only.
* Aptilo controller dictionary updates.
* SQL modules now use Acct-Unique-Session-Id everywhere.
* The redis modules are now stable.
* The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
* DHCP code is now in libfreeradius-dhcp.
* More DHCP encoding / decoding unit tests.
* rlm_replicate can now be listed in the "accounting" section.
* Better sqlite debugging output.
* Remove "required" option from many sql_ippool directives.
* Set default CA "basic constraints" to "critical". Fixes #1073
* Updates to help / man pages from Jorge Pereira.
* Added more tests.

Bug fixes
* Be more careful about unused config item warnings when using -Xx.
* Move more defines to be auto-generated.
* Allow virtual servers in proxy fallback.
* Allow %{module:} to work.
* Don't crash in RadSec. Closes #980.
* Return better errors when a unix group / user is not found.
* Re-enable detail module "locking" parameter.
* Don't crash when logging replies from Status-Server packets.
* The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase
* Don't require NT-Password for MS-CHAP password changes.
* Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho.
* Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015
* Fix dynamic clients read from SQL in non-debug mode
* MS-CHAP now allows retries (i.e. password change) when passwords are expired.
* Allow "user=radiusd" when the server is already user "radiusd"
* suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
* Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
* Fix format.pl because Perl is now more picky.
* Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
* Fix corner case with cursor functions and removal.
* OpenDirectory fixes and documentation.
* Fix leaks in rlm_redis.
* RFC 6929 "evs" attributes are now encoded / decoded properly.
* Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
* Printed attributes again use double quotes instead of single quotes.
* Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
* rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
* Make "break" work in "foreach" loops
* Allow dynamic expansions to work again in the "hints" file.
* Correct minor typos in comments and examples from Alan Buxey.
* Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise.

FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium

Feature improvements
* Allow syslog_severity to be set in rlm_linelog.
* Allow defaults to be set for bulk clients in LDAP and couchbase.
* Updates to dhcpclient. Patches from Nicolas C.
* rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
* Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random
* Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
* Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
* Add support for server side sort controls when searching for user objects in rlm_ldap.

Bug fixes
* Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
* Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
* Fix ASSERT on truncated detail packets.
* Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
* Fix issue in "switch" when "correct_escapes = false". Fixes #911.
* Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
* Allow forward references in configuration items. Modules aren't always loaded in a sane order.
* Fix more escaping issues. Closes #912.
* Decode MAC addresses correctly for VMPS.
* Fix memory leak with TLS connections.
* Fix state machine threading issues for conflicting packets.
* Fix copy_request_to_tunnel issues for tagged attributes.
* Allow "ok" to over-ride "updated" inside of Auth-Type sections.
* Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
* Allow "netmask" to work again in client definitions.
* Relax restrictions on SQL group queries.
* Track outgoing proxy sockets and clean them up more aggressively.
* Track proxy statistics, including CoA and Disconnect.
* If radmin has a connection failure when running a command, it re-connects and runs the command again.
* Mark home servers "unknown" less aggressively.
* Fix potential SEGV in PostgreSQL driver on error.
* Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
* Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
* Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
* Fix invalid assert in state.c, that could cause abort in post-auth.
* Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
* RADIUS over TLS accounting uses the same port as authentication.
* Regularized return codes from radmin commands.
* Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script.
* radwho and radlast now have a -D option to load dictionaries
* DHCP packets are no longer checked for duplicates.
* Don't crash in sql module group comparisons in corner case.
* Calculate MPPE keys correctly when using TLS 1.2.
* Fix load-balance sections. Closes #945
* TLS certificates are available again in the post-auth section. They are not available for session resumption.
* radclient encodes CHAP-Password properly when using -c. Closes #955.
* Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
* Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
* Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
* Fixes to PostgreSQL queries. Patches from Santiago Gimeno.

FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium

Feature improvements
* Allow coa home_servers to be derived from client sections if a coa_server section is provided.
* Automatically determine the correct port if no port is provided for a home server.
* Allow foreach to operate over lists.
* Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiusd -xv. %v is now deprecated.
* Add support for PATCH method in rlm_rest.
* Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
* Add support for sub-second timeouts in rlm_rest.
* Add support for connection timeouts in rlm_rest.
* Add %{jsonquote:<str>} xlat to escape strings for insertion into json documents.
* Add %{ldapquote:<str>} xlat to escape strings for insertion into ldap DNs.
* Add %{explode:&ref <char>}, splits value of &ref on <char> and creates new &ref type attributes with the fragments.
* Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
* Add %{nexttime:[<int>]h|d|w|y} to calculate the number of seconds before the next <int> hour(s), day(s), week(s), or year(s).
* Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
* Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
* For some SQL drivers (MySQL, sqlite) distinguish between constraint violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
* Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
* Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
* Make dhcpclient work with raw sockets and various other improvements - Contributed by nchaigne
* Add support for SSHA2 - Contributed by PDD.
* Add perle dictionary - Contributed by Hachmer
* Modernise init scripts for RHEL, SUSE and Debian.
* radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
* radmin now sends error messages from the server to stderr, instead of to stdout.
* radmin now looks for sockets matching its UID and GID, rather than just always using the first one it finds.
* radmin can now delete clients which are tied to a listener.
* Moved RADIUS attribute definitions to src/include/rfc*.h
* Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
* In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
* Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
* Syntax errors in the "users" file now produce better error messages.

Bug fixes
* Fix issues parsing LDAP hostnames with non-standard ports.
* Fix issues with realms containing regular expressions.
* Allow unary negation before parentheses in rlm_expr.
* Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
* Be more careful to define Auth-Types before loading modules.
* Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
* When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
* Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
* Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
* Emit warnings when ignoring user configured pool values.
* Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
* Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
* Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
* Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
* Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
* Set connection timeout correctly in rlm_sql_mysql.
* Build with older versions of libcurl, and use CFLAGS from curl-config.
* Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
* Initialise ldapai_info_version field, so libldap will report its vendor and version.
* Fix log rotation scripts by using the copyrotate option.
* Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
* Save Session-State after proxying.
* Additional fixes for reading CoA/DM requests from detail files.
* Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes.
* Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.

FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium

Feature improvements
* radmin / raddebug conditional errors are printed to the output, instead of being discarded.
* raddebug will exit if condition set with -c was invalid.
* radmin auto-reconnects if the connection to the server has gone away.
* rlm_cache now has submodule support. See raddb/mods-available/cache
* New memcached driver for rlm_cache. See raddb/mods-available/cache
* Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
* Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
* Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
* When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
* Support JIT compilation of compiled regular expressions when built with libpcre.
* Support named capture groups with "%{regex:<name>}" when built with libpcre.
* Increase regular expression capture groups from 8 to 32.
* Emit error markers for badly formed regular expressions.
* Allow 'm' flag to enable multiline mode in regular expressions.
* Support limited implicit attribute conversion in update sections.
* Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).

Bug fixes
* PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel.
* "group" is allowed inside of "instantiate" sections.
* update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly.
* Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour.
* Fix parsing of old regular expressions. Closes #842
* Fix off by one error in ascend filters. Closes #843.
* Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
* Fix infinite loop on "Fall-Through = yes" when processing SQL groups.
* Correct the check of SQL query return code.
* Run "Post-Auth-Type Reject" if the request was rejected in post-auth
* Write "Login OK" only if the post-auth section passed.
* Create TLS-Cert-* certificates, even when EAP session caching is disabled.
* Finalize the "correct_escapes" with many more tests.
* Move to the new OpenLDAP libldap API, fixes more issues with binary values.
* Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu.
* Give parse errors on "%{...", without the closing brace.
* Allow spaces in certificate passwords for build rules in raddb/certs/
* Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
* Fix various issues around masking IPv6 addresses.
* Give descriptive error if unknown attributes are used in "update" sections.
* Deal with cases where ldap_initialize isn't available gracefully, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium

Feature improvements
* Large update to Huawei dictionary.
* Added dictionary.rfc7155
* Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
* All configuration items which are dynamically expanded are now parsed and validated when the server starts.
* %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
* The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
* CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
* Allow CoA and Disconnect packets to be read from the detail file.
* Allow LDAP to specify arbitrary attributes for dynamic clients.
* Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
* rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
* Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
* Rename dictionary.redback to dictionary.ericsson.ab
* Add --disable-openssl-version-check option to configure. So vendors can disable the check. Patch from Nikolai Kondrashov.
* Do context-specific indenting in debug messages. This makes the debug output easier to read.
* Make configuration a separate RPM, just like for Debian.
* Better decoding of unknown VSAs
* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
* Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
* Document retry_delay in connection pools.
* Allow checksimul in rlm_couchbase.
* Use kqueue on systems which support it. This allows for better scaling when using many sockets.

Bug fixes
* Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
* Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
* Allow null user object filter in rlm_ldap, it's valid to specify a complete object DN and use the base scope.
* Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
* Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
* Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
* Allow tabs after attribute names in the "users" file. Closes #796.
* Free unknown DICT_ATTRs. Closes #795
* Handle unknown attributes in the conditions and "update" sections. e.g. Attr-1.2.3.4 = foo.
* Use correct array size for MS-CHAP new password.
* In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
* Don't call detach on parse error in rlm_perl. Closes #802.
* Integer fixes for big-endian systems. Closes #803.
* Don't optimize %{Packet-Src-IP-Address}. Closes #804.
* dhcpclient loads dictionaries correctly. Closes #805.
* Double quotes are no longer escaped in single-quoted strings. e.g. 'foo "hello" bar'.
* Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
* Typos and fixes from Nikolai Kondrashov.
* Fixes to OpenSSL version checks, for cross-platform issues.
* cppcheck fixes from Herwin Weststrate.
* Fix build for OSX Yosemite
* Merge DHCP sub-options. Closes #812.
* Fix decoding of Starent attributes.
* When a module asks for a connection, don't return idle connections.
* LDAP connection timeouts will now retry, instead of failing.
* Prevent race conditions between fork and wait for child. Patch from James Rouzier.
* Fix triggers for connection pools. Patches from Nikolai Kondrashov.
* Fix SEGV when comparing non string type check items.
* Build with newer versions of libmysqlclient.
* Make the %{escape:} and %{unescape:} xlat functions UTF8 safe.
* Don't escape UTF8 chars in SQL query strings.
* Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
* Fix use after free issue in unlang switch evaluation.
* Respect operators in rlm_cache when merging into the current request.
* Update Cache-Entry-Hits each time rlm_cache is called.
* Produce WARN messages if SQL queries are empty strings.
* Fix invalid assertion when proxying CoA requests.
* Allow empty strings in "case" statements. Closes #836.
* Normalize escaping for string expansions. i.e. don't do double escaping in rare situations.
* Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
* Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
* Fix rlm_rest state handling. Closes #835.
Based on the internal prioritization and resource discussion this rebase and related issues have been deferred from 7.3 to 7.4.
We're working on rebase to 3.0.12, which is required to get fixes for a number of bugs.
Should this rebase be to the 3.0.14 version that fixes CVE-2017-9148? See: #1456697
No, we're backporting the fix.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1954