Bug 1202751 - Rebase FreeRADIUS to 3.0.12 or later minor release
Summary: Rebase FreeRADIUS to 3.0.12 or later minor release
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: freeradius
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Nikolai Kondrashov
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On:
Blocks: 1167843 1167846 1197551 1264457 1269217 1313485 1340334 1344183 1354234 1358989 1370431 1397981 1399979
Reported: 2015-03-17 11:35 UTC by Nikolai Kondrashov
Modified: 2019-03-06 00:44 UTC

Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The freeradius packages have been upgraded to upstream version 3.0.13, which provides a number of bug fixes and enhancements over the previously distributed version 3.0.4.
Clone Of:
Environment:
Last Closed: 2017-08-01 20:36:03 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1276310 | 0 | medium | CLOSED | RFE: Need OpenSSL 1.0.2 | 2021-12-10 14:33:09 UTC
Red Hat Product Errata RHEA-2017:1954 | 0 | normal | SHIPPED_LIVE | freeradius bug fix and enhancement update | 2017-08-01 18:29:54 UTC

Internal Links: 1276310

Comment 3 Nick Lowe 2015-07-27 14:38:56 UTC
There is a high impact bug that will increasingly impact TLS-based EAP users in FreeRADIUS 3.0.7, such as 802.1X deployments, when FreeRADIUS is used with a TLS 1.2 capable version of OpenSSL. It would be wise not to update to this release and to go for a newer one.

This occurs because FreeRADIUS miscalculates the MPPE keys meaning that client auth cannot complete when a client negotiates with TLS 1.2.

See: https://github.com/FreeRADIUS/freeradius-server/commit/254c61cfadd20f100a7eb4a43254e71e23508c4f

iOS 9 and OS X El Capitan, currently in beta, are examples of clients that use TLS 1.2 by default for EAP purposes. Users find that they cannot associate to networks that use WPA2-Enterprise.

This bug was resolved starting with FreeRADIUS 3.0.8.
I suggest that you consider upgrading this package to 3.0.9 and not 3.0.7.

The supplicant in Windows 7 and newer supports TLS 1.2 for the
TLS-based EAP types offered such as EAP-PEAP if the machine is fully
patched via Windows Update.

TLS 1.1 and 1.2 are, however, for the moment disabled by default.

See the second More Information section of:

https://support.microsoft.com/en-us/kb/2977292
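The failure Nick describes sits in the EAP-TLS key export of RFC 5216 section 2.3 (the TLS PRF run over the master secret with the label "client EAP encryption" and both handshake randoms; the first 64 bytes become MS-MPPE-Recv-Key and MS-MPPE-Send-Key), and TLS 1.2 (RFC 5246) replaced the split MD5/SHA-1 PRF of TLS 1.0/1.1 with P_SHA256, so a server that applies the old construction to a TLS 1.2 session exports keys the supplicant never derived. The derivation below, with both PRF variants side by side, is an added example and not FreeRADIUS code; it assumes a cipher suite using the default SHA-256 PRF, and the master secret and randoms are constructed placeholders.

```python
import hmac


def _p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) data expansion, RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); the output is the concatenation
    of HMAC(secret, A(i) + seed) for i = 1, 2, ... truncated to `length` bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls_prf(tls_version, secret, label, seed, length):
    """TLS PRF(secret, label, seed) as the negotiated protocol version defines it."""
    label_seed = label + seed
    if tls_version in ("1.0", "1.1"):
        # RFC 2246 section 5: S1 is the first half of the secret, S2 the second
        # half (overlapping by one byte when the length is odd); the result is
        # P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
        half = (len(secret) + 1) // 2
        s1, s2 = secret[:half], secret[len(secret) - half:]
        md5_part = _p_hash("md5", s1, label_seed, length)
        sha1_part = _p_hash("sha1", s2, label_seed, length)
        return bytes(x ^ y for x, y in zip(md5_part, sha1_part))
    if tls_version == "1.2":
        # RFC 5246 section 5: a single P_SHA256 over the whole secret
        # (assumption: a cipher suite that does not override the PRF hash).
        return _p_hash("sha256", secret, label_seed, length)
    raise ValueError("unsupported TLS version %r" % tls_version)


def eap_tls_mppe_keys(tls_version, master_secret, client_random, server_random):
    """RFC 5216 section 2.3 key export: the MSK, the EMSK and the two MPPE halves.

    Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                               client.random + server.random)
    MSK = Key_Material[0:64], EMSK = Key_Material[64:128]
    MS-MPPE-Recv-Key = MSK[0:32], MS-MPPE-Send-Key = MSK[32:64]
    (the RFC 2548 attribute encryption towards the NAS is not shown here).
    """
    key_material = tls_prf(tls_version, master_secret, b"client EAP encryption",
                           client_random + server_random, 128)
    msk = key_material[:64]
    return {"msk": msk, "emsk": key_material[64:],
            "recv_key": msk[:32], "send_key": msk[32:]}


# Constructed placeholders standing in for a real handshake's secrets.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)


def keys_match(server_tls_version, supplicant_tls_version):
    """True when a server deriving with one version's PRF and a supplicant
    deriving with another's end up with the same MPPE keys, i.e. when the
    802.1X session can proceed after the TLS handshake."""
    server = eap_tls_mppe_keys(server_tls_version, SAMPLE_MASTER_SECRET,
                               SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    supplicant = eap_tls_mppe_keys(supplicant_tls_version, SAMPLE_MASTER_SECRET,
                                   SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    return (server["recv_key"] == supplicant["recv_key"]
            and server["send_key"] == supplicant["send_key"])


if __name__ == "__main__":
    # A server applying the TLS 1.0 PRF to a TLS 1.2 session: keys do not match.
    print("old PRF vs TLS 1.2 supplicant:", keys_match("1.0", "1.2"))      # False
    print("TLS 1.2 PRF vs TLS 1.2 supplicant:", keys_match("1.2", "1.2"))  # True
```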

Comment 6 Nikolai Kondrashov 2016-03-08 19:51:30 UTC
Here's the full ChangeLog from the version we have up to the latest stable 3.0.11:

FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
	Feature improvements
	* "unlang" comparisons of IP addresses to IP prefixes
	  are now detected, and types automatically cast.
	* Allow shorthand form of ipv4prefix values e.g. 127/8.
	* Add "auto_chain" to raddb/mods-available/eap, tls
	  subsection.  This allows the disabling of OpenSSL
	  auto-chaining of certificates.  Which might be wrong.
	* Added printing of coa and disconnect stats (radmin).
	* radclient defaults to expecting Access-Accept responses
	  to Status-Server.
	* Updated dictionary.lancom, dictionary.starent.
	* Portability fixes for Solaris.
	* More errors from ntlm_auth get passed to MS-CHAP.
	* Update abfab-tr-idp virtual server.
	* Added "filter_password" in policy.d/filter.  This
	  removes embedded zero bytes in User-Password, for
	  compatibility with broken clients.
	* The server now issues a WARNING message if duplicate
	  configuration items are found.
	* TLS can skip the "verify" section if OCSP returns OK.
	  See raddb/mods-available/eap, "skip_if_ocsp_ok".
	* Set TLS-OCSP-Cert-Valid = yes / no / skipped, which
	  is the result from the OCSP check.
	* Interoperate with AD and "LmCompatibilityLevel = 5",
	  by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for
	  native winbind in rlm_mschap.
	* TTLS and PEAP now require "virtual_server" to be a real server.
	* Print WARNING when TTLS or PEAP identities are spoofed
	  or not properly anonymized.  See RFC 7542 for requirements.
	* Various rlm_python fixes from Herwin Weststrate.
	* Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
	  which is useful when the home server does not respond.
	* elasticsearch updates from Matthew Newton

	Bug fixes
	* Fix issue where field nas_type would not be accessible via
	  the %{client:} xlat, for clients loaded from SQL.
	* Fix compatibility issues with OpenSSL 1.0.2.  Ignore
	  calls to msg_callback with 'pseudo' content types.
	* Data type "ipv4prefix" is parsed correctly.
	* Use correct talloc context in rlm_exec.  Fixes #1338.
	* Complain in unlang if "else" is used with no previous
	  "if" or "elsif".
	* Send accounting status packets to the accounting port.
	  Fixes #1364.
	* Print out CFLAGS when doing "radiusd -Xxv"
	* Fixed bug with coa/acct stats value #1339. Based on patch from
	  Jorge Pereira.
	* Fixes for LEAP proxying.  Don't use LEAP!
	* Fix issue with "directory already exists" seen when doing
	  "make install".
	* Fixed bug with radmin related to the option "stats detail <filename>"
	* Complain if the detail file reader does not have permission
	  to read the "detail.work" file.  Fixes #1398
	* Fixed SoH. Attributes were not being copied to the virtual server.
	* Used a wrong list to global statistics in "stats".
	* Create EAP-PWD identity correctly.  Prevents segfaults.
	* Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
	* Fix includes in installed headers.
	* OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly.
	  See raddb/mods-available/eap, "disable_tlsv1_2"
	* Allow password change to work for MS-CHAP.  This requires 'r=0',
	  because password changes are not retries.
	* Fix home server fail-over for home servers using TCP and/or RadSec.
	* Special characters in expanded regexes are now escaped
	  e.g. User-Name containing '.', and comparing /%{User-Name}/,
	  the '.' will now be escaped.  See src/tests/keywords/regex-escape.
	* Use correct authentication vector when sending Access-Reject replies
	  for RadSec.
	* Set FreeRADIUS-Proxied-To in TTLS again.  You should use the
	  "inner-tunnel" virtual server, instead of relying on this attribute.
	* Fix debugging constants in rlm_perl.  Patch from Herwin Weststrate.
	* Add samba-dev / samba4-dev to debian builds so that rlm_mschap can
	  automatically use the new winbind API.
	* Automatically skip zero-length attributes when sending packets,
	  instead of erroring out.

FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
	Feature improvements
	* Do more optimization of unlang policies.  This makes
	  run-time a bit faster.
	* Re-name most of the functions in src/lib.  Third-party
	  module authors will have to do the same.
	* More documentation on contributing and how to write
	  modules.
	* Update radiusd.service for systemd.
	* Open IPv6 proxy socket if the server is listening on IPV6
	  auth / acct / coa packets.
	* Create debian packages for DHCP.  Fixes #1125.
	* Add more tests for "update" section parsing.
	* Update "man" pages.
	* Update attributes for Alcatel 7750
	* Add dictionary for Boingo Wi-Fi
	* Add support for DHCP lease queries.
	  See raddb/sites-available/dhcp
	* On HUP, check all modules for config files which have
	  changed.  And only re-load those modules.
	* Allow FreeRADIUS-Response-Delay(-USec) to be set for
	  RADIUS packets.  Patch from Herwin Weststrate.
	* Documentation fixes from Alan Buxey and Matthew Newton.
	* Update "logrotate" script.
	* Added more RFCs to doc/rfc for new standards implemented
	  by FreeRADIUS.
	* Don't crash when doing "radmin -e 'help hup'".
	  Patch from Matthew Newton.
	* The dictionary parser now does more sanity checks, which
	  prevents run-time problems with invalid attributes.
	* Update debian packages.  Patches from Christopher Hoskin.
	* Many other debian packaging fixes from Matthew Newton
	  and Herwin Weststrate.
	* Add "session-state" to Perl.  Patch from Herwin Weststrate.

	Bug fixes
	* Fix rlm_files so that there are no collisions when loading
	  10's of 1000's of users.
	* Fix radclient to use our internal v4/v6 parsing functions.
	  v6 addresses with ports now work correctly.
	* Fix sending/receiving packet messages to wrap v6 addresses
	  in square brackets '[]'.
	* Check for sasl/sasl.h when building rlm_ldap, and disable
	  SASL functionality if unavailable.
	* Fix issue which caused a non \0 terminated buffer to be
	  assigned to attributes if the value being assigned contained
	  an invalid escape sequence.
	* Fix deadlock when reconnecting connections in the connection
	  pool.
	* Fix potential overrun in functions that used fr_utf8_char
	  with a non nul terminated buffer.
	* Fix decoding issue for Tunnel-Password type attributes
	  which were very long.  Found by Denis Andzakovic.
	* Fix radclient issue with TCP sockets on FreeBSD.
	* The server now creates ${run_dir} and ${logdir} directories
	  in daemon mode, when running as "root".
	* Handle tags when using maps.  Fixes #1191.
	* Fix crash when CoA packets time out.
	* Fix parse error in rediswho
	* Fix regex support in SQL radcheck the "users" file and radsniff.
	* Register listen xlat earlier, so that it's available when the
	  virtual servers are being parsed.
	* Parse Ascend-Data-Filter when given as "0x..."
	* Print Ascend-Data-Filter correctly.  Add test cases for both.
	* Allow old-style clients again.  They will be disallowed for
	  3.1.0 and following.
	* Complain instead of crash when "else" and "elsif" are in
	  the wrong place.
	* Clean up memory more aggressively.  This lowers the
	  maximum memory used, most typically for TLS based EAP methods.
	* Prevent the server from unlinking the control socket of an
	  already running instance.
	* Fallback to using the configured OCSP URL if one exists, and
	  no URL is provided in the certificate.
	* Return CoA-NAK if proxying CoA fails.  Based on patch from
	  Jorge Pereira.
	* Lower peak memory usage by decreasing size of internal
	  memory pools.
	* The control socket is now left in place if a second copy
	  of the server is accidentally started.
	* Allow virtual attributes in "switch", "case", etc.
	  Fixes #1240 and #1265.
	* Many spell check / typo fixes in comments and example
	  configuration files.
	* Better handle multiple DHCP listeners.
	* Don't print secrets for old-style realms.  Fixes #1267.
	* Don't fall through in empty "case" statements.
	  Fixes #1274.
	* Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
	* Always delete MS-MPPE-* from the TTLS inner tunnel. This allows
	  TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
	* Fix off by one error that caused some MSCHAP-Error messages to
	  be sent without the password change version (V=3) and the textual
	  message component (M=).
	* Always include C= V= and M= in MSCHAPv2 errors.  RFC 2759 does not say
	  that any of these fields are optional, and not including V= caused
	  errors with wpa_supplicant.
	* Do not include M= in MSCHAPv1 errors.  It's not supported.

FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
	Feature improvements
	* Make "pool" configurations more consistent, and
	  update documentation for them.
	* Move connection pool logic to "most recently started",
	  instead of MRU.  This should help with pool stability.
	* More VSAs for 3GPP2
	* Added examples of multi-value attributes to rlm_perl.
	* LDAP-Group and SQL-Group attributes are now dynamically
	  allocated.
	* Only the "sql" module registers SQL-Group.  Other instances
	  register "instance-name-SQL-Group", similarly to "ldap".
	* Unknown attributes are now complained about more often
	  when used in unlang statements.  e.g. if (Foo-Bar == 3)
	  used to be a string to string comparison.  It is now a
	  parse error.
	* Rename RLM_COMPONENT_* to MOD_* in the code.
	  This makes many things easier.
	* Move to C99 initializers for modules.
	* Load modules in raddb/mods-enabled.  This allows attributes
	  like "LDAP-Group" to be used in the "files" module,
	  without explicit ordering or listing in "instantiate".
	* Added 'bootstrap' section to modules.  Third-party modules
	  will need to be updated.
	* When adding clients from a DB, add them to a virtual server
	  if that virtual server has a "listen" section.  Otherwise,
	  add the clients to the global list.
	* When reading dynamic clients from a file, don't expire them
	  if the underlying file is unchanged.
	* Allow the server to originate CoA requests from the post-auth
	  stage.
	* The server creates ${run_dir} and ${logdir} in daemon mode,
	  if they do not already exist.
	* Add dictionary for Wi-Fi Alliance Hotspot 2.0.  The server
	  now supports all mandatory and optional attributes for this
	  specification.
	* HUP now re-loads the configuration only if the files have
	  changed.  If all files are unchanged, HUP re-opens the
	  log file, and does nothing else.
	* Much better debug messages for EAP-TLS, including which
	  attributes are cached, and when they are retrieved.
	* Increase default max_requests to 16384.  Memory is cheap now.
	* Added "stats memory" commands to radmin.  Debug build only.
	* Aptilo controller dictionary updates.
	* SQL modules now use Acct-Unique-Session-Id everywhere.
	* The redis modules are now stable.
	* The LDAP module now supports SASL "interactive bind" method.
	  This allows Kerberos based administrator and user binds.
	* DHCP code is now in libfreeradius-dhcp.
	* More DHCP encoding / decoding unit tests.
	* rlm_replicate can now be listed in the "accounting" section.
	* Better sqlite debugging output.
	* Remove "required" option from many sql_ippool directives.
	* Set default CA "basic constraints" to "critical".  Fixes #1073
	* Updates to help / man pages from Jorge Pereira.
	* Added more tests.

	Bug fixes
	* Be more careful about unused config item warnings
	  when using -Xx.
	* Move more defines to be auto-generated.
	* Allow virtual servers in proxy fallback.
	* Allow %{module:} to work.
	* Don't crash in RadSec.  Closes #980.
	* Return better errors when a unix group / user
	  is not found.
	* Re-enable detail module "locking" parameter.
	* Don't crash when logging replies from Status-Server packets.
	* The couchbase module now uses "update" instead of "map",
	  for consistency with the rest of the server.  See
	  raddb/mods-available/couchbase
	* Don't require NT-Password for MS-CHAP password changes.
	* Be a bit more careful about decrypting MS-CHAP-MPPE-Key
	  attributes. Closes #1013.  There is no perfect fix, tho.
	* Fix security issues with EAP-PWD.
	  See http://freeradius.org/security.html#eap-pwd-2015
	* Fix dynamic clients read from SQL in non-debug mode
	* MS-CHAP now allows retries (i.e. password change) when
	  passwords are expired.
	* Allow "user=radiusd" when the server is already user
	  "radiusd"
	* suid up/down works on non-Linux systems.  This means
	  that the control socket should have the correct
	  ownership.
	* Fix issue which caused the server to sometimes have problems
	  when a home server was marked zombie.
	* Fix format.pl because Perl is now more picky.
	* Fix proxy to Packet-Dst-IP-Address, so that it uses the
	  correct destination port.
	* Fix corner case with cursor functions and removal.
	* OpenDirectory fixes and documentation.
	* Fix leaks in rlm_redis.
	* RFC 6929 "evs" attributes are now encoded / decoded
	  properly.
	* Fix talloc pool leaks when receiving malformed or
	  retransmitted Accounting/CoA requests.
	* Printed attributes again use double quotes instead of
	  single quotes.
	* Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl"
	  to eap.conf.  Fixes oCert CVE-2015-4680.
	* rlm_expr now errors out correctly on malformed attribute
	  references instead of triggering an assert.
	* Make "break" work in "foreach" loops
	* Allow dynamic expansions to work again in the "hints" file.
	* Correct minor typos in comments and examples from Alan Buxey.
	* Re-urlencode the path portion of ldapi:// urls before
	  passing it to ldap_initialise.

FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
	Feature improvements
	* Allow syslog_severity to be set in rlm_linelog.
	* Allow defaults to be set for bulk clients in LDAP and couchbase.
	* Updates to dhcpclient.  Patches from Nicolas C.
	* rlm_mschap now supports direct connections to winbind, which
	  is faster than ntlm_auth.  See raddb/mods-available/mschap.
	  Patch from Matthew Newton.
	* Recommend /dev/urandom for TLS randomness, instead of
	  ${certdir}/random
	* Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
	* Allow Expanded EAP types where vendor is 0 (IETF) and
	  type is normal EAP type.  Supplicants sending Expanded
	  EAP types like this are broken.
	* Add support for server side sort controls when searching for
	  user objects in rlm_ldap.

	Bug fixes
	* Don't complain about "authorize" in "server {}" blocks, but
	  only if there's no "server" block.
	* Fix cosmetic issue where debug from the first packet read by
	  a detail reader thread would be emitted during config parsing.
	* Fix ASSERT on truncated detail packets.
	* Don't use main server log functions from within panic_action,
	  as in the case of syslog this would cause deadlocks if the
	  fault was triggered from within a malloc.
	* Fix issue in "switch" when "correct_escapes = false".
	  Fixes #911.
	* Fix sqlcounter configuration to use "%%b" instead of "%b",
	  otherwise the new syntax validation will fail.
	* Allow forward references in configuration items.  Modules
	  aren't always loaded in a sane order.
	* Fix more escaping issues.  Closes #912.
	* Decode MAC addresses correctly for VMPS.
	* Fix memory leak with TLS connections.
	* Fix state machine threading issues for conflicting packets.
	* Fix copy_request_to_tunnel issues for tagged attributes.
	* Allow "ok" to over-ride "updated" inside of Auth-Type sections.
	* Update state machine so that post-proxy is run though child
	  threads for performance, instead of blocking the main thread.
	* Allow "netmask" to work again in client definitions.
	* Relax restrictions on SQL group queries.
	* track outgoing proxy sockets and clean them up more aggressively.
	* track proxy statistics, including CoA and Disconnect.
	* If radmin has a connection failure when running a command,
	  it re-connects and runs the command again.
	* mark home servers "unknown" less aggressively.
	* Fix potential SEGV in PostgreSQL driver on error.
	* Fix issue where fields like nas_type would not be accessible via
	  the %{client:} xlat, for dynamic clients.
	* Set default busy_timeout (of 200ms) in the sqlite driver, so writes
	  don't cause selects to fail in multithreaded mode. This is user
	  configurable, and may be increased if required.
	* Convert Password-With-Header attributes to binary (from hex or
	  base64), in the authorize method of rlm_pap.
	* Fix invalid assert in state.c, that could cause abort in
	  post-auth.
	* Fix double free when -m flag is used, and connection pools are
	  referenced by multiple modules.
	* RADIUS over TLS accounting uses the same port as authentication.
	* Regularized return codes from radmin commands.
	* Fix RHEL spec file so it works correctly for Centos7 which uses
	  systemd, and didn't like the SystemV init script.
	* radwho and radlast now have a -D option to load dictionaries
	* DHCP packets are no longer checked for duplicates.
	* Don't crash in sql module group comparisons in corner case.
	* Calculate MPPE keys correctly when using TLS 1.2.
	* Fix load-balance sections.  Closes #945
	* TLS certificates are available again in the post-auth section.
	  They are not available for session resumption.
	* radclient encodes CHAP-Password properly when using -c.
	  Closes #955.
	* Fix issue in rlm_cache_memcached driver that caused variable
	  length values to be truncated.
	* Fix track functionality in detail reader, so it no longer
	  fails with a "Failed marking detail request as done: Bad file
	  descriptor" error.
	* Actually add the peer identity (as User-Name) to the inner
	  tunnel in EAP-PWD requests, so it's available for lookups.
	* Fixes to PostgreSQL queries.  Patches from Santiago Gimeno.

FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
	Feature improvements
	* Allow coa home_servers to be derived from client
	  sections if a coa_server section is provided.
	* Automatically determine the correct port if no port is
	  provided for a home server.
	* Allow foreach to operate over lists.
	* Add compile time features to ${feature.*} and versions
	  of core libraries to ${version.*}.  Feature and version
	  names match output of radiusd -xv. %v is now deprecated.
	* Add support for PATCH method in rlm_rest.
	* Validate more module xlats on startup, and warn if an
	  xlat expansion is found in a double quoted config item
	  which will not be expanded.
	* Add support for sub-second timeouts in rlm_rest.
	* Add support for connection timeouts in rlm_rest.
	* Add %{jsonquote:<str>} xlat to escape strings for insertion
	  into json documents.
	* Add %{ldapquote:<str>} xlat to escape strings for insertion
	  into ldap DNs.
	* Add %{explode:&ref <char>}, splits value of &ref on
	  <char> and creates new &ref type attributes with the
	  fragments.
	* Allow rlm_ldap to use attribute references for base_dn and
	  filter config items. The attribute references are not
	  escaped, allowing DNs and filters to be created dynamically.
	* Add %{nexttime:[<int>]h|d|w|y} to calculate the number of
	  seconds before the next <int> hour(s), day(s), week(s),
	  or year(s).
	* Allow the left side of update sections to be xlat expansions.
	  The result of the expansion is then used to reference the
	  attribute to be modified.
	* Added %{lpad:&Attribute-Name 7 x} and rpad.  These produce
	  fixed-width output strings, with padding to the left (lpad)
	  or the right (rpad).
	* For some SQL drivers (MySQL, sqlite) distinguish between
	  constraints violations (on insert), invalid queries, and
	  server errors, and return noop, invalid, and error respectively.
	* Call SHOW WARNINGS in the MySQL driver and write them to
	  the request log, if libmysqlclient indicates warnings are
	  available on the server.
	* Forbid the creation of Vendor-Specific for non-standard
	  VSAs.  Use Attr-26 = 0x... instead.
	* Make dhcpclient work with raw sockets and various other
	  improvements - Contributed by nchaigne
	* Add support for SSHA2 - Contributed by PDD.
	* Add perle dictionary - Contributed by Hachmer
	* Modernise init scripts for RHEL, SUSE and Debian.
	* radmin now tracks the return code of commands, and exits
	  with status "1" if any command failed to execute.
	* radmin now sends error messages from the server to
	  stderr, instead of to stdout.
	* radmin now looks for sockets matching its UID and GID,
	  rather than just always using the first one it finds.
	* radmin can now delete clients which are tied to a listener.
	* Moved RADIUS attribute definitions to src/include/rfc*.h
	* Move to talloc pools for requests.  For in-memory tests
	  (default config, 'users' file), performance increases by 30%.
	* In rlm_ldap allow sasl_mech to be specified for admin and
	  user binds. Only non-interactive mechs (like EXTERNAL)
	  are currently supported.
	* Remove support for ephemeral RSA keys.  They were "export only",
	  and should not be used by anyone.
	* Syntax errors in the "users" file now produce better
	  error messages.

	Bug fixes
	* Fix issues parsing LDAP hostnames with non-standard ports.
	* Fix issues with realms containing regular expressions.
	* Allow unary negation before parentheses in rlm_expr.
	* Fix infinite loop in kevent event loop code. Issue only
	  presented on FreeBSD.
	* Be more careful to define Auth-Types before loading modules.
	* Link libfreeradius-radius against OpenSSL too, to avoid
	  multi-version symbols in SSL libraries.
	* When rlm_ldap rebinds a connection, it should use bind
	  credentials from the module that created the connection
	  pool, not credentials from the module referencing it.
	* Empty server config pairs should be allowed in rlm_ldap
	  instances that reference another module's connection pool.
	* Mark rlm_always as huppable, so its rcode can be changed
	  via radmin (allows policy toggles).
	* Emit warnings when ignoring user configured pool values.
	* Fix issue that would cause radclient to complain
	  intermittently about differing numbers of filters and
	  requests.
	* Fix cosmetic issues in connection pool logging, that made
	  it appear as if the same connection was being opened
	  multiple times.
	* Fix threadsafety issues in SQL drivers, where a static
	  buffer was used to store error messages.
	* Log RERROR, RWARN, RINFO to the global log if request
	  logging is not enabled.
	* Link to libldap instead of libldap_r. libldap_r
	  is not supported for use by projects outside of OpenLDAP.
	* Set connection timeout correctly in rlm_sql_mysql.
	* Build with older versions of libcurl, and use CFLAGS from
	  curl-config.
	* Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
	* Initialise ldapai_info_version field, so libldap will report
	  its vendor and version.
	* Fix log rotation scripts by using the copyrotate option.
	* Fix issue that caused opening control sockets to always
	  fail on non-Linux systems, if a user or group was set.
	* Save Session-State after proxying.
	* Additional fixes for reading CoA/DM requests from detail
	  files.
	* Create dynamic clients if the dynamic clients virtual server
	  returns ok *or* updated. Emit useful messages for other codes.
	* Compile bare "authorize" statements, and issue errors saying
	  using them isn't a good idea.

FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium
	Feature improvements
	* radmin / raddebug conditional errors are printed
	  to the output, instead of being discarded.
	* raddebug will exit if condition set with -c was invalid.
	* radmin auto-reconnects if the connection to the server
	  has gone away.
	* rlm_cache now has submodule support.  See
	  raddb/mods-available/cache
	* New memcached driver for rlm_cache. See
	  raddb/mods-available/cache
	* Add support for &Attribute-Name[*] in conditions.
	  See "man unlang" for details.
	* Add &Attribute-Name[n] which gets the last instance
	  of an attribute e.g. Module-Failure-Message[n].
	* Allow for redundant string expansions.  See the
	  "instantiate" section of radiusd.conf.
	* When checking IP addresses in conditions, make the
	  right side be parsed as an IP prefix.
	* Support JIT compilation of compiled regular expressions
	  when built with libpcre.
	* Support named capture groups with "%{regex:<name>}"
	  when built with libpcre.
	* Increase regular expression capture groups from 8 to 32.
	* Emit error markers for badly formed regular expressions.
	* Allow 'm' flag to enable multiline mode in regular
	  expressions.
	* Support limited implicit attribute conversion in update
	  sections.
	* Support casting between IPv6 and IPv4 where the IPv6
	  address has the v4/v6 mapping prefix (::ffff:).

	Bug fixes
	* PEAP works again.  As does proxying EAP-MSCHAPv2
	  from inside of a PEAP tunnel.
	* "group" is allowed inside of "instantiate" sections.
	* update disconnect {} with
	  disconnect:Packet-Dst-IP-Address now works correctly.
	* Regular expression comparisons of non string attributes
	  are now disallowed in the files module.  Previously
	  they would silently fail or produce undefined behaviour.
	* Fix parsing of old regular expressions.  Closes #842
	* Fix off by one error in ascend filters.  Closes #843.
	* Handle NT-Hash in rlm_pap.  This allows passwords to
	  have backslashes in them.
	* Fix infinite loop on "Fall-Through = yes" when
	  processing SQL groups.
	* Correct the check of SQL query return code.
	* Run "Post-Auth-Type Reject" if the request was rejected
	  in post-auth
	* Write "Login OK" only if the post-auth section passed.
	* Create TLS-Cert-* certificates, even when EAP session
	  caching is disabled.
	* Finalize the "correct_escapes" with many more tests.
	* Move to the new OpenLDAP libldap API, fixes more issues
	  with binary values.
	* Fix potential memory corruption in rlm_ldap if start
	  connections were set to 0, and the server was running
	  in threaded mode. The fix is a workaround for an issue
	  in libldap and was suggested by Howard Chu.
	* Give parse errors on "%{...", without the closing brace.
	* Allow spaces in certificate passwords for build rules
	  in raddb/certs/
	* Make all regular expression evaluation binary safe.
	  Where that's not possible, emit an error if the pattern
	  or subject contains an embedded null byte.
	* Fix various issues around masking IPv6 addresses.
	* Give descriptive error if unknown attributes are used
	  in "update" sections.
	* Deal with cases where ldap_initialize isn't available
	  gracefully, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium
	Feature improvements
	* Large update to Huawei dictionary.
	* Added dictionary.rfc7155
	* Regular expressions like /%{User-Name}/ are now parsed
	  and validated when the server starts.
	* All configuration items which are dynamically expanded
	  are now parsed and validated when the server starts.
	* %{expr:...} expressions can now do bit shifting and more.
	  See raddb/mods-available/expr.
	* The detail file reader can now track packets which have
	  had replies, so they are never re-transmitted.  See
	  raddb/sites-available/buffered-sql, the "track" config item.
	* CoA and Disconnect packets can now be sent to a specific
	  home server by setting control:Packet-Dst-IP-Address and
	  (optionally) control:Packet-Dst-Port.
	* Allow CoA and Disconnect packets to be read from the
	  detail file.
	* Allow LDAP to specify arbitrary attributes for dynamic
	  clients.
	* Convert all unused attributes in the control: list to config
	  pairs in dynamic clients. This allows arbitrary client
	  attributes to be set for dynamic clients too.
	* rlm_couchbase now supports bulk loading of clients on startup
	  in a similar way to rlm_ldap. Contributed by Aaron Hurt.
	* Allow one level of backslashes (finally).  See radiusd.conf,
	  "correct_escapes" setting.
	* Rename dictionary.redback to dictionary.ericsson.ab
	* Add --disable-openssl-version-check option to configure.
	  So vendors can disable the check.  Patch from
	  Nikolai Kondrashov.
	* Do context-specific indenting in debug messages.  This makes
	  the debug output easier to read.
	* Make configuration a separate RPM, just like for Debian.
	* better decoding of unknown VSAs
	* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
	  in EAP methods.
	* Allow multiple new connections to be spawned simultaneously
	  in the connection pool, to cope with spikes in traffic.
	* Document retry_delay in connection pools.
	* Allow checksimul in rlm_couchbase.
	* Use kqueue on systems which support it.  This allows for
	  better scaling when using many sockets.

	Bug fixes
	* Parse list qualifiers in generic LDAP 'valuepair_attribute'
	  attributes correctly.
	* Fix issue where prefix length would be ignored for dynamic
	  or static clients if the address matched INADDR_ANY
	  (0.0.0.0).
	* Allow null user object filter in rlm_ldap, it's valid to
	  specify a complete object DN and use the base scope.
	* Don't SEGV if a received attribute value in a JSON structure
	  is null, or a value can't be stringified.
	* Don't assert if the server returns a JSON content-type and
	  the server hasn't been built with support for JSON.
	  Closes #808.
	* Set CURLOPT_NOSIGNAL to prevent curl from handling signals
	  and causing a longjmp error when the server was running with
	  threads.
	* Allow tabs after attribute names in the "users" file.
	  Closes #796.
	* Free unknown DICT_ATTRs.  Closes #795
	* Handle unknown attributes in the conditions and "update"
	  sections.  e.g. Attr-1.2.3.4 = foo.
	* Use correct array size for MS-CHAP new password.
	* In rlm_rest, check for older versions of libraries at start
	  time, rather than when a packet comes in.
	* Don't call detach on parse error in rlm_perl.  Closes #802.
	* Integer fixes for big-endian systems.  Closes #803.
	* Don't optimize %{Packet-Src-IP-Address}.  Closes #804.
	* dhcpclient loads dictionaries correctly.  Closes #805.
	* double quotes are no longer escaped in single-quoted
	  strings.  e.g. 'foo "hello" bar'.
	* Fixes for proxying to virtual servers broke the detail file
	  reader.  Now they both work.
	* Typos and fixes from Nikolai Kondrashov.
	* Fixes to OpenSSL version checks, for cross-platform issues.
	* cppcheck fixes from Herwin Weststrate.
	* Fix build for OSX Yosemite
	* Merge DHCP sub-options.  Closes #812.
	* Fix decoding of Starent attributes.
	* When a module asks for a connection, don't return idle
	  connections.
	* LDAP connection timeouts will now retry, instead of failing.
	* Prevent race conditions between fork and wait for child.
	  Patch from James Rouzier.
	* Fix triggers for connection pools.  Patches from
	  Nikolai Kondrashov.
	* Fix SEGV when comparing non string type check items.
	* Build with newer versions of libmysqlclient.
	* make the %{escape:} and %{unescape:} xlat functions UTF8
	  safe.
	* Don't escape UTF8 chars in SQL query strings.
	* Fix issue in cached LDAP group comparisons, which caused
	  checks to sometimes fail.
	* Fix use after free issue in unlang switch evaluation.
	* Respect operators in rlm_cache when merging into the current
	  request.
	* Update Cache-Entry-Hits each time rlm_cache is called.
	* Produce WARN messages if SQL queries are empty strings.
	* Fix invalid assertion when proxying CoA requests.
	* Allow empty strings in "case" statements.  Closes #836.
	* Normalize escaping for string expansions.  i.e. don't do
	  double escaping in rare situations.
	* Normalize LDAP escaping.  LDAP servers have multiple ways
	  to escape things, so the data has to be normalized before
	  we can compare two LDAP DNs.
	* Don't go to high debug level if we're proxying inner EAP
	  as EAP.  Closes #839.
	* Fix rlm_rest state handling.  Closes #835.
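The 3.0.6 entry above about making regular expression evaluation binary safe, and emitting an error where the pattern or subject contains an embedded NUL byte, describes a classic C string pitfall. As an added example that is not code from the FreeRADIUS project or from this bug report (function names are my own), a naive POSIX regex matcher is shown next to a length-aware one that refuses to evaluate data the NUL-terminated API cannot carry.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Return values shared by both matchers below. */
enum { RE_NO_MATCH = 0, RE_MATCH = 1,
       RE_ERR_EMBEDDED_NUL = -1, RE_ERR_COMPILE = -2, RE_ERR_NOMEM = -3 };

/*
 * Naive matcher: regcomp()/regexec() take NUL-terminated C strings, so any
 * data after an embedded NUL in the subject is silently ignored. A subject
 * such as "admin\0-impostor" is evaluated as if it were just "admin".
 */
int regex_match_naive(const char *pattern, const char *subject)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return RE_ERR_COMPILE;
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? RE_MATCH : RE_NO_MATCH;
}

/* Copy an explicit-length buffer into a fresh NUL-terminated string. */
static char *copy_terminated(const char *buf, size_t len)
{
    char *out = malloc(len + 1);
    if (out) { memcpy(out, buf, len); out[len] = '\0'; }
    return out;
}

/*
 * Length-aware matcher: the caller passes explicit lengths, and evaluation
 * is refused when either buffer holds a NUL, instead of quietly matching
 * against a truncated view of the data.
 */
int regex_match_checked(const char *pattern, size_t plen,
                        const char *subject, size_t slen)
{
    char *p, *s;
    int rc;

    if (memchr(pattern, '\0', plen) || memchr(subject, '\0', slen))
        return RE_ERR_EMBEDDED_NUL;

    /* Both buffers are NUL-free, so NUL-terminated copies lose nothing. */
    p = copy_terminated(pattern, plen);
    s = copy_terminated(subject, slen);
    rc = (p && s) ? regex_match_naive(p, s) : RE_ERR_NOMEM;
    free(p);
    free(s);
    return rc;
}
```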

Comment 23 Dmitri Pal 2016-05-23 16:51:52 UTC
Based on the internal prioritization and resource discussion this rebase and related issues have been deferred from 7.3 to 7.4.

Comment 36 Nikolai Kondrashov 2017-02-15 15:47:07 UTC
We're working on rebase to 3.0.12, which is required to get fixes for a number of bugs.

Comment 41 Paulo Anes 2017-06-02 09:40:55 UTC
Should this rebase be to the 3.0.14 version that fixes CVE-2017-9148?

See: #1456697

Comment 42 Nikolai Kondrashov 2017-06-02 09:42:34 UTC
No, we're backporting the fix.

Comment 44 errata-xmlrpc 2017-08-01 20:36:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1954