From: Alan T. DeKok Date: Tue, 12 Feb 2013 15:13:49 +0000 (-0500) Subject: Prune changelog from before 2.2.0 X-Git-Tag: release_2_2_1~176 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfc17e1fbcfddd6e766fd60bd4c431c5760e8170;p=thirdparty%2Ffreeradius-server.git Prune changelog from before 2.2.0 --- diff --git a/doc/ChangeLog b/doc/ChangeLog index 79836fb685a..7405c2d6d7e 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -124,872 +124,3 @@ FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium wouldn't use methods it knew about. * Add more sanity checks in dynamic_clients code so the server won't crash if it attempts to load a badly formated client definition. - -FreeRADIUS 2.1.12 Fri 30 Sept 2011 16:57:38 CEST, urgency=medium - Feature improvements - * Updates to dictionary.erx, dictionary.siemens, dictionary.starent, - dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol - * Added support for PCRE from Phil Mayers - * Configurable file permission in rlm_linelog - * Added "relaxed" option to rlm_attr_filter. This copies attributes - if at least one match occurred. - * Added documentation on dynamic clients. - See raddb/modules/dynamic_clients. - * Added support for elliptical curve cryptography. - See ecdh_curve in raddb/eap.conf. - * Added support for 802.1X MIBs in checkrad - * Added support for %{rand:...}, which generates a uniformly - distributed number between 0 and the number you specify. - * Created "man" pages for all installed commands, and documented - options for all commands. Patch from John Dennis. - * Allow radsniff to decode encrypted VSAs and CoA packets. - Patch from Bjorn Mork. - * Always send Message-Authenticator in radtest. Patch from John Dennis. - radclient continues to be more flexible. - * Updated Oracle schema and queries - * Added SecurID module. See src/modules/rlm_securid/README - - Bug fixes - * Fix memory leak in rlm_detail - * Fix "failed to insert event" - * Allow virtual servers to be reloaded on HUP. - It no longer complains about duplicate virtual servers. - * Fix %{string:...} expansion - * Fix "server closed socket" loop in radmin - * Set ownership of control socket when starting up - * Always allow root to connect to control socket, even if - "uid" is set. They're root. They can already do anything. - * Save all attributes in Access-Accept when proxying inner-tunnel - EAP-MSCHAPv2 - * Fixes for DHCP relaying. 
- * Check certificate validity when using OCSP. - * Updated Oracle "configure" script - * Fixed typos in dictionary.alvarion - * WARNING on potential proxy loop. - * Be more aggressive about clearing old requests from the - internal queue - * Don't open network sockets when using -C - -FreeRADIUS 2.1.11 Mon 20 Jun 2011 12:57:38 CEST, urgency=medium - Feature improvements - * Added doc/rfc/rfc6158.txt: RADIUS Design Guidelines. - All vendors need to read it and follow its directions. - * Microsoft SoH support for PEAP from Phil Mayers. - See doc/SoH.txt - * Certificate "bootstrap" script now checks for certificate expiry. - See comments in raddb/eap.conf, and then "make_cert_command". - * Support for dynamic expansion of EAP-GTC challenges. - Patch from Alexander Clouter. - * OCSP support from Alex Bergmann. See raddb/eap.conf, "ocsp" - section. - * Updated dictionary.huawei, dictionary.3gpp, dictionary.3gpp3. - * Added dictionary.eltex, dictionary.motorola, and dictionary.ukerna. - * Experimental redis support from Gabriel Blanchard. - See raddb/modules/redis and raddb/modules/rediswho - * Add "key" to rlm_fastusers. Closes bug #126. - * Added scripts/radtee from original software at - http://horde.net/~jwm/software/misc/comparison-tee - * Updated radmin "man" page for new commands. - * radsniff now prints the hex decoding of the packet (-x -x -x) - * mschap module now reloads its configuration on HUP - * Added experimental "replicate" module. See raddb/modules/replicate - * Policy "foo" can now refer to module "foo". This lets you - over-ride the behavior of a module. - * Policy "foo.authorize" can now over-ride the behavior of module - "foo", "authorize" method. - * Produce errors in more situations when the configuration files - have invalid syntax. - - Bug fixes - * Ignore pre/post-proxy sections if proxying is disabled - * Add configure checks for pcap_fopen*. 
- * Fix call to otp_write in rlm_otp - * Fix issue with Access-Challenge checking from 2.1.10, when the - debug flag was set after server startup. Closes #116 and #117. - * Fix typo in zombie period start time. - * Fix leak in src/main/valuepair.c. Patch from James Ballantine. - * Allow radtest to use spaces in shared secret. - Patch from Cedric Carree. - * Remove extra calls to HMAC_CTX_init() in rlm_wimax, fixing leak. - Patch from James Ballantine. - * Remove MN-FA key generation. The NAS does this, not AAA. - Patch from Ben Weichman. - * Include dictionary.mikrotik by default. Closes bug #121. - * Add group membership query to MS-SQL examples. Closes bug #120. - * Don't cast NAS-Port to integer in Postgresql queries. - Closes bug #112. - * Fixes for libtool and autoconf from Sam Hartman. - * radsniff should read the dictionaries in more situations. - * Use fnmatch to check for detail file reader==writer. - Closes bug #128. - * Check for short writes (i.e. disk full) in rlm_detail. - Closes bug #130. Patches and testing from John Morrissey. - * Fix typo in src/lib/token.c. Closes bug #124 - * Allow workstation trust accounts to use MS-CHAP. - Closes bug #123. - * Assigning foo=`/bin/echo hello` now produces a syntax error - if it is done outside of an "update" section. - * Fix "too many open file descriptors" problem when using - "verify client" in eap.conf. - * Many fixes to dialup_admin for PHP5, by Stefan Winter. - * Allow preprocess module to have "hints = " and "huntgroups =", - which allows them to be empty or non-existent. - * Renamed "php3" files to "php" in dialup_admin/ - * Produce error when sub-TLVs are used in a dictionary. They are - supported only in the "master" branch, and not in 2.1.x. - * Minor fix in dictionary.redback. Closes bug #138. - * Fixed MySQL "NULL" issues in ippool.conf. Closes bug #129. - * Fix to Access-Challenge warning from Ken-ichirou Matsuzawa. - Closes bug #118. - * DHCP fixes to send unicast packets in more situations. 
- * Fix to udpfromto, to enable it to work on IPv6 networks. - * Fixes to the Oracle accounting_onoff_query. - * When using both IPv4 and IPv6 home servers, ensure that we use the - correct local socket for proxying. Closes bug #143. - * Suppress messages when thread pool is nearly full, all threads - are busy, and we can't create new threads. - * IPv6 is now enabled for udpfromto. Closes bug #141 - * Make sqlippool query buffer the same size as sql module. - Closes bug #139. - * Make Coa / Disconnect proxying work again. - * Configure scripts for rlm_caching from Nathaniel McCallum - * src/lib/dhcp.c and src/include/libradius.h are LGPL, not GPL. - * Updated password routines to use time-insensitive comparisons. - This prevents timing attacks (though none are known). - * Allow sqlite module to do normal SELECT queries. - * rlm_wimax now has a configure script - * Moved Ascend, USR, and Motorola "illegal" dictionaries to separate - files. See share/dictionary for explanations. - * Check for duplicate module definitions in the modules{} section, - and refuse to start if duplicates are found. - * Check for duplicate virtual servers, and refuse to start if - duplicates are found. - * Don't use udpfromto if source is INADDR_ANY. Closes bug #148. - * Check pre-conditions before running radmin "inject file". - * Don't over-ride "no match" with "match" for regexes. - Closes bug #152. - * Make retry and error message configurable in mschap. - See raddb/modules/mschap - * Allow EAP-MSCHAPv2 to send error message to client. This change - allows some clients to prompt the user for a new password. - See raddb/eap.conf, mschapv2 section, "send_error". - * Load the default virtual server before any others. - This matches what users expect, and reduces confusion. - * Fix configure checks for udpfromto. Fixes Debian bug #606866 - * Definitive fix for bug #35, where the server could crash under - certain loads. Changes src/lib/packet.c to use RB trees. 
- * Updated "configure" checks to allow IPv6 udpfromto on Linux. - * SQL module now returns NOOP if the accounting start/interim/stop - queries don't do anything. - * Allow %{outer.control: ... } in string expansions - * home_server coa config now matches raddb/proxy.conf - * Never send a reply to a DHCP Release. - -FreeRADIUS 2.1.10 Tue 28 Sep 12:00:00 CEST 2010, urgency=medium - Feature improvements - * Install the "radcrypt" program. - * Enable radclient to send requests containing MS-CHAPv1 - Send packets with: MS-CHAP-Password = "password". It will - be automatically converted to the correct MS-CHAP attributes. - * Added "-t" command-line option to radtest. You can use "-t pap", - "-t chap", "-t mschap", or "-t eap-md5". The default is "-t pap" - * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120 - This change and the previous one makes PEAP testing much easier. - * Added more documentation and examples for the "passwd" module. - * Added dictionaries for RFC 5607 and RFC 5904. - * Added note in proxy.conf that we recommend setting - "require_message_authenticator = yes" for all home servers. - * Added example of second "files" configuration, with documentation. - This shows how and where to use two instances of a module. - * Updated radsniff to have it write pcap files, too. See '-w'. - * Print out large WARNING message if we send an Access-Challenge - for EAP, and receive no follow-up messages from the client. - * Added Cached-Session-Policy for EAP session resumption. See - raddb/eap.conf. - * Added support for TLS-Cert-* attributes. For details, see - raddb/sites-available/default, "post-auth" section. - * Added sample raddb/modules/{opendirectory,dynamic_clients} - * Updated Cisco and Huawei, HP, Redback, and ERX dictionaries. - * Added RFCs 5607, 5904, and 5997. - * For EAP-TLS, client certificates can now be validated using an - external command. See eap.conf, "validate" subsection of "tls". 
- * Made rlm_pap aware of {nthash} prefix, for compatibility with - legacy RADIUS systems. - * Add Module-Failure-Message for mschap module (ntlm_auth) - * made rlm_sql_sqlite database configurable. Use "filename" - in sql{} section. - * Added %{tolower: ...string ... }, which returns the lowercase - version of the string. Also added %{toupper: ... } for uppercase. - - Bug fixes - * Fix endless loop when there are multiple sub-options for - DHCP option 82. - * More debug output when sending / receiving DHCP packets. - * EAP-MSCHAPv2 should return the MPPE keys when used outside - of a TLS tunnel. This is needed for IKE. - * Added SSL "no ticket" option to prevent SSL from creating sessions - without IDs. We need the IDs, so this option should be set. - * Fix proxying of packets from inside a TTLS/PEAP tunnel. - Closes bug #25. - * Allow IPv6 address attributes to be created from domain names - Closes bug #82. - * Set the string length to the correct value when parsing double - quotes. Closes bug #88. - * No longer look users up in /etc/passwd in the default configuration. - This can be reverted by enabling "unix" in the "authorize" section. - * More #ifdef's to enable building on systems without certain - features. - * Fixed SQL-Group comparison to register only if the group - query is defined. - * Fixed SQL-Group comparison to register -SQL-Group, - just like rlm_ldap. This lets you have multiple SQL group checks. - * Fix scanning of octal numbers in "unlang". Closes bug #89. - * Be less aggressive about freeing "stuck" requests. Closes bug #35. - * Fix example in "originate-coa" to refer to the correct packet. - * Change default timeout for dynamic clients to 1 hour, not 1 day. - * Allow passwd module to map IP addresses, too. - * Allow passwd module to be used for CoA packets - * Put boot filename into DHCP header when DHCP-Boot-Filename - is specified. - * raddb/certs/Makefile no longer has certs depend on index.txt and - serial. Closes bug #64. 
- * Ignore NULL errorcode in PostgreSQL client. Closes bug #39 - * Made Exec-Program and Exec-Program-Wait work in accounting - section again. See sites-available/default. - * Fix long-standing memory leak in esoteric conditions. Found - by Jerry Nichols. - * Added "Password-With-Header == userPassword" to raddb/ldap.attrmap - This will automatically convert more passwords. - * Updated rlm_pap to decode Password-With-Header, if it was base64 - encoded, and to treat the contents as potentially binary data. - * Fix Novell eDir code to use the right function parameters. - Closes bug #86. - * Allow spaces to be escaped when executing external programs. - Closes bug #93. - * Be less restrictive about checking permissions on control socket. - If we're root, allow connecting to a non-root socket. - * Remove control socket on normal server exit. If the server isn't - running, the control socket should not exist. - * Use MS-CHAP-User-Name as Name field from EAP-MSCHAPv2 for MS-CHAP - calculations. It *MAY* be different (upper / lower case) from - the User-Name attribute. Closes bug #17. - * If the EAP-TLS methods have problems, more SSL errors are now - available in the Module-Failure-Message attribute. - * Update Oracle configure scripts. Closes bug #57. - * Added text to DESC fields of doc/examples/openldap.schema - * Updated more documentation to use "Restructured Text" format. - Thanks to James Lockie. - * Fixed typos in raddb/sql/mssql/dialup.conf. Closes bug #11. - * Return error for potential proxy loops when using "-XC" - * Produce better error messages when slow databases block - the server. - * Added notes on DHCP broadcast packets for FreeBSD. - * Fixed crash when parsing some date strings. Closes bug #98 - * Improperly formatted Attributes are now printed as "Attr-##". - If they are not correct, they should not use the dictionary name. - * Fix rlm_digest to be check the format of the Digest attributes, - and return "noop" rather than "fail" if they're not right. 
- * Enable "digest" in raddb/sites-available/default. This change - enables digest authentication to work "out of the box". - * Be less aggressive about marking home servers as zombie. - If they are responding to some packets, they are still alive. - * Added Packet-Transmit-Counter, to track detail file retransmits. - Closes bug #13. - * Added configure check for lt_dladvise_init(). If it exists, then - using it solves some issues related to libraries loading libraries. - * Added indexes to the MySQL IP Pool schema. - * Print WARNING message if too many attributes are put into a packet. - * Include dhcp test client (not built by default) - * Added checks for LDAP constraint violation. Closes bug #18. - * Change default raddebug timeout to 60 seconds. - * Made error / warning messages more consistent. - * Correct back-slash handling in variable expansion. Closes bug #46. - You SHOULD check your configuration for backslash expansion! - * Fix typo in "configure" script (--enable-libltdl-install) - * Use local libltdl in more situations. This helps to avoid - compile issues complaining about lt__PROGRAM__LTX_preloaded_symbols. - * Fix hang on startup when multiple home servers were defined - with "src_ipaddr" field. - * Fix 32/64 bit issue in rlm_ldap. Closes bug #105. - * If the first "listen" section defines 127.0.0.1, don't use that - as a source IP for proxying. It won't work. - * When Proxy-To-Realm is set to a non-existent realm, the EAP module - should handle the request, rather than expecting it to be proxied. - * Fix IPv4 issues with udpfromto. Closes bug #110. - * Clean up child processes of raddebug. Closes bugs #108 and #109 - * retry OTP if the OTP daemon fails. Closes bug #58. - * Multiple calls to ber_printf seem to work better. Closes #106. - * Fix "unlang" so that "attribute not found" is treated as a "false" - comparison, rather than a syntax error in the configuration. - * Fix issue with "Group" attribute. 
- -FreeRADIUS 2.1.9 Mon 24 May 8:00:00 CEST 2010, urgency=medium - Feature improvements - * Add radmin command "stats detail " to see what - is going on inside of a detail file reader. - * Added documentation for CoA. See raddb/sites-available/coa - * Add sub-option support for Option 82. See dictionary.dhcp - * Add "server" field to default SQL NAS table, and documented it. - - Bug fixes - * Reset "received ping" counter for Status-Server checks. In some - corner cases it was not getting reset. - * Handle large VMPS attributes. - * Count accounting responses from a home server in SNMP / statistics - code. - * Set EAP-Session-Resumed = Yes, not "No" when session is resumed. - * radmin packet counter statistics are now unsigned, for numbers - 2^31..2^32. After that they roll over to zero. - * Be more careful about expanding data in PAP and MS-CHAP modules. - This prevents login failures when passwords contain '{'. - * Clean up zombie children if there were many "exec" modules being - run for one packet, all with "wait = no". - * re-open log file after HUP. Closes bug #63. - * Fix "no response to proxied packet" complaint for Coa / Disconnect - packets. It shouldn't ignore replies to packets it sent. - * Calculate IPv6 netmasks correctly. Closes bug #69. - * Fix SQL module to re-open sockets if they unexpectedly close. - * Track scope for IPv6 addresses. This lets us use link-local - addresses properly. Closes bug #70. - * Updated Makefiles to no longer use the shell for recursing into - subdirs. "make -j 2" should now work. - * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes - bug #75. - * Updated Makefiles so that "make reconfig" no longer uses the shell - for recursing into subdirs, and re-builds all "configure" files. - * Used above method to regenerate all configure scripts. - Closes bug #34. - * Updated SQL module to allow "server" field of "nas" table - to be blank: "". This means the same as it being NULL. - * Fixed regex realm example. 
Create Realm attribute with value - of realm from User-Name, not from regex. Closes bug #40. - * If processing a DHCP Discover returns "fail / reject", ignore - the packet rather than sending a NAK. - * Allow '%' to be escaped in sqlcounter module. - * Fix typo internal hash table. - * For PEAP and TTLS, the tunneled reply is added to the reply, - rather than integrated via the operators. This allows multiple - VSAs to be added, where they would previously be discarded. - * Make request number unsigned. This changes nothing other than - the debug output when the server receives more than 2^31 packets. - * Don't block when reading child output in 'exec wait'. This means - that blocked children get killed, instead of blocking the server. - * Enabled building without any proxy functionality - * radclient now prefers IPv4, to match the default server config. - * Print useful error when a realm regex is invalid - * relaxed rules for preprocess module "with_cisco_vsa_hack". The - attributes can now be integer, ipaddr, etc. (i.e. non-string) - * Allow rlm_ldap to build if ldap_set_rebind_proc() has only - 2 arguments. - * Update configure script for rlm_python to avoid dynamic linking - problems on some platforms. - * Work-around for bug #35 - * Do suid to "user" when running in debug mode as root - * Make "allow_core_dumps" work in more situations. - * In detail file reader, treat bad records as EOF. - This allows it to continue working when the disk is full. - * Fix Oracle default accounting queries to work when there are no - gigawords attributes. Other databases already had the fix. - * Fix rlm_sql to show when it opens and closes sockets. It already - says when it cannot connect, so it should say when it can connect. - * "chmod -x" for a few C source files. - * Pull update spec files, etc. from RedHat into the redhat/ directory. - * Allow spaces when parsing integer values. This helps people who - put "too much" into an SQL value field. 
- -FreeRADIUS 2.1.8 Wed 30 Dec 16:44:50 CEST 2009, urgency=medium - Feature improvements - * Print more descriptive error message for too many EAP sessions. - This gives hints on what to do when "failed to store handler" - * Commands received from radmin are now printed on stdout when - in debugging mode. - * Allow accounting packets to be written to a detail file, even - if they were read from a different detail file. - * Added OpenSSL license exception (src/LICENSE.openssl) - - Bug fixes - * DHCP sockets can now set the broadcast flag before binding to a - socket. You need to set "broadcast = yes" in the DHCP listener. - * Be more restrictive on string parsing in the config files - * Fix password length in scripts/create-users.pl - * Be more flexible about parsing the detail file. This allows - it to read files where the attributes have been edited. - * Ensure that requests read from the detail file are cleaned up - (i.e. don't leak) if they are proxied without a response. - * Write the PID file after opening sockets, not before - (closes bug #29) - * Proxying large numbers of packets no longer gives error - "unable to open proxy socket". - * Avoid mutex locks in libc after fork - * Retry packet from detail file if there was no response. - * Allow old-style dictionary formats, where the vendor name is the - last field in an ATTRIBUTE definition. - * Removed all recursive use of mutexes. Some systems just don't - support this. - * Allow !* to work as documented. - * make templates work (see templates.conf) - * Enabled "allow_core_dumps" to work again - * Print better errors when reading invalid dictionaries - * Sign client certificates with CA, rather than server certs. - * Fix potential crash in rlm_passwd when file was closed - * Fixed corner cases in conditional dynamic expansion. - * Use InnoDB for MySQL IP Pools, to gain transactional support - * Apply patch to libltdl for CVE-2009-3736. 
- * Fixed a few issues found by LLVM's static checker - * Keep track of "bad authenticators" for accounting packets - * Keep track of "dropped packets" for auth/acct packets - * Synced the "debian" directory with upstream - * Made "unlang" use unsigned 32-bit integers, to match the - dictionaries. - -FreeRADIUS 2.1.7 Mon Sept 14 11:20:00 CEST 2009; , urgency=medium - Feature improvements - * Full support for CoA and Disconnect packets as per RFC 3576 - and RFC 5176. Both receiving and proxying CoA is supported. - * Added "src_ipaddr" configuration to "home_server". See - proxy.conf for details. - * radsniff now accepts -I, to read from a filename instead of - a device. - * radsniff also prints matching requests and any responses to those - requests when '-r' is used. - * Added example of attr_filter for Access-Challenge packets - * Added support for udpfromto in DHCP code - * radmin can now selectively mark modules alive/dead. - See "set module state". - * Added customizable messages on login success/fail. - See msg_goodpass && msg_badpass in log{} section of radiusd.conf - * Document "chase_referrals" and "rebind" in raddb/modules/ldap - * Preliminary implementation of DHCP relay. - * Made thread pool section optional. If it doesn't exist, - the server will run single-threaded. - * Added sample radrelay.conf for people upgrading from 1.x - * Made proxying more stable by failing over, rather than - rejecting the first request. See "response_window" in proxy.conf - * Allow home_server_pools to exist without realms. - * Add dictionary.iea (closes bug #7) - * Added support for RFC 5580 - * Added experimental sql_freetds module from Gabriel Blanchard. - * Updated dictionary.foundry - * Added sample configuration for MySQL cluster in raddb/sql/ndb - See the README file for explanations. - - Bug fixes - * Fixed corner case where proxied packets could have extra - character in User-Password attribute. Fix from Niko Tyni. 
- * Extended size of "attribute" field in SQL to 64. - * Fixes to ruby module to be more careful about when it builds. - * Updated Perl module "configure" script to check for broken - Perl installations. - * Fix "status_check = none". It would still send packets - in some cases. - * Set recursive flag on the proxy mutex, which enables safer - cleanup on some platforms. - * Copy the EAP username verbatim, rather than escaping it. - * Update handling so that robust-proxy-accounting works when - all home servers are down for extended periods of time. - * Look for DHCP option 53 anywhere in the packet, not just - at the start. - * Fix processing of proxy fail handler with virtual servers. - * DHCP code now prints out correct src/dst IP addresses - when sending packets. - * Removed requirement for DHCP to have clients - * Fixed handling of DHCP packets with message-type buried in the packet - * Fixed corner case with negation in unlang. - * Minor fixes to default MySQL & PostgreSQL schemas - * Suppress MSCHAP complaints in debugging mode. - * Fix SQL module for multiple instance, and possible crash on HUP - * Fix permissions for radius.log for sites that change user/group, - but which don't create the file before starting radiusd. - * Fix double counting of packets when proxying - * Make %l work - * Fix pthread keys in rlm_perl - * Log reasons for EAP failure (closes bug #8) - * Load home servers and pools that aren't referenced from a realm. - * Handle return codes from virtual attributes in "unlang" - (e.g. LDAP-Group). This makes "!(expr)" work for them. - * Enable VMPS to see contents of virtual server again - * Fix WiMAX module to be consistent with examples. (closes bug #10) - * Fixed crash with policies dependent on NAS-Port comparisons - * Allowed vendor IDs to be be higher than 32767. - * Fix crash on startup with certain regexes in "hints" file. 
- * Fix crash in attr_filter module when packets don't exist - * Allow detail file reader to be faster when "load_factor = 100" - * Add work-around for build failures with errors related to - lt__PROGRAM__LTX_preloaded_symbols. libltdl / libtool are horrible. - * Made ldap module "rebind" option aware of older, incompatible - versions of OpenLDAP. - * Check value of Fall-Through in attr_filter module. - -FreeRADIUS 2.1.6 Mon May 18 10:00:00 CEST 2009; urgency=medium - Feature improvements - * radclient exits with 0 on successful (accept / ack), and 1 - otherwise (no response / reject) - * Added support for %{sql:UPDATE ..}, and insert/delete - Patch from Arran Cudbard-Bell - * Added sample "do not respond" policy. See raddb/policy.conf - and raddb/sites-available/do_not_respond - * Cleanups to Suse spec file from Norbert Wegener - * New VSAs for Juniper from Bjorn Mork - * Include more RFC dictionaries in the default install - * More documentation for the WiMAX module - * Added "chase_referrals" and "rebind" configuration to rlm_ldap. - This helps with Active Directory. See raddb/modules/ldap - * Don't load pre/post-proxy if proxying is disabled. - * Added %{md5:...}, which returns MD5 hash in hex. - * Added configurable "retry_interval" and "poll_interval" - for "detail" listeners. - * Added "delete_mppe_keys" configuration option to rlm_wimax. - Apparently some WiMAX clients misbehave when they see those keys. - * Added experimental rlm_ruby from - http://github.com/Antti/freeradius-server/tree/master - * Add Tunnel attributes to ldap.attrmap - * Enable virtual servers to be reloaded on HUP. For now, only - the "authorize", "authenticate", etc. processing sections are - reloaded. Clients and "listen" sections are NOT reloaded. - * Updated "radwatch" script to be more robust. See scripts/radwatch - * Added certificate compatibility notes in raddb/certs/README, - for compatibility with different operating systems. (i.e. 
Windows) - - Bug fixes - * Minor changes to allow building without VQP. - * Minor fixes from John Center - * Fixed raddebug example - * Don't crash when deleting attributes via unlang - * Be friendlier to very fast clients - * Updated the "detail" listener so that it only polls once, - and not many times in a row, leaking memory each time... - * Update comparison for Packet-Src-IP-Address (etc.) so that - the operators other than '==' work. - * Did autoconf magic to work around weird libtool bug - * Make rlm_perl keep tags for tagged attributes in more situations - * Update UID checking for radmin - * Added "include_length" field for TTLS. It's needed for RFC - compliance, but not (apparently) for interoperability. - -FreeRADIUS 2.1.5 Sun Jan 1 1:1:00 CEST 2009; , urgency=medium - * Release number skipped due to procedural issues. - -FreeRADIUS 2.1.4 Tue Mar 10 17:05:00 CEST 2009; , urgency=medium - Feature improvements - * Permit multiple "-e" in radmin. - * Add support for originating CoA-Request and Disconnect-Request. - See raddb/sites-available/originate-coa. - * Added "lifetime" and "max_queries" to raddb/sql.conf. - This helps address the problem of hung SQL sockets. - * Allow packets to be injected via radmin. See "inject help" - in radmin. - * Answer VMPS reconfirmation request. Patch from Hermann Lauer. - * Sample logrotate script in scripts/logrotate.freeradius - * Add configurable poll interval for "detail" listeners - * New "raddebug" command. This prints debugging information from - a running server. See "man raddebug. - * Add "require_message_authenticator" configuration to home_server - configuration. This makes the server add Message-Authenticator - to all outgoing Access-Request packets. - * Added smsotp module, as contributed by Siemens. - * Enabled the administration socket in the default install. 
- See raddb/sites-available/control-socket, and "man radmin" - * Handle duplicate clients, such as with replicated or - load-balanced SQL servers and "readclients = yes" - - Bug fixes - * Clean up control sockets when they are closed, so that we don't - leak memory. - * Define SUN_LEN for systems that don't have it. - * Correct some boundary conditions in the conditional checker ("if") - in "unlang". Bug noted by Arran Cudbard-Bell. - * Work around minor building issues in gmake. This should only - have affected developers. - * Change how we manage unprivileged user/group, so that we do not - create control sockets owned by root. - * Fixed more minor issues found by Coverity. - * Allow raddb/certs/bootstrap to run when there is no "make" - command installed. - * In radiusd.conf, run_dir depends on the name of the program, - and isn't hard-coded to "..../radiusd" - * Check for EOF in more places in the "detail" file reader. - * Added Freeswitch dictionary. - * Chop ethernet frames in VMPS, rather than droppping packets. - * Fix EAP-TLS bug. Patch from Arnaud Ebalard - * Don't lose string for regex-compares in the "users" file. - * Expose more functions in rlm_sql to rlm_sqlippool, which - helps on systems where RTLD_GLOBAL is off. - * Fix typos in MySQL schemas for ippools. - * Remove macro that was causing build issues on some platforms. - * Fixed issues with dead home servers. Bug noted by Chris Moules. - * Fixed "access after free" with some dynamic clients. - -FreeRADIUS 2.1.3 Fri Dec 5 17:40:00 CEST 2008; , urgency=medium - Feature improvements - * Allow running with "user=radiusd" and binding to secure - sockets. - * Start sending Status-Server "are you alive" messages earlier, - which helps with proxying multiple realms to a home server. - * Removed thread pool code from rlm_perl. It's not necessary. - * Added example Perl configuration to raddb/modules/perl - * Force OpenSSL to support certificates with SHA256. - This seems to be necessary for WiMAX certs. 
- - Bug fixes - * Fix Debian patch to allow it to build. - * Fix potential NULL dereference in debugging mode on certain - platforms for TTLS and PEAP inner tunnels. - * Fix uninitialized memory in handling of vendor definitions - * Fix parsing of quoted (but non-string) attributes in the "users" - file. - * Initialize uknown NAS IP to 255.255.255.255, rather than 0.0.0.0 - * use SUN_LEN in control socket, to avoid truncation on some - platforms. - * Correct internal handling of "debug condition" to prevent it - from being over-written. - * Check return code of regcomp in "unlang", so that invalid - regular expressions are caught rather than mishandled. - * Make rlm_sql use . Addresses bug #610. - * Document list "type = status" better. Closes bug #580. - * Set "default days" for certificates, because OpenSSL won't - do it. This closes bug #615. - * Reference correct list in example raddb/modules/ldap. - Closes #596. - * Increase default schema size for Acct-Session-Id to 64. - Closes #540. - * Fix use of temporary files in dialup-admin. Closes #605 - and addresses CVE-2008-4474. - * Addressed a number of minor issues found by Coverity. - * Added DHCP option 150 to the dictionary. Closes #618. - -FreeRADIUS 2.1.2 Thurs Dec 3 10:47:00 CEST 2008; , urgency=medium - Due to packaging issues, 2.1.2 has been pulled from the net. - -FreeRADIUS 2.1.1 Thu Sep 25 11:03:00 CEST 2008; , urgency=medium - Feature improvements - * Many more options and features in radmin. See "man radmin" and - raddb/sites-available/control-socket - * Many more commands available via the control socket. Connect - via "radmin", and type "help" for more information. - * Added dictionary.networkphysics and dictionary.lancom. - * Calculate WiMAX MIP keys, and added sample WiMAX SQL tables. 
- - Bug fixes - * Fixed bug that made radmin not work - * Fixed Suse && Debian package scripts - * Fixed issues with dynamic clients - * Fixed configure checks for -lreadline - * rlm_sqlippool no longer needs to be linked to rlm_sql. - * Add statistics for detail file listeners. This closes bug #593. - * Fixed printing of some WiMAX attributes. - * Fix double free on exit() in rlm_attr_filter - * Fixed build issues on Solaris. - * Fixed fast session resumption for EAP-TLS - -FreeRADIUS 2.1.0 Fri Sep 5 13:20:01 CEST 2008; , urgency=medium - Feature improvements - * Clients may now be defined dynamically, based on IP address. - See raddb/sites-available/dynamic-clients. - * SNMP support is now available through an experimental Perl script. - See scripts/snmp-proxy/README - * SNMP statistics are available through Status-Server packets. - See raddb/sites-available/status - * Added more Microsoft attributes from bug #568. - * The "linelog" module has more functionality and flexibility. - See raddb/modules/linelog. - * The debugging output has been sanitized. It should be much - more readable. - * Debug logs can now be turned on/off while the server is running, for - a user, group, realm, etc. See the "log" section of radiusd.conf. - * Added support for WiMAX Forum attributes. The dynamic keys - are not yet calculated. See share/dictionary.wimax - * Added session resumption for PEAP and TTLS. - See raddb/eap.conf, "cache" sub-section. - * Added "radmin" command-line tool for administering a running server. - See "man radmin" and raddb/sites-available/control-socket. - - Bug fixes - * Double escaping of '\\' in the "users" (and some other) files - has been fixed. If you have '\\' in the "users" file, your - configuration WILL NEED TO BE CHECKED, AND FIXED! - * Parse "security" section in radiusd.conf. This was accidentally - deleted in 2.0.5. Closes bug #566. - * Bind to interface before IP, which allows DHCP sockets to - listen on "*" for multiple interfaces. 
- * Fix handling of giaddr in DHCP responses. - * Corrected parsing of status_check in home_server so that it works. - * Fix hints so that "Puser" works again. - * Removed length restrictions on attribute names in the dictionaries. - * Update socket code to avoid C compiler optimizations. - -FreeRADIUS 2.0.5 ; Date: 2008/06/07 17:17:00 , urgency=medium - Feature improvements - * Permit SQL authorize_reply_query to be empty. - * Allow setting response packet type in Post-Proxy-Type Fail - handler. - * Added install-chown target to set correct permission and ownership - make RADMIN=radmin RGROUP=radius install-chown - * Support for LDAP-Group and other dynamic comparison attributes - in unlang. Developed from a patch by Jason Alderfer. - * Added chroot support. See radiusd.conf for comments. - * Allow clients of 0/0. We do not recommend using this, though. - * Moved many module configurations into raddb/modules/* - - Bug fixes - * Allow proxying to virtual servers for accounting packets, too. - * Added "num fields" function to PostgreSQL client. - * Updated proxy fallback mechanism to validate fallback servers, - and to process fallback requests in a child thread. - * rlm_realm returns "ok" for LOCAL realms, not "noop". - * Fixed some DHCP code handling. The examples should now work. - -FreeRADIUS 2.0.4 ; Date: 2008/04/30 08:56:40 , urgency=medium - Feature improvements - * Allow "virtual_server" in "realm" and "home_server" sections. - See raddb/proxy.conf and raddb/sites-available/virtual.example.com. - * Allow "passwd" module to be listed in "accounting" and "post-auth". - * Added "fallback" to "home_server_pool" configuration, to handle - the case of all home servers being dead. See raddb/proxy.conf. - * Added sample text to raddb/sites-available/inner-tunnel which - can simplify debugging of inner tunnel configurations. - * Added regular expression matching in realm names. See - raddb/proxy.conf for examples. - * Added simple DHCP server functionality. 
For comments, see - raddb/sites-available/dhcp. - * Added file globbing capabilities to detail file reader - * Added sample raddb/sites-available/robust-proxy-accounting - * Clients in SQL can now refer to a virtual server. - Patch from Michael Bretterklieber. - * Added some examples of creating RADIUS administrator in SQL, - and assigning appropriate access rights. - - Bug fixes - * Install all files in raddb/sites-available - * Allow non-threaded builds. - * Don't treat '0x' as special for known attributes that are not - of type "octets". - * Fix log error in rlm_pap. - * Remove documentation about non-existent functionality. - * Updated warning messages in debug output. - * Fix handling of timeouts in rlm_ldap that affected 64-bit systems. - This fix was supposed to go into 2.0.3, but did not make it. - * Fix event handling in debug mode for failed proxy requests. - * Fix memleak in fifos. Closes #537. - * Fix memleak on blocked threads. Closes #538. - * Perform additional checks on NULL realms. Closes #541. - * Fix handling of "clients" in "listen" section. - * When detail file cannot process a packet, sleep for longer - to let the rest of the server do something. - * Add missing table to raddb/sql/mssql/schema.sql. Closes #545. - * Updated rlm_sql_postgresql to build with PostgreSQL 7.x. - Closes #533. - * Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the - correct place. - * Update rlm_attr_filter for some corner cases. Closes #543. - * Fixed memory leak in libfreeradius event handler. - * In the SQL Accounting on/off queries, remove the restriction - that the session time had to be zero. - -FreeRADIUS 2.0.3 ; Date: 2008/03/17 09:22:17 , urgency=medium - Feature improvements - * Updated raddb/certs/ca.cnf with extensions to allow ca.der - to be imported as a CA on Symbian and Windows Mobile devices. - Closes bug #524 - * Enable multiple matches in "hints" via Fall-Through = Yes. 
- Closes bug #477 - * Added preliminary SQLite driver, contibuted by Apple. - Untested, with no sample configuration. This address bug #470. - * Updated logging sub-system so that log messages from libfreeradius - can go to the log file, and not stdout. - * Added dictionary.rfc5176 - * EAP module now checks for instance name, and uses that for - authentication. This avoids the need to set Auth-Type when - there are multiple instances of the EAP module. - * Added Module-Return-Code attribute, which contains the value - returned by the previous module (ok/fail/update/etc.) - - Bug fixes - * Corrected typos in rlm_dbm. Closes bugs #521 and #522. - * Detail file "listen" sections now work much better. - * Don't allow old "log_*" to over-ride new format. Closes bug #525 - * Initialize allocated memory in Oracle SQL driver. This fixes - occasional crashes on some systems. Closes bug #518 - * Call correct function in rlm_protocol_filter. This enables the - module to build. Closes bug #512. - * Added deprecated flag to build for rlm_krb5. This allows it to - run on 64-bit systems. Closes bug #491 - * Corrected error message when parsing invalid configurations - so it doesn't crash. Closes bug #527 - * Fix handling of timeouts in rlm_ldap that affected 64-bit systems. - * Handle $INCLUDE's in "instantiate" section. Closes #528. - * Format updates to "man" pages from Stephen Gran. - -FreeRADIUS 2.0.2 ; Date: 2008/02/14 11:13:48 , urgency=medium - Feature improvements - * Added notes on how to debug the server in radiusd.conf - * Moved all "log_*" in radiusd.conf to log{} section. - The old configurations are still accepted, though. - * Added ca.der target in raddb/certs/Makefile. This is - needed for importing CA certs into Windows. - * Added ability send raw attributes via "Raw-Attribute = 0x0102..." - This is available only debug builds. It can be used - to create invalid packets! Use it with care. 
- * Permit "unlang" policies inside of Auth-Type{} sub-sections - of the authenticate{} section. This makes some policies easier - to implement. - * "listen" sections can now have "type = proxy". This lets you - control which IP is used for sending proxied requests. - * Added note on SSL performance to raddb/certs/README - - Bug fixes - * Fixed reading of "detail" files. - * Allow inner EAP tunneled sessions to be proxied. - * Corrected MySQL schemas - * syslog now works in log{} section. - * Corrected typo in raddb/certs/client.cnf - * Updated raddb/sites-available/proxy-inner-tunnel to - permit authentication to work. - * Ignore zero-length attributes in received packets. - * Correct memcpy when dealing with unknown attributes. - * Corrected debugging messages in attr_rewrite. - * Corrected generation of State attribute in EAP. This - fixes the "failed to remember handler" issues. - * Fall back to DEFAULT realm if no realm was found. - Based on a patch from Vincent Magnin. - * Updated example raddb/sites-available/proxy-inner-tunnel - * Corrected behavior of attr_filter to match documentation. - This is NOT backwards compatible with previous versions! - See "man rlm_attr_filter" for details. - -FreeRADIUS 2.0.1 ; Date: 2008/01/22 13:29:37 , urgency=low - Feature improvements - * "unlang" has been expanded to do less run-time expansion, - and to have better handling of typed data. See "man unlang" - for documentation and new examples. - - Bug fixes - * The 'acct_unique' module has been updated to understand - the deprecated (but still used) Client-IP-Address attribute. - * The EAP-MSCHAPv2 module no longer leaks MS-CHAP2-Success in - packets. - * Fixed crash in rlm_dbm. - * Fixed parsing of syslog configuration. - -FreeRADIUS 2.0.0 ; Date: 2007/11/24 08:33:09 , urgency=low - Feature improvements - * Debugging mode is much clearer and easier to read. - * A new policy language makes many configurations trivial. - See "man unlang" for a complete description. 
- * Virtual servers are now supported. This permits clear separation - of policies. See raddb/sites-available/README - * EAP-TLS (PEAP, EAP-TTLS) and OpenSSL certificates "just work". - See raddb/certs/README for details. - * Proxying is much more configurable than before. - See proxy.conf for documentation on pools, and new config items. - * Full support for IPv6. - * Much more complete support for the RADIUS SNMP MIBs. - * HUP now works. Only some modules are re-loaded, - and the server configuation is *not* reloaded. - * "check config" option now works. See "man radiusd" - * radrelay functionality is now included in the server core. - See raddb/sites-available/copy-acct-to-home-server - * VMPS support. It is minimal, but functional. - * Cleaned up internal API's and names, including library names. - - Bug fixes - * Many.
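Review bot: The removed lines carry security-relevant and compatibility-breaking history that an operator upgrading from a 2.0.x or 2.1.x release would look for, and the hunk (872 lines down to 3, nothing added) leaves no pointer to where that history now lives. Examples in the deleted text include the 2.1.3 entry "Fix use of temporary files in dialup-admin. Closes #605 and addresses CVE-2008-4474", the entry 'Fixed "access after free" with some dynamic clients', the 2.1.0 warning that configurations with '\\' in the "users" file "WILL NEED TO BE CHECKED, AND FIXED", and the 2.0.2 note that the attr_filter change "is NOT backwards compatible with previous versions". Consider ending doc/ChangeLog with a one-line note saying where the pre-2.2.0 entries can be found (for instance the git history of this file or an older release), and state the reason for the prune in the commit message, which currently only repeats the subject line.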