Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

freeradius-server-libs-3.0.21-3.6.1 RPM for aarch64

From OpenSuSE Leap 15.3 for aarch64

Name: freeradius-server-libs Distribution: SUSE Linux Enterprise 15
Version: 3.0.21 Vendor: SUSE LLC <https://www.suse.com/>
Release: 3.6.1 Build date: Wed Feb 17 10:08:40 2021
Group: System/Libraries Build host: ibs-arm-1
Size: 691770 Source RPM: freeradius-server-3.0.21-3.6.1.src.rpm
Packager: https://www.suse.com/
Url: http://www.freeradius.org/
Summary: FreeRADIUS shared library
The FreeRADIUS shared libraries.

Provides

Requires

License

GPL-2.0-only AND LGPL-2.1-only

Changelog

* Mon Jan 04 2021 adam.majer@suse.de
  - freeradius-server-radiusd-logrotate.patch: move logrotate
    options into specific parts for each log as "global" options
    will persist past and clobber global options in the
    main logrotate config (bsc#1180525)
* Wed Aug 26 2020 adam.majer@suse.de
  - freeradius-server-radiusd-logrotate.patch: fix permissions in
    logrotate global section (bsc#1170505, bsc#1174905)
* Tue Mar 24 2020 adam.majer@suse.de
  - update to 3.0.21 (jsc#SLE-11896)
    Feature Improvements
    * New stored procedure for allocating IPs with PostgreSQL
      Rates of 1500 IPs per second are now possible
      See raddb/mods-config/sql/ippool/postgresql/procedure.sql
    * Add SQL IP pool support for Microsoft SQL Server
      See raddb/mods-config/sql/ippool/mssql/
    * Added RCNTEC dictionary. Closes #3168.
    * Added Pica8 dictionary. Closes #3179.
    * Add TLS-Client-Cert-Valid-Since attribute holding not
      Before date Patch from Boris Lytochkin. Fixes #3157.
    * Generate attributes containing unknown OIDs See raddb/sites-available/tls
    * Update the WiMAX dictionary.
    * Added ability to rlm_python(Python2) show a stacktrace
      from errors. #2979.
    * Add WiFi Alliance Policy OIDs.
      See raddb/certs/xpextensions
    * radmin now shows coa stats, too.
    * Sample schema extensions for summarizing data in SQL
      See mods-config/sql/main/*/process-radacct.sql
    * Update dictionary.aerohive, dictionary.fortinet,
      dictionary.arista and dictionary.erx.
    * Added VAS Experts dictionary.
    * Many updates to RPM and jenkins builds from Matthew Newton.
    * Added %C (time now in seconds) and %c (microsecond component of now)
      back-ported from the "master" branch.
    * Add reload capability to systemd unit file in Debian and RedHat.
    * Increase timestamp precision in postauth to maximum supported by each
      database and simplify (and make more consistent between drivers)
      the timestamps in SQL queries by using expansions.
    * Option to set dictionary path in raduat script.
    Bug Fixes
    * Various fixes found by PVS-Studio.
    * Set permissions of certificates in bootstrap shell script Fixes #3132.
    * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141.
    * Skip processing proxy reply if there are no home servers available.
    * Update SQLite IPPool queries. Fixes #3177
    * rlm_sql_unixodbc fixes. Fixes #2822.
    * Fixes when building with LibreSSL.
    * Fix the rlm_python3 build. Note that this module is experimental. #3183.
    * The rlm_python should append the 'python_path' paths in 'sys.path'.
      It fixes the expected behavior to use the existing Python modules
      Fixes #3180.
    * Fix rlm_python to print the script errors properly.
    * Bound total query time for PostgreSQL. Fixes #3253.
    * Many fixes to Oracle sqlippool. It now does 500 IPs per second
      without any tuning. Fixes #3270.
    * Reference sqlippool by it's correct name. Fixes #3272.
    * Revert 3.0.20 patch which caused crashes on duplicate clients.
    * Update WiMAX-MSK attribute. Fixes #3280.
    * Fix crash when trying to access non-existant regex capture group.
    * Use timestamps (request or server) rather than SQL NOW()
      in accounting queries so that these are stable when replayed
      from a file buffer.
  - freeradius-python3_patches.patch: upstreamed
* Tue Mar 17 2020 adam.majer@suse.de
  - update to 3.0.20 (bsc#1146848)
    Feature Improvements
    * Added Force10 dictionary.
    * Update dictionary.hp with new attributes. #2690.
    * Update dictionary.aruba with new attributes. #2696.
    * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
    * Relax OpenSSL version checks, now that their API is both public, and stable.
    * Note that tls_min_version/tls_max_version also support "1.3"
      Since there is no standard yet for EAP with TLS 1.3, it will not work.
    * Added tripplite dictionary from #2760.
    * Switch to the async interface for rlm_sql_postgresql so that
      we can enforce query_timeout.
    * Added new LDAP option 'allow_dangling_group_ref'.
    * Updated documentation and functionality for EAP session caching
      See "cache" section of mods-available/eap.
    * Tighten systemd unit file security. Fixes #2637.
    * Disable TLS 1.0 and TLS 1.1 support in the default configuration
      We STRONGLY recommend doing this for all installations.
    * Add expansions for *outgoing* Radsec connections
      "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
      TLS-Cert-* attributes. Fixes #2839.
    * Add %{listen:tls} which returns "yes" or "no" for
      TLS or non-TLS connections.
    * Update dictionary.lancom with new attributes. #2847.
    * Added rlm_sql_mongo. See raddb/mods-available/sql.
      Note that this module is experimental.
    * Added more documentation in sites-available/robust-proxy-accounting.
    * sqlippool now re-allocates unexpired leases, to prevent IP pool
      exhaustion when clients perform multiple reauthentication attempts
    * Add support to radmin keep the history in ~/.radmin_history.
    * Add support for ENV and LD_PRELOAD in radiusd.conf.
      See the new ENV sub-section of radiusd.conf.
    * Update dictionary.aptilo. #3002.
    * Update dictionary.airespace. #3039.
    * Add sites-available/coa-relay, which makes CoA easier #3045.
    * Add example stored procedure for IP Pools in MySQL
      See mods-config/sql/ippool/mysql/procedure.sql
    * Update dictionary.dhcp dictionary with the recent hardware types.
    * Add experimental rlm_python3. This should largely work
      the same as rlm_python, which was Python2 only.
    * Add Dockerfiles for Debian10 and CentOS8.
    * Add RPM spec file compatibility for RHEL/CentOS 8.
    * Notes on certificate constraints. See raddb/certs/server.cnf.
    * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
    Bug Fixes
    * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
    * ERX-Acct-Request-Reason is "integer". Closes #2635.
    * Fix a slow memory leak in the file management code.
    * Try to fix file permissions if they get modified while
      the server is running
    * Fix slow memory leak with clients.
    * Fix request and connection timeouts in rlm_rest.
    * Fix systemd issues.
    * Fixes from clang analyzer.
    * Fix missing include for the dictionaries:
      alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn,
      audiocodes,avaya,bristol, columbia_university,freedhcp,garderos,
      infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
    * Fix internal sanity check when running with "-Xx".
    * Allow "inner-tunnel" virtual servers to work better
      with "accept" and "reject" policies.
    * Fix dictionary.huawei data types for
      Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
    * Framed-Interface-ID in postgresql/queries.conf is string,
      not inet Fixes #2817.
    * Fix rlm_cache to complain on unknown attributes in the "update"
      section of its configuration.
    * Add configure checks for -latomic. This helps on armel,
      mips and mipsel. Fixes #2828.
    * Add support to Oracle 19 and 18. Via #2857.
    * Add support for decoding tags in rlm_rest. Fixes #2848.
    * Use correct passwords when updating CRLs in raddb/certs/.
    * Properly separate "originate-coa" packets when accounting
      packets are read from the detail file reader.
    * Use the correct virtual server for pre/post-proxy.
    * radsqlrelay fixes backported from "master" branch
    * Fix DoS issues due to multithreaded BN_CTX access
      (bsc#1166847, CVE-2019-17185)
  - disable python2 for SLE15 and Factory
  - freeradius-server-enable-python3.patch: enable Python3 module
  - freeradius-python3_patches.patch: backport python3 fixes from upstream
  - freeradius-server-opensslversion.patch: updated
* Wed Mar 11 2020 adam.majer@suse.de
  - Enable memcached driver on SLE15
* Mon Dec 23 2019 jcnengel@gmail.com
  - Add missing BuildRequire on samba-core-devel required for windbind
    support in rlm_mschap.
* Wed Apr 10 2019 michael@stroeder.com
  - update to 3.0.19 (jira#SLE-5890)
    Feature improvements
    * Update dictionary.cisco
    * Update sqlippool to allow for stored procedures with
      PostgreSQL.  This increases performance substantially.
      Patch from Nathan Ward.  Fixes #2540.
    * Re-added "show client config" command to radmin.
    * Cleaned up mods-available/sql example so that it is
      easier to understand.
    * Added pfSense dictionary. Closes #2581
    * Update dictionary.h3c Closes #2592
    * Update elasticsearch/logstash config for v6.7.0.
    * EAP-PWD security fixes from Mathy Vanhoef. See
      http://freeradius.org/security/
      (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
    Bug fixes
    * Update dynamic_client module and server core so that
      the functionality works.  This has been broken since
      at least v2.
    * Fix crash in sqlippool due to escaping changes.
      Patch from Nathan Ward.  Fixes #2532, #2533.
    * Fix systemd notify, watchdog and unit files.
      Fixes #2541, #2499.
    * Fix erroneous length check in EAP-FAST.
    * Update documentation to remove old "ignore_null"
      configuration. Fixes #2578.
    * Fix default POD port. Should be 3799.  Fixes #2591
    * Correctly encode vendor-specific "encrypted" attributes.
      Fixes #2600
* Wed Feb 27 2019 adam.majer@suse.de
  - reformat changelog mostly by wrapping lines
  - add missing bug numbers for security fixes
* Tue Feb 26 2019 michael@stroeder.com
  - update to 3.0.18
    * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
    * Do-Not-Respond policies can now be set in the "post-auth" section.
    * Encode / Decode ADSL Forum DHCP options.
    * Fix module ordering issues. e.g. when "sqlippool" needs "sql".
    See the "instantiate" section of radiusd.conf.
    * Add Big Switch dictionary. Fixes #2252.
    * Add sql_session_start policy (raddb/policy.d/accounting)
    This minimizes race conditions when using Simultaneous-Use (#2257).
    * For rlm_perl, all variables are now tainted by default.
    See raddb/mods-available/perl, and the "perl_flags" configuration item.
    This change should only affect people who are using variables in
    insecure ways.
    * Allow "sqlcounter" module to be listed in "post-auth".
    * Add support for IPv6 attributes in SQL. Fixes #2280
    * The server is better at handling fail-over for outbound RadSec and
    TCP connections. Fixes #2284.
    * The server is now more aggressive about retrying failed outbound
    RadSec and TCP connections. Fixes #2284.
    * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
    * Add expansion for Radsec connections. "%{listen:TLS-...}" for
    TLS-Client-Cert-* and TLS-Cert-* attributes.
    * Add notes on running "ldapsearch" using the parameters from the LDAP module.
    * "ipaddr" attributes can now be cast to "integer" type attributes
    in an "update" section.
    * Move main thread queue to using atomic queues. This should help
    with contention in high load scenarios.
    * Add "recv_buff" setting to listeners. For more details,
    see sites-available/default.
    * The sqlippool module can now use attributes other than "Pool-Name"
    to assign IP pools. The "Pool-Name" attribute is still the default.
    * The "unpack" expansion can now unpack substrings.
    See mods-available/unpack for documentation and examples.
    * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
    Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
    * Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
    * Add sanitizing of control list for moonshot. Fixes #2318.
    * Update rlm_sql_mysql to be compatible with MySQL 8
    Fixes https://bugs.launchpad.net/bugs/1795310.
    * Allow logging of only Access-Accept or Access-Reject messages
    See radiusd.conf, "auth_accept" and "auth_reject".
    * Removed Connect-Rate comparison. It was unused and broken.
    * Add dictionary.infinera.
    * Use OpenSSL HMAC functions instead of local ones.
    * Some SQL modules can now use "auto_escape" to escape unsafe strings
    See mods-config/sql/main/mysql/queries.conf.
    * Add wispr2date conversion in mods-available/date.
    * Implement dictionary-based handling in rlm_python.
    Fixes #2334 See mods-available/python for details.
    * Add support for SKIP LOCKED in sqlippool. This can improve performance
    by an order of magnitude or more.
    See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
    * Allow PSK and certificates at the same time Except for TLS 1.3
    which does not support that.
    * Update docker scripts. Fixes #2306 Patch from Matthew Newton.
    * Add crypt xlat.
    * MySQL connections can now skip verifying the server certificate.
    Fixes #2481. See mods-available/sql.
    * Add better mechanism to detect MariaDB (Old MySQL).
    * Add RFC 7532 "bang path" support for realms Fixes #2492.
    * Update dictionary.ukerna documentation. Fixes #2493.
    * Add support for systemd service and watchdogs Fixes #2499.
    * Check for openss/rand.h, and allow building without OpenSSL engine.
    Patch from Eneas U de Queiroz Fixes #2517.
    * The default PosgtreSQL queries now use "ON CONFLICT" to better
    deal with issues. This requires PostgreSQL 9.5 or later.
    Please use a recent version of PostgreSQL, or edit the default
    queries to remove "ON CONFLICT".
    BUG FIXES
    * The session-state list is no longer cleaned in the inner-tunnel.
    This lets the outer Access-Reject section access session-state.
    * Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
    * Add check for crash when home server down Fixes #2233.
    * Add username key for postauth table.
    * Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
    * Allow building with old versions of OpenSSL Fixes #2247.
    * Allow non-FreeRADIUS State attributes to be used with the
    "session-state" list. i.e. State length != 16.
    * Be more aggressive about cleaning up zombie children when running in debug mode.
    * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
    exporting LDAP API functions.
    * unlock files when asked to unlock them.
    * return error instead of asserting in map code.
    * Don't write 0 bytes to SSL. Fixes #2270.
    * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
    * Various dictionary cleanups and consistency checks Fixes #2281.
    * rlm_python has stronger thread locking to prevent reported issues.
    Performance may be affected.
    * Don't allow Message-Authenticator to overflow past the end of a large packet.
    * Fix crash in sqlippool when SQL server goes away Fixes #2300.
    * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
    * Fix crash with CoA packets/ Fixes #2304.
    * Fix crash in rlm_exec with CoA. Fixes #2328.
    * Print errors while parsing the log config, and don't quit when
    deprecated log settings are found.
    * Fix DHCP encoder xlat so that it can be used with a list of attributes.
    It previously only encoded the first member of the list,
    and now encodes all members.
    * The "expr" module now skips more whitespace.
    * Remove internal FreeRADIUS-Response-Delay attributes from
    attr_filter Access-Reject.
    * Don't send junk to redis when maximum args reached.
    * Small updates to IPv6 for accounting schema Fixes #2364.
    * Fix OpenDirectory integration in rlm_mschap.
    * Fix slow memory leak with dynamic clients.
    * Don't artificially truncate debug output for long strings.
    * Fix memory leak in EAP-PWD.
    * Fix crash in "hints" file with Fall-Through = yes.
    * Fix crash / timer issues with many CoA packets.
    * Fix attr_filter so that it does not treat vendor attributes of
    number 26 as Vendor-Specific.
    * Fix reconnect correctly in rlm_sql_mysql.
    * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
    * Fix rare occurance of bad xlat expansion.
    * Check for rare race condition when a proxy reply arrives too late.
* Wed Jul 04 2018 adam.majer@suse.de
  - install license as %license instead of documentation
* Tue Jun 26 2018 michael@stroeder.com
  - also fix ownership of /var/log/radius in systemd unit
* Tue Apr 17 2018 michael@stroeder.com
  - update to 3.0.17
    Feature Improvements
    * Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
    * "stats home server" now supports "src IPADDR", to specify home
    server also by source IP. Fixes #2169.
    * Add Dockerfiles for a selection of common systems.
    * Increase number of permitted file descriptors, for systems with many
    home servers.
    * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
    Patch from Isaac Boukris. Fixes #2205.
    * Update main READMEs. Patches from Matthew Newton.
    * Added dictionary.mimosa.
    Bug Fixes
    * Don't call post-proxy twice when proxying to a virtual server.
    Matthew Newton, #2161.
    * Use "raw" string value for shared secrets and dynamic clients
    It now parses strings with backslashes and "special characters"
    correctly. Fixes #2168.
    * Fix RuntimeDirectory for RedHat, from Alan Buxey.
    * Relax checks in 'if' parser from Isaac Bourkis.
    * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
    * Be more aggressive about cleaning up cached certificate attributes,
    due to deficiencies in OpenSSL. Reported by Nicolas Reich.
    * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
    * Fix double free in rlm_sql. Fixes #2180.
    * rlm_detail now writes empty Access-Accept packets.
    * rlm_python can now create tagged attributes.
    * Don't crash on duplicate realm + authhost / accthost
    * Allow partial certificate chain to trusted CA. Fixes #2162.
    * Treat SSL_read() returning zero as error. Fixes #2164.
    * detail writer now checks if the file was renamed or deleted.
    * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
    * RedHat Systemd updates. Fixes #2184.
    * Use correct API for State variable in rlm_securid.
    * Remove broken radclient option "-i".
    * Fix "users" file (and hints, etc). So that it does not get confused
    about entry ordering with multiple $INCLUDEs.
    * Fix rlm_sql to expand the un-escaped string, not the raw string.
    * Link default and inner-tunnel only if they exist. Fixes #2206.
    * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
    * Always install signal handler for SIGINT (needed by Docker).
    * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
    which are not self-signed will now be checked.
    * sqlippool now returns "fail" if it fails IP allocation.
    * Fix rlm_yubikey to look for correct attribute in replay attack check.
* Thu Jan 11 2018 michael@stroeder.com
  - update to 3.0.16
    Feature improvements
    * rlm_python now supports multiple lists.  From #2031.
    * Add trust router re-keying.  From #2007.
    * Add support for Samba / AD LDAP schema.
    See doc/schemas/ldap/samba/README.txt and
    doc/schemas/ldap/samba/
    * Add "tls_min_version" and "tls_max_version" to EAP module
    for Debian OpenSSL issues.
    * Better documentation for client certificates in PEAP and TTLS:
    it usually doesn't work.  Fixes #2068.
    * Distinguish login failure from AD unavailable.  Fixes #2069.
    * Update RH spec files.  Fixes #2070.
    * Run Post-Proxy-Type if all home servers are dead.
    Fixes #2072.
    * Print offending IP addresses when EAP sessions come from
    two upstream home servers, and rate-limit the messages.
    * Minor packaging updates.
    * Better documentation for rlm_rest.
    * EAP-FAST now has it's own "cipher_list", so that it is
    easier to configure.
    * EAP-FAST now forcibly disables TLS1.2, until such time
    as we implement the new keying mechanism from TLS1.2.
    * Add documentation for allow_expired_crl.
    * Update Debian logrotation.  #2093 and #2101.
    * DHCP relay can now drop responses.  #2095.
    * rlm_sqlippool can now assign Delegated-IPv6-Prefix.
    It also now can assign any IPv4 or IPv6 address.
    Based on patches from maximumG.  #2094.
    See raddb/mods-available/sqlippool for changes.
    * radeapclient can now use EAP-SIM-Ki to dynamically
    create the necessary triplets.
    * Explain why many LDAP connections are closed.
    Fixes #1969.
    * Debian build / package issues fixed by Matthew Newton.
    * dictionary.patton updates from Brice Schaffner.  Fixes #2137.
    * Added scripts to build "inner-server.pem", and updated
    mods-config/inner-eap and certs/README to match.
    * Added provisions for using an external CA.  See raddb/certs/
    * Include dhcpclient binary in freeradius-dhcp debian packge.
    Bug fixes
    * Bind the lifetime of program name and python path to the module
    FR-AD-002 (redone)
    * Pass correct statement length into sqlite3_prepare[_v2]
    FR-AD-003 (redone)
    * Allow 100-Continue responses with additional headers in rlm_rest.
    * fix corner case where detail files were not being locked
    correctly.
    * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group.
    Fixes #1947
    * Clean up exfile code.  Which should help to avoid issues
    with reading / writing 100's of detail files.
    * Fix build for winbind.  Patch from Alex Clouter.
    * Fix checkrad for Mikrotik.  Patch from Muchael Ducharme.
    * Fix home server stats lookup.  Patch from Phil Mayers.
    * Add libjson-c3 as an optional dependency.
    * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking
    against NSS, which breaks the server.  Fixes #2040.
    * rlm_python fixes.  Fixes #2041
    * Typos in "man" pages.  Fixes #2045
    * Expand "next" in %{%{...}:-%{...}}.  Fixes #2048
    * Don't add TLS attributes twice.  Fixes #2050.
    * Fix memory allocation in rlm_rest.  Fixes #2051.
    * Update trustrouter for new API. Fixes #2059.
    * Fix SQLite issues on FreeBSD.  Fixes #2060
    * Don't do debug logging of bad passwords.  Fixes #2064. (bsc#1099802)
    * More graceful handling of "die" in rlm_perl.  Fixes #2073.
    * Fix occasional crash when using
    cisco_accounting_username_bug = yes
    * EAP-FAST fixes from Isaac Boukris.
    [#2078], #2076, and #2082, #2126.
    * DHCP fixes, relay, #2092, add run-time check, #2028
    * Decode multiple RADIUS packets at a time in highly loaded
    RadSec connections.  Patch from Jan Tomasek.  #2106.
    * TunnelPassword is not "single value" in LDAP schema.
    Fixes #2061.
    * sql log now opens the expanded filename, not the input one.
    This was a regression introduced in 3.0.15.
    * Remove unnecessary UNIQUE constrain in Oracle schemas.
    * Fix SSL thread and locking issues when modules also use SSL.
    Fixes #2125 and #2129.
    * Re-add dhcpclient "raw packet" changes.  Patches from
    Nicolas Chaigne and Matthew Newton.  Fixes #2155.
* Tue Sep 19 2017 adam.majer@suse.de
  - Fix permissions of radiusd.service (bnc#1053654)
* Fri Aug 25 2017 varkoly@suse.com
  - bsc#1055679 - freeradius-server does not provide winbind/AD auth
    Added libwbclient-devel as buildrequires
* Mon Jul 17 2017 michael@stroeder.com
  - update to 3.0.15 with security fixes for
    issues found via fuzzing by Guido Vranken (bsc#1049086)
    https://freeradius.org/security/fuzzer-2017.html
    * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
    * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
    * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax()
    * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes
    * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp()
    * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions()
    * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly
    * FR-AD-002 (v3) String lifetime issues in rlm_python
    * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare
* Mon May 29 2017 adam.majer@suse.de
  - update to 3.0.14 (still FATE#322416)
    Feature improvements
    * Enforce TLS client certificate expiration on session resumption,
      and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
    * Updated dictionary.cisco.vpn3000, dictionary.patton
    * Added dictionary.dellemc
    * Lowered the log output for failed PEAP sessions.
    * ALlow utc in rlm_date.
    * The internal OpenSSL session cache has been disabled.
      Please see mods-available/eap
    * Update detail reader documentation.
    * Make outgoing RadSec connections non-blocking.
    * Add SQL backing to Moonshot-*-TargetedId generation.
    Bug Fixes
    * radtest uses Cleartext-Password for EAP, not User-Password.
    * Update documentation for mods-enabled/ linking.
    * Enhanced checks for moonshot salt.
    * Allow session resumption for RadSec connections.
    * Update "huntgroups" file to note that port ranges are not supported
    * Fix OpenSSL permissions issues on default key files.
    * Certificates are not required when PSK is used.
    * Allow SubjectAltName as first extension in cert.
    * Fixed talloc issue with TLS session resumption.
    * "&Attr-26 := 0x01" now produces useful error messages.
    * Handle connection error in rlm_ldap_cacheable_groupobj.
    * Fix endian issues in DHCP.
    * Multiple minor fixes for Coverity complaints.
    * Handle unexpected regex.
    * Fix minor issues in dictionaries.
    * Fix typos and grammar. Patches from Alan Buxey.
    * Fix erroneous VP creation in rlm_preproces.
    * Fix MIB. Patch from Jeff Gehlbach.
    * Trust router updates from Alejandro Perez.
    * Allow build with LibreSSL.
    * Use correct packet for channel bindings.
    * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
      a test license. Please see the git commit history for more info.
    * Fix incorrect length check in EAP-PWD. This may be exploitable.
    * Stop rotating session database files (radutmp, radwtmp) since
      these are not logfiles.
  - freeradius-server-radiusd-logrotate.patch: updated
* Mon Mar 06 2017 michael@stroeder.com
  - removed obsolete freeradius-server-fix-cert-bootstrap.patch
    because recent /etc/raddb/certs/bootstrap simply works
  - update to 3.0.13 (still FATE#322416)
    Feature improvements
    * Add dictionary.rfc7930.  Note that we do not implement
      the RFC.
    * Added 'cipher_server_preference' to mods-available/eap
      Patch from #1797.
    * OpenSSL 1.1.0 compatibility fixes.
    * rlm_perl: radiusd::xlat to evaluate xlat string
      within perl script
    * Allow authentication retry in winbind. Patch from
      Herwin Weststrate. See raddb/mods-available/mschap.
    * Added "recv-coa" method to rlm_rest.  It behaves the
      same as "authorize".
    * Document Trust Router tr_port option.  Patch from
      Stefan Paetow.
    * Update elasticsearch/logstash examples so that they work
      with elastic stack v5.  Patch from Matthew Newton.
    * Print information about packets, replies, and contents
      in the detail file reader.
    * Update abfab-tr policy.  Pull request #1893
      from Stefan Paetow.
    * Reject packets which contain User-Password and
      EAP-Message.
    * Add example for filtering Access-Challenge.
      See sites-enabled/default.
    * Pull symlink fixes from v4.0.x.  Fixes #1859.
    * Add systemd reload.  Not everything is reloaded, but
      some is.  Fixes #1662.
    * Better documentation for listen "ipaddr".  Fixes #1921
    * Add dictionary.cnergee, updated dictionary.nomadix.
    * radclient no longer needs -x to print statistics with -s.
    Bug fixes
    * Minor typos.  Fixes #1763
    * Fix typo in RPM build.  Closes #1767.
    * rlm_mschap check for password expiry only
      if password was correct.  Fixes #1762.
    * Update debian build.
    * update rlm_counter "man" page.  Fixes #1775.
    * Remove erroneous assert.  Fixes #1778.
    * fix mschap password change test.  Fixes #1792.
    * Cleanup config file on data remove.  Fixes #1795.
    * passwd module returns "notfound" if not found.
    * Check for old OpenSSL, and don't build rlm_eap_fast
      if it necessary.  Fixes #1803
    * Cleanup memory better after ldap version query.
      Patch from Aleksey Katargin.
    * Rename lt_* functions to avoid linker issues with
      libtool.  Fixes #1277
    * Many miscellaneous fixes and typos.
    * Allow long strings in %{%{foo} bar:-%{baz} blah".
      Fixes #1866
    * Fix filtering operators, along with more documentation and
      more tests for them.
    * Fix OpenSSL fixes.  Fixes #1876.
    * Finish SQL select queries even when SELECT returns no rows.
      Fixes #1879.
    * Set Module-Failure-Message for more EAP errors.
    * Correct typo in dictionary.rfc5580.  Fixes #1882
    * Remove obselete systemd syslog.target.
    * Client-Port-Balance load-balancing now uses client port.
    * Radrelay examples fixed from Alex Clouter.
    * Update systemd target.  Pull request #1896.
    * Trim starting whitespace in xlat strings.
    * Get MySQL result lengths using normal API.
    * suid down after fchown().  Fixes #1914.
    * Fix cases of comparing pointer to NUL character.  Fixes #1915.
    * OpenSSL v1.1 fixes.  Pull request #1921.
    * Better Handle v4/v6 host names.  Pull request #1919.
    * Remove "Auth-Type = System" from docs and examples.
    * Don't crash on malformed %{home_server}.  Fixes #1922
    * fix erroneous use of talloc destructor in rlm_eap
    * Issue trigger modules.sql.fail.  Fixes #1923
    * Document python_path gotcha's.  Fixes #1845
    * dlopen() the specific version of Python.  Fixes #1592
* Mon Feb 20 2017 kukuk@suse.de
  - Don't require insserv if we use systemd
  - Remove require for unused fillup
* Mon Jan 30 2017 adam.majer@suse.de
  - Merge changes from SLE to openSUSE (FATE#322416):
    * freeradius-server-radclient-init-error-buffer.patch - make sure
      we initialize error buffer. bsc#911886: radclient error free()
      invalid pointer
    * freeradius-server-opensslversion.patch: remove OpenSSL version
      check and assume we know what we are doing. (bnc#1013311)
    * merge .changes file, mostly.
  - do not attempt to detect "vulnerable" OpenSSL versions. SUSE
    security fixes do not necessarily bump version numbers as
    does upstream OpenSSL (bnc#1021375)
  - do not generate certificates in %post. End-user needs to do this
    manually.
  - keep FreeTDS disabled on SLE12 - we never shipped it enabled
  - require OpenSSL 1.0+
  - use pkgconfig(systemd) instead of plain systemd as BuildRequires
  - don't list manual pages as %doc
* Sun Jan 01 2017 jengelh@inai.de
  - Remove --with-pic which is for static libs only.
  - Use SUSE RPM group names. Trim filler words from description.
  - Do not hide errors from groupadd/useradd.
* Fri Nov 18 2016 adam.majer@suse.de
  - Add upstream keyring
  - 2 new modules: rlm_sql_freetds and rlm_eap_fast
* Thu Sep 29 2016 michael@stroeder.com
  - update to 3.0.12 - still fate#320481
    The focus of this release is stability.
    * Feature improvements
      + Add support for =~ and !~ in update sections. See "man unlang"
      + Add dictionary.checkpoint.
      + Simultaneous-Use prints out more information.
      + Print WARNING in debug mode when packets may be truncated.
      + Added expansions %{home_server:state} and
      %{home_server_pool:state}, which show the state of the
      server / pool.
      + Mark rlm_sql_freetds as stable.
      + Make rlm_perl less fragile. Patch from Herwin Weststrate.
      + Allow extended attributes to have "encrypt=2"
      + Update dictionary.aruba.
      + Add support for EAP-FAST. This is an isolated feature which
      does not affect anything else.
      + Update OpenSSL vulnerability list. Use a version of OpenSSL
      released after September 20, 2016.
      + EAP certificate verification is now done when "verify" is
      enabled and "ocsp" is disabled.
      + New dhcpclient and rlm_rad_counter man pages.
      + Minor abfab and moonshot additions.
      + Pass CFLAGS through from environment in RPM builds. Allows
      more custom builds.
      + Build with Heimdal in addtion to libkrb5.
    * Bug Fixes
      + Use correct typedef for older versions of sqlite.
      + Update mssql schema to add priority
      + don't complain on /dev/urandom in ldap
      + fix == operator in update sections
      + Don't create DHCP strings with many trailing zeros.
      + Allow MS-CHAP change passwords instead of complaining on
      large buffer.
      + Allow assignment or equality operator on SQL.
      + Update aclocal tests for FreeBSD 10.
      + Remove occasional hang in rlm_linelog.
      + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
      + A few minor bugfixes caught in v3.1.x cleanup, and
      back-ported to v3.0.x.
      + do_not_respond again works in post-proxy
      + Allow realm "~^.*$" {} and User-Name with no realm.
      + Fix leak when creating unknown attributes
      + Fix Debian / logrotate.
      + Make OpenSSL error functions thread-safe.
      + Fix crash with rlm_sql and updating SQL-User-Name.
      + Debian build updates.
      + Allow regular expression comparisons in radclient.
      + Fix memory leak on unknown attributes in detail file reader.
      + Update example paths in "man" pages when installing them
      + Build fixes for rlm_mschap. Fixes #1489.
      + BSD build fixes. Patch from issue #1583.
      + Be more careful about /lib/ when building. Fixes #1585.
      + Correct ifdef placement error. Fixes #1572.
      + Allow for more files in internal "exfile" API So it will be
      possible to open more than 64 "detail" files at the same
      time.
      + Remove support for statically built EAP modules. Fixes #1591.
      + Many fixes to rlm_python from Guillaume Pannatier.
      + Use correct week adjustment in SQLcounter. Fixes #1608
      + Minor fixes to allow compilation without DHCP, VMPS, or TCP.
      + Fix checks for module / config file change on HUP.
      + Compile regex comparisons when sent via "debug condition".
      + Update filenames in documentation and examples.
      + Don't crash if SQL connection becomes unavailable.
      + Disallow originate_coa when proxy_requests = no.
      + Free rad_perlconf_hv in correct perl context.
      + Multiple fixes for Debian builds. #1510, among others.
      + Set OpenSSL FIPS compatibility flag when necessary.
      + Pulled fixes for the build system over from other branches.
      + Fix OCSP for RADIUS over TLS.
      + Fix skip_if_ocsp_ok behavior.
      + Better fixes for systems without closefrom() but which have
      /proc.
      + Minor build fixes back-ported from v4.0.x.
      + build --whout-ascend-binary. Fixes #1761.
      + Be more aggressive about not opening new connections in
      debug mode after CTRL-C. Address #1604.
* Fri Sep 02 2016 adam.majer@suse.de
  - use %{with} macro for conditional inclusions instead of hardcoding
    version numbers
  - improved package descriptions
  - fixed builds on SLE12 and SLE11SP4
* Mon Jan 25 2016 michael@stroeder.com
  - removed installation of experimental module rlm_sqlhpwippool.so
  - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763,
    bsc#935573, CVE-2015-4680)
    * Changes of version 3.0.11
      + Feature improvements
    - "unlang" comparisons of IP addresses to IP prefixes are now
      detected, and types automatically cast.
    - Allow shorthand form of ipv4prefix values e.g. 127/8.
    - Add "auto_chain" to raddb/mods-available/eap, tls subsection.
      This allows the disabling of OpenSSL auto-chaining of
      certificates. Which might be wrong.
    - Added printing of coa and disconnect stats (radmin).
    - radclient defaults to expecting Access-Accept responses to
      Status-Server.
    - Updated dictionary.lancom, dictionary.starent.
    - Portability fixes for Solaris.
    - More errors from ntlm_auth gets passed to MS-CHAP.
    - Update abfab-tr-idp virtual server.
    - Added "filter_password" in policy.d/filter. This removes
      embedded zero bytes in User-Password, for compatibility with
      broken clients.
    - The server now issues a WARNING message if duplicate
      configuration items are found.
    - TLS can skip the "verify" section if OCSP returns OK. See
      raddb/mods-available/eap, "skip_if_ocsp_ok".
    - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the
      result from the OCSP check.
    - Interoperate with AD and "LmCompatibiltyLevel = 5", by
      always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind
      in rlm_mschap.
    - TTLS and PEAP now require "virtual_server" to be a real
      server.
    - Print WARNING when TTLS or PEAP identities are spoofed or
      not properly anonymized. See RFC 7542 for requirements.
    - Various rlm_python fixes from Herwin Weststrate.
    - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
      which is useful when the home server does not respond.
    - elasticsearch updates from Matthew Newton
      + Bug Fixes
    - Fix issue where field nas_type would not be accessible via
      the %{client:} xlat, for clients loaded from SQL.
    - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to
      msg_callback with 'pseudo' content types.
    - Data type "ipv4prefix" is parsed correctly.
    - Use correct talloc context in rlm_exec. Fixes #1338.
    - Complain in unlang if "else" is used with no previous "if"
      or "elsif".
    - Send accounting status packets to the accounting port.
      Fixes #1364.
    - Print out CFLAGS when doing "radiusd -Xxv"
    - Fixed bug with coa/acct stats value #1339. Based on patch
      from Jorge Pereira.
    - Fixes for LEAP proxying. Don't use LEAP!
    - Fix issue with "directory already exists" seen when doing
      "make install".
    - Fixed bug with radmin related to the option "stats detail
      <filename>"
    - Complain if the detail file reader does not have permission
      to read the "detail.work" file. Fixes #1398
    - Fixed SoH. Attributes were not being copied to the virtual
      server.
    - Used a wrong list to global statistics in "stats".
    - Create EAP-PWD identity correctly. Prevents segfaults.
    - Dynamically validate authentication types for PEAP and
      EAP-MSCHAPv2.
    - Fix includes in installed headers.
    - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys
      correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
    - Allow password change to work for MS-CHAP. This requires
      'r=0', because password changes are not retries.
    - Fix home server fail-over for home servers using TCP and/or
      RadSec.
    - Special characters in expanded regexes are now escaped e.g.
      User-Name containing '.', and comparing /%{User-Name}/, the
      '.' will now be escaped. See src/tests/keywords/regex-escape.
    - Use correct authentication vector when sending Access-Reject
      replies for RadSec.
    - Set FreeRADIUS-Proxied-To in TTLS again. You should use the
      "inner-tunnel" virtual server, instead of relying on this
      attribute.
    - Fix debugging constants in rlm_perl. Patch from Herwin
      Weststrate.
    - Add samba-dev / samba4-dev to debian builds so that
      rlm_mschap can automatically use the new winbind API.
    - Automatically skip zero-length attributes when sending
      packets, instead of erroring out.
* Mon Oct 26 2015 jkeil@suse.de
  - fix bsc#951404
    * Rebuild of freeradius-server package fails
    * fix source url
    - ftp://ftp.freeradius.org/pub/freeradius/
      + ftp://ftp.freeradius.org/pub/freeradius/old/
* Mon Oct 05 2015 michael@stroeder.com
  - update to 3.0.10
    * Changes of version 3.0.10
      + Feature improvements
    - Do more optimization of unlang policies. This makes run-time
      a bit faster.
    - Re-name most of the functions in src/lib. Third-party module
      authors will have to do the same.
    - More documentation on contributing and how to write modules.
    - Update radiusd.service for systemd.
    - Open IPv6 proxy socket if the server is listening on IPV6
      auth / acct / coa packets.
    - Create debian packages for DHCP. Fixes #1125.
    - Add more tests for "update" section parsing.
    - Update "man" pages.
    - Update attributes for Alcatel 7750
    - Add dictionary for Boingo Wi-Fi
    - Add support for DHCP lease queries.
      See raddb/sites-available/dhcp
    - On HUP, check all modules for config files which have
      changed. And only re-load those modules.
    - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS
      packets. Patch from Herwin Weststrate.
    - Documentation fixes from Alan Buxey and Matthew Newton.
    - Update "logrotate" script.
    - Added more RFCs to doc/rfc for new standards implemented by
      FreeRADIUS.
    - Don't crash when doing "radmin -e "help hup". Patch from
      Matthew Newton.
    - The dictionary parser now does more sanity checks, which
      prevents run-time problems with invalid attributes.
    - Update debian packages. Patches from Christopher Hoskin.
    - Many other debian packaging fixes from Matthew Netwon and
      Herwin Weststrate.
    - Add "session-state" to Perl. Patch from Herwin Weststrate.
      + Bug Fixes
    - Fix rlm_files so that there are no collisions when loading
      10's of 1000's of users.
    - Fix radclient to use our internal v4/v6 parsing functions.
      v6 addresses with ports now work correctly.
    - Fix sending/receiving packet messages to wrap v6 addresses
      in square brackets '[]'.
    - Check for sasl/sasl.h when building rlm_ldap, and disable
      SASL functionality if unavailable.
    - Fix issue which caused a non \0 terminated buffer to be
      assigned to attributes if the value being assigned contained
      an invalid escape sequence.
    - Fix deadlock when reconnecting connections in the connection
      pool.
    - Fix potential overrun in functions that used fr_utf8_char
      with a non nul terminated buffer.
    - Fix decoding issue for Tunnel-Password type attributes which
      were very long. Found by Denis Andzakovic.
    - Fix radclient issue with TCP sockets on FreeBSD.
    - The server now creates ${run_dir} and ${logdir} directories
      in daemon mode, when running as "root".
    - Handle tags when using maps. Fixes #1191.
    - Fix crash when CoA packets time out.
    - Fix parse error in rediswho
    - Fix regex support in SQL radcheck the "users" file and
      radsniff.
    - Register listen xlat earlier, so that it's available when
      the virtual servers are being parsed.
    - Parse Ascend-Data-Filter when given as "0x..."
    - Print Ascend-Data-Filter correctly. Add test cases for both.
    - Allow old-style clients again. They will be disallowed for
      3.1.0 and following.
    - Complain instead of crash when "else" and "elsif" are in the
      wrong place.
    - Clean up memory more aggressively. This lowers the maximum
      memory used, most typically for TLS based EAP methods.
    - Prevent the server from unlinking the control socket of an
      already running instance.
    - Fallback to using the configured OCSP URL if one exists, and
      no URL is provided in the certificate.
    - Return CoA-NAK if proxying CoA fails. Based on patch from
      Jorge Pereira.
    - Lower peak memory usage by decreasing size of internal
      memory pools.
    - The control socket is now left in place if a second copy of
      the server is accidentally started.
    - Allow virtual attributes in "switch", "case", etc. Fixes
      [#1240] and #1265.
    - Many spell check / typo fixes in comments and example
      configuration files.
    - Better handle multiple DHCP listeners.
    - Don't print secrets for old-style realms. Fixes #1267.
    - Don't fall through in empty "case" statements. Fixes #1274.
    - Update EAP-TTLS so that MPPE keys are correctly calculated
      with TLSv1.2.
    - Always delete MS-MPPE-* from the TTLS inner tunnel. This
      allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
    - Fix off by one error that caused some MSCHAP-Error messages
      to be sent without the password change version (V=3) and the
      textual message component (M=).
    - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759
      does not say that any of these fields are optional, and not
      including V= caused errors with wpa_supplicant.
    - Do not include M= in MSCHAPv1 errors. It's not supported.
* Fri Aug 07 2015 jkeil@suse.de
  - Fix boo#912714: freeradius can't use ntlm_auth
    * Create winbind group
    * Add radiusd to winbind group
* Tue Aug 04 2015 jkeil@suse.de
  - Remove gpg signature file
    * The gpg signature checking is broken and doesn't work
* Tue Aug 04 2015 jkeil@suse.de
  - Fix bsc#935573: Insufficent CRL application for intermediate certificates
    * CVE-2015-4680
    * freeradius-server-CVE-2015-4680.patch based on
      https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3
* Wed Jul 08 2015 michael@stroeder.com
  - update to 3.0.9
    * Changes of version 3.0.9
      + Feature improvements
    - Make "pool" configurations more consistent, and update
      documentation for them.
    - Move connection pool logic to "most recently started",
      instead of MRU. This should help with pool stability.
    - More VSAs for 3GPP2
    - Added examples of multi-value attributes to rlm_perl.
    - LDAP-Group and SQL-Group attributes are now dynamically
      allocated.
    - Only the "sql" module registers SQL-Group. Other instances
      register "instance-name-SQL-Group", similarly to "ldap".
    - Unknown attributes are now complained about more often when
      used in unlang statements. e.g. if (Foo-Bar == 3) used to be
      a string to string comparison. It is now a parse error.
    - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many
      things easier.
    - Move to C99 initializers for modules.
    - Load modules in raddb/mods-enabled. This allows attributes
      like "LDAP-Group" to be used in the "files" module, without
      explicit ordering or listing in "instantiate".
    - Added 'bootstrap' section to modules. Third-party modules
      will need to be updated.
    - When adding clients from a DB, add them to a virtual server
      if that virtual server has a "listen" section. Otherwise,
      add the clients to the global list.
    - When reading dynamic clients from a file, don't expire them
      if the underlying file is unchanged.
    - Allow the server to originate CoA requests from the
      post-auth stage.
    - The server creates ${run_dir} and ${logdir} in daemon mode,
      if they do not already exist.
    - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server
      now supports all mandatory and optional attributes for this
      specification.
    - HUP now re-loads the configuration only if the files have
      changed. If all files are unchanged, HUP re-opens the log
      file, and does nothing else.
    - Much better debug messages for EAP-TLS, including which
      attributes are cached, and when they are retrieved.
    - Increase default max_requests to 16384. Memory is cheap now.
    - Added "stats memory" commands to radmin. Debug build only.
    - Aptilo controller dictionary updates.
    - SQL modules now use Acct-Unique-Session-Id everywhere.
    - The redis modules are now stable.
    - The LDAP module now supports SASL "interactive bind" method.
      This allows Kerberos based administrator and user binds.
    - DHCP code is now in libfreeradius-dhcp.
    - More DHCP encoding / decoding unit tests.
    - rlm_replicate can now be listed in the "accounting" section.
    - Better sqlite debugging output.
    - Remove "required" option from many sql_ippool directives.
    - Set default CA "basic constraints" to "critical". Fixes #1073
    - Updates to help / man pages from Jorge Pereira.
    - Added more tests.
      + Bug Fixes
    - Be more careful about unused config item warnings when
      using -Xx.
    - Move more defines to be auto-generated.
    - Allow virtual servers in proxy fallback.
    - Allow %{module:} to work.
    - Don't crash in RadSec. Closes #980.
    - Return better errors when a unix group / user is not found.
    - Re-enable detail module "locking" parameter.
    - Don't crash when logging replies from Status-Server packets.
    - The couchbase module now uses "update" instead of "map", for
      consistent with the rest of the server.
      See raddb/mods-available/couchbase
    - Don't require NT-Password for MS-CHAP password changes.
    - Be a bit more careful about decrypting MS-CHAP-MPPE-Key
      attributes. Closes #1013. There is no perfect fix, tho.
    - Fix security issues with EAP-PWD.
      See http://freeradius.org/security.html#eap-pwd-2015
    - Fix dynamic clients read from SQL in non-debug mode
    - MS-CHAP now allows retries (i.e. password change) when
      passwords are expired.
    - Allow "user=radiusd" when the server is already user
      "radiusd"
    - suid up/down works on non-Linux systems. This means that the
      control socket should have the correct ownership.
    - Fix issue which caused the server to sometimes have problems
      when a home server was marked zombie.
    - Fix format.pl because Perl is now more picky.
    - Fix proxy to Packet-Dst-IP-Address, so that it uses the
      correct destination port.
    - Fix corner case with cursor functions and removal.
    - OpenDirectory fixes and documentation.
    - Fix leaks in rlm_redis.
    - RFC 6929 "evs" attributes are now encoded / decoded properly.
    - Fix talloc pool leaks when receiving malformed or
      retransmitted Accounting/CoA requests.
    - Printed attributes again use double quotes instead of single
      quotes.
    - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to
      eap.conf. Fixes oCert CVE-2015-4680.
    - rlm_expr now errors out correctly on malformed attribute
      references instead of triggering an assert.
    - Make "break" work in "foreach" loops
    - Allow dynamic expansions to work again in the "hints" file.
    - Correct minor typos in comments and examples from Alan Buxy.
    - Re-urlencode the path portion of ldapi:// urls before
      passing it to ldap_initialise.
  - freeradius-server-rlm_sql_unixodbc-configure.patch removes
    hard-coded directory in configure script of rlm_sql_unixodbc
  - install new module rlm_sqlhpwippool.so
* Thu Apr 23 2015 vcizek@suse.com
  - minor adjustments/cleanup of spec and changes
* Wed Apr 22 2015 michael@stroeder.com
  - update to 3.0.8
    * Changes of version 3.0.8
      + Feature improvements
    - Allow syslog_severity to be set in rlm_linelog.
    - Allow defaults to be set for bulk clients in LDAP and
      couchbase.
    - Updates to dhcpclient. Patches from Nicolas C.
    - rlm_mschap now supports direct connections to winbind,
      which is faster than ntlm_auth.
      See raddb/mods-available/mschap. Patch from Matthew Newton.
    - Recommend /dev/urandom for TLS randomness, instead of
      ${certdir}/random
    - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
    - Allow Expanded EAP types where vendor is 0 (IETF) and type
      is normal EAP type. Supplicants sending Expanded EAP types
      like this are broken.
    - Add support for server side sort controls when searching
      for user objects in rlm_ldap.
      + Bug Fixes
    - Don't complain about "authorize" in "server {}" blocks, but
      only if there's no "server" block.
    - Fix cosmetic issue where debug from the first packet read by
      a detail reader thread would be emited during config parsing.
    - Fix ASSERT on truncated detail packets.
    - Don't use main server log functions from within panic_action,
      as in the case of syslog this would cause deadlocks if the
      fault was triggered from within a malloc.
    - Fix issue in "switch" when "correct_escapes = false".
      Fixes #911.
    - Fix sqlcounter configuration to use "%%b" instead of "%b",
      otherwise the new syntax validation will fail.
    - Allow forward references in configuration items. Modules
      aren't always loaded in a sane order.
    - Fix more escaping issues. Closes #912.
    - Decode MAC addresses correctly for VMPS.
    - Fix memory leak with TLS connections.
    - Fix state machine threading issues for conflicting packets.
    - Fix copy_request_to_tunnel issues for tagged attributes.
    - Allow "ok" to over-ride "updated" inside of Auth-Type
      sections.
    - Update state machine so that post-proxy is run though child
      threads for performance, instead of blocking the main thread.
    - Allow "netmask" to work again in client definitions.
    - Relax restrictions on SQL group queries.
    - track outgoing proxy sockets and clean them up more
      aggressively.
    - track proxy statistics, including CoA and Disconnect.
    - If radmin has a connection failure when running a command,
      it re-connects and runs the command again.
    - mark home servers "unknown" less aggressively.
    - Fix potential SEGV in PostgreSQL driver on error.
    - Fix issue where fields like nas_type would not be
      accessible via the %{client:} xlat, for dynamic clients.
    - Set default busy_timeout (of 200ms) in the sqlite driver, so
      writes don't cause selects to fail in multithreaded mode.
      This is user configurable, and may be increased if required.
    - Convert Password-With-Header attributes to binary (from hex
      or base64), in the authorize method of rlm_pap.
    - Fix invalid assert in state.c, that could cause abort in
      post-auth.
    - Fix double free when -m flag is used, and connection pools
      are referenced by multiple modules.
    - RADIUS over TLS accounting uses the same port as
      authentication.
    - Regularized return codes from radmin commands.
    - Fix RHEL spec file so it works correctly for Centos7 which
      uses systemd, and didn't like the SystemV init script.
    - radwho and radlast now have a -D option to load dictionaries
    - DHCP packets are no longer checked for duplicates.
    - Don't crash in sql module group comparisons in corner case.
    - Calculate MPPE keys correctly when using TLS 1.2.
    - Fix load-balance sections. Closes #945
    - TLS certificates are available again in the post-auth
      section. They are not available for session resumption.
    - radclient encodes CHAP-Password properly when using -c
      Closes #955.
    - Fix issue in rlm_cache_memcached driver that caused variable
      length values to be truncated.
    - Fix track functionality in detail reader, so it no longer
      fails with a "Failed marking detail request as done: Bad
      file descriptor" error.
    - Actually add the peer identity (as User-Name) to the inner
      tunnel in EAP-PWD requests, so it's available for lookups.
    - Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
  - new set of consolidated patch files:
    deleted:
    * freeradius-server-2.1.1-logrotate_su.patch
    * freeradius-server-2.1.6-rcradiusd.patch
    * freeradius-server-initscript-pidfile.patch
    * freeradius-server-radius-reload-logrotate.patch
    * freeradius-server-var_run.patch
    added:
    * freeradius-server-radiusd-logrotate.patch
    * freeradius-server-rcradiusd.patch
    * freeradius-server-tmpfiles.patch
* Wed Jan 14 2015 tchvatal@suse.com
  - Do not disable as-needed build
  - Remove the with_sysconfig switch and just stick with versions
* Tue Jan 13 2015 vcizek@suse.com
  - update to 3.0.6
    - fixes a segmentation fault in PEAP module (bnc#912588)
    Feature improvements:
    * radmin / raddebug conditional errors are printed to the output, instead of being discarded.
    * raddebug will exit if condition set with -c was invalid.
    * radmin auto-reconnects if the connection to the server has gone away.
    * rlm_cache now has submodule support. See raddb/mods-available/cache
    * New memcached driver for rlm_cache. See raddb/mods-available/cache
    * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
    * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
    * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
    * When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
    * Support JIT compilation of compiled regular expressions when built with libpcre.
    * Support named capture groups with "%{regex:<name>}" when built with libpcre.
    * Increase regular expression capture groups from 8 to 32.
    * Emit error markers for badly formed regular expressions.
    * Allow 'm' flag to enable multiline mode in regular expressions.
    * Support limited implicit attribute conversion in update sections.
    * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
* Mon Dec 22 2014 dimstar@opensuse.org
  - Drop .keyring and .sig file: freeradius-server still uses MD5
    signatures, which are no longer validated/accepted by GPG 2.1.
* Wed Dec 03 2014 vcizek@suse.com
  - update to 3.0.5
    Some of the new features:
    * Allow LDAP to specify arbitrary attributes for dynamic
      clients.
    * Allow one level of backslashes (finally).  See radiusd.conf,
      "correct_escapes" setting.
    * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
      in EAP methods.
    * Allow multiple new connections to be spawned simultaneously
      in the connection pool, to cope with spikes in traffic.
    * Use kqueue on systems which support it.  This allows for
      better scaling when using many sockets.
    * Home server "response_window" can now take fractions of a
      second.  See proxy.conf.
    * radmin now supports "show module status", as thee counterpart
      to "set module status"
    * "ipaddr" will now use v6 if no v4 address is present.  You should
      use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
    * "client" sections will allow "ipaddr = 192.192.0/24".  The old
      "netmask" is still accepted, but the new format is preferred.
    * Allow custom HTTP headers to be set for rlm_rest requests using
      control:REST-HTTP-Header (attributes consumed after use).
    * Extend format of %{rest:} expansion to allow HTTP method and POST
      data to be specified
      and urlquoting.
    * Add support for aliases in rlm_ldap.
    * Add support for connection pool sharing to all modules that use
      the connection pool (pool = <instance>).
    * "tls" sections now have a "psk_query" configuration item, for dynamic
      queries to discover a key from a PSK identity.
    * Preliminary support for EAP channel bindings.
    * Foundational work for dynamic home servers.  They do not yet work,
      but this is now only a matter of updating the "realm" module in
      a future release.
    * Support &attr[*] syntax to copy all instances of an attribute when
      used with the += operator in an update section. May be qualified with
      a tag.
    * The logintime and expiration modules can now be listed in the
      post-auth section.  This makes some configurations simpler.
    * rlm_sqlippool is now IPV6 capable.  Set "ipv6 = yes" to get
      Framed-IPv6-Prefix returned.  The SQL queries have NOT been updated.
      Please submit patches.
    and numerous; bugfixes
  - remove gpg-offline
  - create /run/radiusd after install
  - drop freeradius-server-opensslversion.patch (upstream)
* Mon Dec 01 2014 meissner@suse.com
  - freeradius-server-opensslversion.patch: do not check the minor
    version of openssl, minor versions are supposed to be compatible.
    bnc#906682

Files

/usr/lib64/freeradius
/usr/lib64/freeradius/libfreeradius-dhcp.so
/usr/lib64/freeradius/libfreeradius-eap.so
/usr/lib64/freeradius/libfreeradius-radius.so
/usr/lib64/freeradius/libfreeradius-server.so
/usr/share/licenses/freeradius-server-libs
/usr/share/licenses/freeradius-server-libs/COPYRIGHT
/usr/share/licenses/freeradius-server-libs/LICENSE


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Mar 9 14:48:48 2024