Press Releases

12 May 2014 - Version 3.0.3 has been released.

The focus of this release is stability.

Feature improvements

  • Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
  • rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS <-> LDAP mappings.
  • rlm_ldap now supports older style generic attributes.
  • Dynamic expansions (e.g. "%{expr:1 + 2}") are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  • Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  • Dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
  • Regular expressions are now parsed and cached when the server starts.
  • Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
  • rlm_rest is now available as a Debian package.
  • When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip
  • All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
  • Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
  • Added "config" section to Perl. See mods-available/perl
  • Added '%v' which expands to the server version - Patch from Alan Buxey.
  • More mismatched casts are caught in "if" conditions, and descriptive errors are printed.
  • Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
  • Removed radconf2xml and radmin "show client config" and "show home_server config".
  • Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
  • Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL.
  • Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
  • Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1
  • Allow tag and array references anywhere attributes are allowed in "unlang".
  • Many enhancements to radsniff, including output to collectd, IPv6 support and packet loss statistics.
  • Many dictionary updates (ZTE, Brocade, Motorola).
  • rlm_yubikey now automatically splits passwords from OTP strings.
  • The detail file reader is now threaded by default. This should improve performance reading the files.

Bug Fixes

  • Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one.
  • Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored.
  • Check for more optional functions in json-c so we can build with libjson0, which is the name of the json-c package on Debian/Ubuntu.
  • Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
  • Fix handling of "%{reply:3GPP-*}"
  • Fix rlm_perl garbage attributes
  • Fix Oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
  • Truncate long format strings and error markers instead of omitting them.
  • Fix multiple attribute parsing in rlm_rest JSON.
  • Don't crash in rlm_rest if connect_uri is commented out in the configuration.
  • Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
  • Don't re-run "authorize" if a home server fails to respond.
  • Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets"
  • FreeBSD fixes for execinfo linking.
  • Make some of the module configurations more consistent.
  • Fix corner cases where STDOUT wouldn't be closed in daemon mode.
  • Re-enable "update coa" and originating CoA requests.
  • Prevent multiple threads writing to the sql query logs.
  • Fix zombie period calculation. Closes #579
  • Properly parent VPs for talloc, when moving them in map2request.
  • Various fixes for talloc parent / child relationships
  • Allow rlm_counter to support VSAs.
  • Normalize return codes for many modules. "do nothing" is noop, not "ok".
  • Run Post-Proxy-Type Fail. Closes #576
  • Fix DHCP destination port for replies to relays. Closes #591
  • Do-Not-Respond policy works again. Closes #593
  • Proxy-To-Virtual-Server works again. Closes #596
  • Build fixes for ancient systems. Closes #607, #608, #609.
  • %{Module-Return-Code} works again. Closes #610.
  • Don't increment statistics for Status-Server responses. Closes #612.
  • A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
  • Fix multiple regular expression and glob memory leaks.
  • Don't allocate any memory in fr_fault() as it can cause malloc to deadlock.
  • Temporarily set dumpable flag before calling system in fr_fault(), else the debugger may not be able to attach.
  • Set nonblock on all TCP client sockets.
  • Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
  • Fix crash on authentication failure with MIT kerberos.
  • Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
  • The connection pools no longer have one connection used twice in certain rare conditions.
  • Use self pipes for internal signals. The code was there, but was unused.
  • Don't crash if there are outstanding EAP sessions and we're told to exit gracefully.
  • Fix typo in dictionary.rfc4072

28 April 2014 - Version 2.2.5 has been released.

The focus of this release is stability.

Feature improvements

  • Update dictionary.terena and dictionary.zte.
  • Expose server version via %v. Patch from Alan Buxey.
  • Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
  • Catch underlying "heartbleed" problem, so that nothing bad happens with EAP even when using a vulnerable version of OpenSSL.

Bug Fixes

  • Minor changes to build on Sun.
  • Print non-ASCII characters as octal in linelog. Closes #578.
  • Fix zombie period calculation. Closes #579

21 March 2014 - Version 3.0.2 has been released.

The focus of this release is stability.

Feature improvements

  • Secret keys and LDAP / SQL passwords are now printed as '<<< secret >>>' in debugging mode. Use -Xx to see the actual passwords.
  • Print out more information about passwords in -Xx, including hashes, comparisons, etc.
  • Allow cast (and implicit conversion) of integers to IPv4 addresses
  • More xlats allow attribute references. This means they can operate on binary data. e.g. expr, base64, md5, sha1.
  • Added more tests.
  • The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary
  • A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf
  • Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
  • Add "%{sha256:}" and "%{sha512:}" xlat functions.
  • Cache CUI in EAP session resumption.
  • Templates can now have sub-sections, which will be included in the section referencing the template.
  • Update more dictionaries.
  • Added more instances of the "always" module, for all return codes.
  • Suppress broken NASes when proxying. Retransmits which occur more than once per second are rate-limited to once per second.
  • Allow '&' in more xlat expansions.
  • Update PostgreSQL schema and queries to record last updated time, and accounting interim.
  • Optimize more "if" conditions when the server loads. This will avoid work at run time. e.g. ("foo" == "bar") --> FALSE.
  • Allow removal of all attributes within a list with !* operator.
  • Allow list to list copies with request qualifiers (outer.).
  • Add support for IPv4 prefixes and IPv6 addresses and prefixes to %{integer:}.
  • Allow the radmin command "set module status <module> <code>", which can be used to forcibly enable/disable modules.
  • The pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header.
  • Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack
  • Added example IP Pool for DHCP, using sqlite. From Matthew Newton. See raddb/mods-config/sql/ippool-dhcp/

Bug Fixes

  • Fix SQL groups.
  • Fix operation of fr_strerror() with RE*() macros.
  • Don't assert if the connection we're trying to reconnect is not in_use.
  • Fix %{mschap:User-Name} xlat.
  • Allow comparisons of signed integers and of ethernet addresses.
  • Fix parsing of text-based ascend binary filters.
  • Fix a few minor Coverity and clang analyzer issues.
  • Log WARNING and ERROR prefixes only once, not twice.
  • Fix attribute truncation seen in Perl and other places.
  • Use correct port when DHCP relaying.
  • Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  • Don't abort() when freeing home servers on exit.
  • Fix edge case in pairmove() when some attributes could be overwritten.
  • Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
  • In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
  • Fix corner case with proxying, where home server goes down.
  • Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
  • Use /dev/urandom for raddb/certs/random, if it exists.
  • Issue WARNING that old-style clients should no longer be used.
  • Auto-set secret to "radsec" for tcp+tls home servers.
  • Fix double free in home_server_add when there is a parse error on startup.
  • rlm_unix checks if the dictionaries are broken, instead of crashing
  • Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
  • Register sqlcounter attributes correctly, and other issues with it
  • Treat 127.0.0.1/32 as being identical to 127.0.0.1
  • Don't mangle error output of SQL drivers like PostgreSQL
  • Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times.
  • Fix TLS session leak for incoming sockets.
  • Try harder to clean up memory on exit when using "-mM"
  • Fix memory leak when home server is down for RadSec connections
  • Rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second.
  • When parsing IPv6 address prefixes, always mask off the host portion.
  • Fix rlm_counter so that it does not create two reply attributes.
  • Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output.
  • Initialize scope in IP address parsing
  • Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter.
  • Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
  • Fix POST attribute parsing in rlm_rest.
  • Fix JSON attribute parsing in rlm_rest.
  • Don't append trailing & to POST options in rlm_rest (minor).
  • Process HTTP 100 Continue messages correctly in rlm_rest
  • Fix generation of long > 512 byte POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest.
  • Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions.
  • Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing.
  • Correct calculation of Message-Authenticator for CoA packets. Closes #556

19 March 2014 - Version 2.2.4 has been released.

The focus of this release is stability.

Feature improvements

  • A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error.
  • Allow the radmin command "set module status <module> <code>", which can be used to forcibly enable/disable modules.

Bug Fixes

  • If the server fails to bind() after fork(), that is now reported to the parent, which exits with an error.
  • Session / delay times in MySQL are unsigned int.
  • Use --tag=CC for libtool. Closes 497. Because libtool is too stupid to notice that compiling means compilation.
  • Fix bug when copying attributes for vendors > 32767
  • Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  • Don't fail config check if we're listening on an IP which is also a home server. Some deployments have valid reasons to loop packets back to another virtual server.
  • Use correct port when DHCP relaying.
  • Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.

Older Press Releases

2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.