Press Releases

21 March 2014 - Version 3.0.2 has been released.

The focus of this release is stability.

Feature improvements

  • Secret keys and LDAP / SQL passwords are now printed as '<<< secret >>>' in debugging mode. Use -Xx to see the actual passwords.
  • Print out more information about passwords in -Xx, including hashes, comparisons, etc.
  • Allow cast (and implicit conversion) of integers to IPv4 addresses
  • More xlats allow attribute references. This means they can operate on binary data. e.g. expr, base64, md5, sha1.
  • Added more tests.
  • The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary
  • A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf
  • Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
  • Add "%{sha256:}" and "%{sha512:}" xlat functions.
  • Cache CUI in EAP session resumption.
  • Templates can now have sub-sections, which will be included in the section referencing the template.
  • Update more dictionaries.
  • Added more instances of the "always" module, for all return codes.
  • Suppress broken NASes when proxying. Retransmits which occur more than once per second are rate-limited to once per second.
  • Allow '&' in more xlat expansions.
  • Update PostgreSQL schema and queries to record last updated time, and accounting interim.
  • Optimize more "if" conditions when the server loads. This will avoid work at run time. e.g. ("foo" == "bar") --> FALSE.
  • Allow removal of all attributes within a list with !* operator.
  • Allow list to list copies with request qualifiers (outer.).
  • Add support for ipv4 prefixes and ipv6 addresses and prefixes to %{integer:}.
  • Allow radmin command "set module status <module> <code>" which can be used to forcibly enable/disable modules.
  • The pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header.
  • Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack
  • Added example IP Pool for DHCP, using sqlite. From Matthew Newton. See raddb/mods-config/sql/ippool-dhcp/

Bug Fixes

  • Fix SQL groups.
  • Fix operation of fr_strerror() with RE*() macros.
  • Don't assert if the connection we're trying to reconnect is not in_use.
  • Fix %{mschap:User-Name} xlat.
  • Allow comparisons of signed integers and of ethernet addresses.
  • Fix parsing of text-based ascend binary filters.
  • Fix a few minor Coverity and clang analyzer issues.
  • Log WARNING and ERROR prefixes only once, not twice.
  • Fix attribute truncation seen in Perl and other places.
  • Use correct port when DHCP relaying.
  • Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  • Don't abort() when freeing home servers on exit.
  • Fix edge case in pairmove() when some attributes could be overwritten.
  • Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
  • In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
  • Fix corner case with proxying, where home server goes down.
  • Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
  • Use /dev/urandom for raddb/certs/random, if it exists.
  • Issue WARNING that old-style clients should no longer be used.
  • Auto-set secret to "radsec" for tcp+tls home servers.
  • Fix double free in home_server_add when there is a parse error on startup.
  • rlm_unix checks if the dictionaries are broken, instead of crashing
  • Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
  • Register sqlcounter attributes correctly, and other issues with it
  • Treat 127.0.0.1/32 as being identical to 127.0.0.1
  • Don't mangle error output of SQL drivers like PostgreSQL
  • Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times.
  • Fix TLS session leak for incoming sockets.
  • Try harder to clean up memory on exit when using "-mM"
  • Fix memory leak when home server is down for RadSec connections
  • Rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second.
  • When parsing ipv6 address prefixes, always mask off the host portion.
  • Fix rlm_counter so that it does not create two reply attributes.
  • Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output.
  • Initialize scope in IP address parsing
  • Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter.
  • Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
  • Fix POST attribute parsing in rlm_rest.
  • Fix JSON attribute parsing in rlm_rest.
  • Don't append trailing & to POST options in rlm_rest (minor).
  • Process HTTP 100 Continue messages correctly in rlm_rest
  • Fix generation of long > 512 byte POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest.
  • Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions.
  • Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing.
  • Correct calculation of Message-Authenticator for CoA packets. Closes #556

19 March 2014 - Version 2.2.4 has been released.

The focus of this release is stability.

Feature improvements

  • A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error.
  • Allow radmin command "set module status <module> <code>" which can be used to forcibly enable/disable modules.

Bug Fixes

  • If the server fails to bind() after fork(), that is now reported to the parent, which exits with an error.
  • Session / delay times in MySQL are unsigned int.
  • Use --tag=CC for libtool. Closes 497. Because libtool is too stupid to notice that compiling means compilation.
  • Fix bug when copying attributes for vendors > 32767
  • Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  • Don't fail config check if we're listening on an IP which is also a home server. Some deployments have valid reasons to loop packets back to another virtual server.
  • Use correct port when DHCP relaying.
  • Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
