Press Releases

17 July 2017 - Version 3.0.15 has been released.

The focus of this release is stability.

Feature improvements

  • Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148.
  • Updated dictionary.cisco.vpn3000, dictionary.patton
  • Added dictionary.dellemc
  • Lowered the log output for failed PEAP sessions.
  • Allow UTC in rlm_date. Patch from Peter Lambrechtsen.
  • The internal OpenSSL session cache has been disabled. Please see mods-available/eap.
  • Update detail reader documentation. Patch from Matthew Newton. Fixes #1973.
  • Make outgoing RadSec connections non-blocking.
  • Add SQL backing to Moonshot-*-TargetedId generation. Patch from Stefan Paetow.

Bug Fixes

  • radtest uses Cleartext-Password for EAP, not User-Password.
  • Update documentation for mods-enabled/ linking.
  • Enhanced checks for moonshot salt. Fixes #1933.
  • Allow session resumption for RadSec connections. Fixes #1936.
  • Update "huntgroups" file to note that port ranges are not supported.
  • Fix OpenSSL permissions issues on default key files. Fixes #1941.
  • Certificates are not required when PSK is used.
  • Allow SubjectAltName as first extension in cert. Fixes #1946.
  • Fixed talloc issue with TLS session resumption. Fixes #1980.
  • "&Attr-26 := 0x01" now produces useful error messages.
  • Handle connection error in rlm_ldap_cacheable_groupobj. Fixes #1951.
  • Fix endian issues in DHCP.
  • Multiple minor fixes for Coverity complaints.
  • Handle unexpected regex. Fixes #1959.
  • Fix minor issues in dictionaries.
  • Fix typos and grammar. Patches from Alan Buxey.
  • Fix erroneous VP creation in rlm_preprocess.
  • Fix MIB. Patch from Jeff Gehlbach.
  • Trust router updates from Alejandro Perez.
  • Allow build with LibreSSL. Fixes #1989.
  • Use correct packet for channel bindings. Fixes #1990.
  • Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more information.
  • Fix incorrect length check in EAP-PWD. This may be exploitable.

17 July 2017 - Version 2.2.10 has been released.

The focus of this release is stability.

Feature improvements

  • None.

Bug Fixes

  • Fix multiple security issues. See http://freeradius.org/security/fuzzer-2017.html. Thanks to Guido Vranken for working with us to discover the issues and test the fixes.
  • FR-GV-207 Avoid zero-length malloc() in data2vp()
  • FR-GV-206 correct decoding of option 60
  • FR-GV-205 check for "too long" WiMAX options
  • FR-GV-204 free VP if decoding fails, so we don't leak memory.
  • FR-GV-203 fix memory leak when using decode_tlv()
  • FR-GV-202 check for "too long" attributes
  • FR-GV-201 check input/output length in make_secret()
  • FR-AD-001 Use strncmp() instead of memcmp() for bounded data.
  • Disable in-memory TLS session caches due to OpenSSL API issues.
  • Allow issuer_cert to be empty.
  • Look for extensions using correct index
  • Fix types
  • Work around OpenSSL 1.0.2 problems, which cause failures in TLS-based EAP methods.
  • Revert RedHat contributed bug which removes run-time checks for OpenSSL consistency.
  • Allow OCSP responder URL to be later in the packet. Fix by Ean Pasternak.
  • Catch empty subject and non-existent issuer cert in OCSP. Fix by Ean Pasternak.
  • Allow non-FIPS for MD5. Fix by Ean Pasternak.

26 May 2017 - Version 3.0.14 has been released.

The focus of this release is stability.

Feature improvements

  • Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148.
  • Updated dictionary.cisco.vpn3000, dictionary.patton
  • Added dictionary.dellemc
  • Lowered the log output for failed PEAP sessions.
  • Allow UTC in rlm_date. Patch from Peter Lambrechtsen.
  • The internal OpenSSL session cache has been disabled. Please see mods-available/eap.
  • Update detail reader documentation. Patch from Matthew Newton. Fixes #1973.
  • Make outgoing RadSec connections non-blocking.
  • Add SQL backing to Moonshot-*-TargetedId generation. Patch from Stefan Paetow.
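
The "enforce TLS client certificate expiration on session resumption, and Session-Timeout" entry (CVE-2017-9148, listed under both 3.0.15 and 3.0.14 above) describes a general failure mode of TLS-based EAP methods: a resumed session skips certificate validation and the inner authentication, so whatever was authorized at the full handshake keeps working until the cache entry is dropped. The following is an added illustration written for this page, not FreeRADIUS code. It assumes a hypothetical cache entry layout, parses the certificate's notAfter as an X.509 UTCTime, and refuses resumption once either the certificate or the Session-Timeout granted in the Access-Accept has run out; the dates and timeouts in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), used so the example needs no non-portable timegm(). */
static long days_from_civil(long y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

static int two_digits(const char *p)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9') return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Parse an X.509 UTCTime "YYMMDDHHMMSSZ" to Unix time.  RFC 5280 maps
 * YY >= 50 to 19YY and YY < 50 to 20YY.  Returns (time_t)-1 on bad input. */
time_t parse_utctime(const char *s)
{
    int f[6];
    if (s == NULL || strlen(s) != 13 || s[12] != 'Z') return (time_t)-1;
    for (int i = 0; i < 6; i++) {
        f[i] = two_digits(s + 2 * i);
        if (f[i] < 0) return (time_t)-1;
    }
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59) return (time_t)-1;
    long year = f[0] >= 50 ? 1900 + f[0] : 2000 + f[0];
    long days = days_from_civil(year, (unsigned)f[1], (unsigned)f[2]);
    return (time_t)(days * 86400 + f[3] * 3600 + f[4] * 60 + f[5]);
}

/* What a cache entry would need to remember from the full handshake
 * (hypothetical layout, not FreeRADIUS's). */
typedef struct {
    time_t   created;          /* when the full handshake succeeded */
    time_t   cert_not_after;   /* client cert notAfter; 0 = no client cert */
    unsigned session_timeout;  /* Session-Timeout from the Access-Accept; 0 = none */
} cached_session_t;

typedef enum { RESUME_OK, RESUME_CERT_EXPIRED, RESUME_SESSION_EXPIRED } resume_verdict_t;

/* A resumed session skips certificate validation and the inner
 * authentication, so the cached authorization is re-checked against the
 * clock: the certificate may have expired since it was validated, and
 * Session-Timeout bounds how long the original Accept was good for. */
resume_verdict_t check_resumption(const cached_session_t *s, time_t now)
{
    if (s->cert_not_after != 0 && now >= s->cert_not_after) return RESUME_CERT_EXPIRED;
    if (s->session_timeout != 0 && now >= s->created + (time_t)s->session_timeout)
        return RESUME_SESSION_EXPIRED;
    return RESUME_OK;
}

/* Build the entry from the certificate's UTCTime string and evaluate it.
 * An unparseable notAfter fails closed: the client gets a full handshake. */
resume_verdict_t evaluate_resumption(const char *not_after, unsigned session_timeout,
                                     time_t created, time_t now)
{
    cached_session_t s = { created, 0, session_timeout };
    if (not_after != NULL) {
        s.cert_not_after = parse_utctime(not_after);
        if (s.cert_not_after == (time_t)-1) return RESUME_CERT_EXPIRED;
    }
    return check_resumption(&s, now);
}

int main(void)
{
    /* Constructed values: cert expiring 2017-07-18 00:00 UTC, cached on 2017-07-17. */
    time_t created = parse_utctime("170717000000Z");
    static const char *names[] = { "ok", "cert expired", "session timeout" };
    printf("+1h:  %s\n", names[evaluate_resumption("170718000000Z", 7 * 86400, created, created + 3600)]);
    printf("+24h: %s\n", names[evaluate_resumption("170718000000Z", 7 * 86400, created, created + 86400)]);
    printf("Session-Timeout=3600, +1h: %s\n",
           names[evaluate_resumption("170718000000Z", 3600, created, created + 3600)]);
    return 0;
}
```

The same re-check belongs in any external cache (the SQL or memcached backed caches) as much as in the in-memory one: the problem is not where the session is stored but that nothing re-validates it on the resumption path.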

Bug Fixes

  • radtest uses Cleartext-Password for EAP, not User-Password.
  • Update documentation for mods-enabled/ linking.
  • Enhanced checks for moonshot salt. Fixes #1933.
  • Allow session resumption for RadSec connections. Fixes #1936.
  • Update "huntgroups" file to note that port ranges are not supported.
  • Fix OpenSSL permissions issues on default key files. Fixes #1941.
  • Certificates are not required when PSK is used.
  • Allow SubjectAltName as first extension in cert. Fixes #1946.
  • Fixed talloc issue with TLS session resumption. Fixes #1980.
  • "&Attr-26 := 0x01" now produces useful error messages.
  • Handle connection error in rlm_ldap_cacheable_groupobj. Fixes #1951.
  • Fix endian issues in DHCP.
  • Multiple minor fixes for Coverity complaints.
  • Handle unexpected regex. Fixes #1959.
  • Fix minor issues in dictionaries.
  • Fix typos and grammar. Patches from Alan Buxey.
  • Fix erroneous VP creation in rlm_preprocess.
  • Fix MIB. Patch from Jeff Gehlbach.
  • Trust router updates from Alejandro Perez.
  • Allow build with LibreSSL. Fixes #1989.
  • Use correct packet for channel bindings. Fixes #1990.
  • Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more information.
  • Fix incorrect length check in EAP-PWD. This may be exploitable.

06 March 2017 - Version 3.0.13 has been released.

The focus of this release is stability.

Feature improvements

  • Add dictionary.rfc7930. Note that we do not implement the RFC.
  • Added 'cipher_server_preference' to mods-available/eap. Patch from #1797.
  • OpenSSL 1.1.0 compatibility fixes.
  • rlm_perl: radiusd::xlat to evaluate xlat string within perl script
  • Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap.
  • Added "recv-coa" method to rlm_rest. It behaves the same as "authorize".
  • Document Trust Router tr_port option. Patch from Stefan Paetow.
  • Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton.
  • Print information about packets, replies, and contents in the detail file reader.
  • Update abfab-tr policy. Pull request #1893 from Stefan Paetow.
  • Reject packets which contain User-Password and EAP-Message.
  • Add example for filtering Access-Challenge. See sites-enabled/default.
  • Pull symlink fixes from v4.0.x. Fixes #1859.
  • Add systemd reload. Not everything is reloaded, but some is. Fixes #1662.
  • Better documentation for listen "ipaddr". Fixes #1921.
  • Add dictionary.cnergee, updated dictionary.nomadix.
  • radclient no longer needs -x to print statistics with -s.
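
The bounds-check fixes listed under 2.2.10 (FR-GV-202 "too long" attributes, FR-GV-205 "too long" WiMAX options, FR-GV-207 zero-length malloc()) and the 3.0.13 entry "Reject packets which contain User-Password and EAP-Message" all come down to walking RADIUS attributes without trusting the length octets. The following is an added example written for this page, not FreeRADIUS code: a bounds-checked attribute walker in C, run over a set of constructed packets (the sample bytes are made up, authenticators are zero). It checks generic Vendor-Specific sub-TLVs; WiMAX uses its own continuation format and would need a separate checker. The "both User-Password and EAP-Message" rule is the one RFC 3579 section 3.1 states for Access-Requests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_HDR_LEN       20
#define RADIUS_MAX_LEN       4096
#define ATTR_USER_PASSWORD   2
#define ATTR_VENDOR_SPECIFIC 26
#define ATTR_EAP_MESSAGE     79

/* One decoded attribute.  vlen excludes the two header octets, so vlen == 0
 * is legal; a consumer must not hand it to malloc() (the FR-GV-207 class). */
typedef struct {
    uint8_t        type;
    size_t         vlen;
    const uint8_t *value;
} radius_attr_t;

/* Check the sub-TLVs inside a Vendor-Specific value: a 4-octet Vendor-Id
 * followed by vendor-type/vendor-length/data triples.  0 = well formed. */
static int check_vsa(const uint8_t *v, size_t vlen)
{
    if (vlen < 4) return -1;                          /* Vendor-Id does not fit */
    v += 4; vlen -= 4;
    while (vlen > 0) {
        if (vlen < 2) return -1;                      /* dangling type octet */
        size_t sublen = v[1];
        if (sublen < 2 || sublen > vlen) return -1;   /* "too long" sub-TLV */
        v += sublen; vlen -= sublen;
    }
    return 0;
}

/* Walk the top-level attributes, calling cb for each.  Returns the attribute
 * count, or -1 for a malformed packet, which is rejected whole rather than
 * partially decoded.  Nothing is read past pktlen. */
int radius_walk(const uint8_t *pkt, size_t pktlen,
                int (*cb)(const radius_attr_t *attr, void *ctx), void *ctx)
{
    if (pktlen < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    /* RFC 2865: Length is 20..4096; octets past it are padding, and a packet
     * shorter than its Length is silently discarded. */
    if (declared < RADIUS_HDR_LEN || declared > RADIUS_MAX_LEN || declared > pktlen) return -1;

    const uint8_t *p = pkt + RADIUS_HDR_LEN;
    size_t remaining = declared - RADIUS_HDR_LEN;
    int count = 0;
    while (remaining > 0) {
        if (remaining < 2) return -1;                 /* attribute header does not fit */
        size_t alen = p[1];
        if (alen < 2 || alen > remaining) return -1;  /* bogus or "too long" length */
        radius_attr_t a = { p[0], alen - 2, p + 2 };
        if (a.type == ATTR_VENDOR_SPECIFIC && check_vsa(a.value, a.vlen) < 0) return -1;
        if (cb != NULL && cb(&a, ctx) < 0) return -1;
        p += alen; remaining -= alen; count++;
    }
    return count;
}

struct pw_eap { int has_pw, has_eap; };
static int note_pw_eap(const radius_attr_t *a, void *ctx)
{
    struct pw_eap *f = ctx;
    if (a->type == ATTR_USER_PASSWORD) f->has_pw = 1;
    if (a->type == ATTR_EAP_MESSAGE)   f->has_eap = 1;
    return 0;
}

/* 1 = pass on for processing; 0 = drop: malformed, or carrying both
 * User-Password and EAP-Message, which RFC 3579 section 3.1 forbids. */
int radius_request_acceptable(const uint8_t *pkt, size_t pktlen)
{
    struct pw_eap f = { 0, 0 };
    if (radius_walk(pkt, pktlen, note_pw_eap, &f) < 0) return 0;
    return !(f.has_pw && f.has_eap);
}

/* Constructed sample packets: Access-Request, id 0, zero authenticator. */
#define HDR(len) 0x01, 0x00, 0x00, (len), 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
static const uint8_t pkt_good[] = { HDR(35),
    0x01, 0x05, 'b', 'o', 'b',                          /* User-Name = "bob" */
    0x1a, 0x0a, 0, 0, 0, 9, 0x01, 0x04, 'a', 'b' };     /* Cisco VSA, sub-TLV 1 = "ab" */
static const uint8_t pkt_empty_value[]  = { HDR(22), 0x01, 0x02 };        /* zero-length value */
static const uint8_t pkt_bad_attr_len[] = { HDR(22), 0x01, 0x01 };        /* length < 2 */
static const uint8_t pkt_truncated[]    = { HDR(23), 0x01, 0x0a, 'x' };   /* claims 10, has 3 */
static const uint8_t pkt_bad_vsa[] = { HDR(35),
    0x01, 0x05, 'b', 'o', 'b',
    0x1a, 0x0a, 0, 0, 0, 9, 0x01, 0x09, 'a', 'b' };     /* sub-TLV claims 9, has 4 */
static const uint8_t pkt_pw_and_eap[] = { HDR(42),
    0x02, 0x12, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, /* User-Password, 16 octets */
    0x4f, 0x04, 0x02, 0x01 };                           /* EAP-Message */

int main(void)
{
    printf("good: %d attrs, acceptable=%d\n", radius_walk(pkt_good, sizeof pkt_good, NULL, NULL),
           radius_request_acceptable(pkt_good, sizeof pkt_good));
    printf("truncated: %d  bad vsa: %d\n", radius_walk(pkt_truncated, sizeof pkt_truncated, NULL, NULL),
           radius_walk(pkt_bad_vsa, sizeof pkt_bad_vsa, NULL, NULL));
    printf("pw+eap acceptable=%d\n", radius_request_acceptable(pkt_pw_and_eap, sizeof pkt_pw_and_eap));
    return 0;
}
```

The walker deliberately rejects the whole packet on the first bad length instead of returning the attributes decoded so far; partial decoding is what turns a length bug into a leak or a use of uninitialised data once the caller has to unwind.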

Bug Fixes

  • Minor typos. Fixes #1763.
  • Fix typo in RPM build. Closes #1767.
  • rlm_mschap check for password expiry only if password was correct. Fixes #1762.
  • Update debian build.
  • update rlm_counter "man" page. Fixes #1775.
  • Remove erroneous assert. Fixes #1778.
  • fix mschap password change test. Fixes #1792.
  • Cleanup config file on data remove. Fixes #1795.
  • passwd module returns "notfound" if not found.
  • Check for old OpenSSL, and don't build rlm_eap_fast when it is too old. Fixes #1803.
  • Cleanup memory better after ldap version query. Patch from Aleksey Katargin.
  • Rename lt_* functions to avoid linker issues with libtool. Fixes #1277.
  • Many miscellaneous fixes and typos.
  • Allow long strings in "%{%{foo} bar:-%{baz} blah". Fixes #1866.
  • Fix filtering operators, along with more documentation and more tests for them.
  • Fix OpenSSL fixes. Fixes #1876.
  • Finish SQL select queries even when SELECT returns no rows. Fixes #1879.
  • Set Module-Failure-Message for more EAP errors.
  • Correct typo in dictionary.rfc5580. Fixes #1882.
  • Remove obsolete systemd syslog.target.
  • Client-Port-Balance load-balancing now uses client port.
  • Radrelay examples fixed from Alex Clouter.
  • Update systemd target. Pull request #1896.
  • Trim starting whitespace in xlat strings.
  • Get MySQL result lengths using normal API.
  • suid down after fchown(). Fixes #1914.
  • Fix cases of comparing pointer to NUL character. Fixes #1915.
  • OpenSSL v1.1 fixes. Pull request #1921.
  • Better Handle v4/v6 host names. Pull request #1919.
  • Remove "Auth-Type = System" from docs and examples.
  • Don't crash on malformed %{home_server}. Fixes #1922.
  • Fix erroneous use of talloc destructor in rlm_eap.
  • Issue trigger modules.sql.fail. Fixes #1923.
  • Document python_path gotchas. Fixes #1845.
  • dlopen() the specific version of Python. Fixes #1592.

29 September 2016 - Version 3.0.12 has been released.

The focus of this release is stability.

Feature improvements

  • Add support for =~ and !~ in update sections. See "man unlang"
  • Add dictionary.checkpoint.
  • Simultaneous-Use prints out more information.
  • Print WARNING in debug mode when packets may be truncated.
  • Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool.
  • Mark rlm_sql_freetds as stable.
  • Make rlm_perl less fragile. Patch from Herwin Weststrate.
  • Allow extended attributes to have "encrypt=2"
  • Update dictionary.aruba.
  • Add support for EAP-FAST. This is an isolated feature which does not affect anything else.
  • Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016.
  • EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled.
  • New dhcpclient and rlm_rad_counter man pages.
  • Minor abfab and moonshot additions.
  • Pass CFLAGS through from environment in RPM builds. Allows more custom builds.
  • Build with Heimdal in addition to libkrb5.

Bug Fixes

  • Use correct typedef for older versions of sqlite.
  • Update mssql schema to add priority
  • don't complain on /dev/urandom in ldap
  • fix == operator in update sections
  • Don't create DHCP strings with many trailing zeros. Patch from Nicolas C. Fixes #1526.
  • Allow MS-CHAP change passwords instead of complaining on large buffer.
  • Allow assignment or equality operator on SQL.
  • Update aclocal tests for FreeBSD 10. Patches from Mathieu Simon.
  • Remove occasional hang in rlm_linelog.
  • Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544.
  • A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x.
  • do_not_respond again works in post-proxy
  • Allow realm "~^.*$" {} and User-Name with no realm.
  • Fix leak when creating unknown attributes
  • Fix Debian / logrotate.
  • Make OpenSSL error functions thread-safe.
  • Fix crash with rlm_sql and updating SQL-User-Name.
  • Debian build updates.
  • Allow regular expression comparisons in radclient fixes #1574.
  • Fix memory leak on unknown attributes in detail file reader.
  • Update example paths in "man" pages when installing them
  • Build fixes for rlm_mschap. Fixes #1489.
  • BSD build fixes. Patch from issue #1583.
  • Be more careful about /lib/ when building. Fixes #1585.
  • Correct ifdef placement error. Fixes #1572.
  • Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time.
  • Remove support for statically built EAP modules. Fixes #1591.
  • Many fixes to rlm_python from Guillaume Pannatier.
  • Use correct week adjustment in SQLcounter. Fixes #1608.
  • Minor fixes to allow compilation without DHCP, VMPS, or TCP.
  • Fix checks for module / config file change on HUP.
  • Compile regex comparisons when sent via "debug condition". Fixes #1632.
  • Update filenames in documentation and examples. Patch from Alan Buxey, #1655.
  • Don't crash if SQL connection becomes unavailable. Fixes #1640.
  • Disallow originate_coa when proxy_requests = no. Fixes #1684.
  • Free rad_perlconf_hv in correct perl context. Fixes #1675.
  • Multiple fixes for Debian builds. #1510, among others.
  • Set OpenSSL FIPS compatibility flag when necessary.
  • Pulled fixes for the build system over from other branches.
  • Fix OCSP for RADIUS over TLS.
  • Fix skip_if_ocsp_ok behavior.
  • Better fixes for systems without closefrom() but which have /proc. Fixes #1757.
  • Minor build fixes back-ported from v4.0.x.
  • Build --without-ascend-binary. Fixes #1761.
  • Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.

25 January 2016 - Version 3.0.11 has been released.

The focus of this release is stability.

Feature improvements

  • "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
  • Allow shorthand form of ipv4prefix values e.g. 127/8.
  • Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows OpenSSL's automatic chaining of certificates to be disabled, as the chain it builds might be wrong.
  • Added printing of coa and disconnect stats (radmin).
  • radclient defaults to expecting Access-Accept responses to Status-Server.
  • Updated dictionary.lancom, dictionary.starent.
  • Portability fixes for Solaris.
  • More errors from ntlm_auth gets passed to MS-CHAP.
  • Update abfab-tr-idp virtual server.
  • Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
  • The server now issues a WARNING message if duplicate configuration items are found.
  • TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
  • Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
  • Interoperate with AD and "LmCompatibilityLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
  • TTLS and PEAP now require "virtual_server" to be a real server.
  • Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
  • Various rlm_python fixes from Herwin Weststrate.
  • Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
  • elasticsearch updates from Matthew Newton

Bug Fixes

  • Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
  • Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
  • Data type "ipv4prefix" is parsed correctly.
  • Use correct talloc context in rlm_exec. Fixes #1338.
  • Complain in unlang if "else" is used with no previous "if" or "elsif".
  • Send accounting status packets to the accounting port. Fixes #1364.
  • Print out CFLAGS when doing "radiusd -Xxv"
  • Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
  • Fixes for LEAP proxying. Don't use LEAP!
  • Fix issue with "directory already exists" seen when doing "make install".
  • Fixed bug with radmin related to the option "stats detail <filename>"
  • Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398.
  • Fixed SoH. Attributes were not being copied to the virtual server.
  • Used the wrong list for global statistics in "stats".
  • Create EAP-PWD identity correctly. Prevents segfaults.
  • Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
  • Fix includes in installed headers.
  • OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
  • Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
  • Fix home server fail-over for home servers using TCP and/or RadSec.
  • Special characters in expanded regexes are now escaped. For example, when User-Name contains '.' and is compared via /%{User-Name}/, the '.' is escaped so that it matches a literal dot instead of any character. See src/tests/keywords/regex-escape.
  • Use correct authentication vector when sending Access-Reject replies for RadSec.
  • Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
  • Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
  • Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
  • Automatically skip zero-length attributes when sending packets, instead of erroring out.
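
The regex-escape fix above is the unlang instance of a general injection bug: an attacker-controlled value (User-Name arrives in the packet) is expanded into a pattern, so its metacharacters change what the pattern matches. The following is an added example written for this page, not FreeRADIUS code: a C escaper for extended-regex metacharacters, plus a small model of an unlang comparison built on POSIX regcomp()/regexec() that shows the unescaped and escaped behaviour side by side. The helper names and the sample values are made up; '/' is escaped because it delimits /.../ in unlang.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Characters that are special in an extended regular expression, plus the
 * '/' that delimits /.../ in unlang. */
static const char REGEX_META[] = "\\^$.|?*+()[]{}/";

/* Copy in to out, backslash-escaping every metacharacter.  Returns the
 * length the escaped form needs (without the NUL) so a caller can detect
 * truncation; each escape is written only if it fits whole, so a truncated
 * result never ends in a dangling backslash. */
size_t regex_escape(const char *in, char *out, size_t outlen)
{
    size_t need = 0, w = 0;
    for (const char *p = in; *p != '\0'; p++) {
        int meta = strchr(REGEX_META, *p) != NULL;
        size_t unit = meta ? 2 : 1;
        need += unit;
        if (out != NULL && w + unit < outlen) {
            if (meta) out[w++] = '\\';
            out[w++] = *p;
        }
    }
    if (out != NULL && outlen > 0) out[w] = '\0';
    return need;
}

/* Escape into a scratch buffer and compare with the expected text. */
int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    regex_escape(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Model an unlang comparison such as  &User-Name =~ /^%{Tmp-String-0}$/ :
 * the expanded value becomes part of the pattern.  escape = 0 reproduces the
 * pre-3.0.11 behaviour.  Returns 1 on match, 0 on no match, -1 if the
 * pattern does not fit or does not compile. */
int match_expanded(const char *value, const char *subject, int escape)
{
    char body[256], pattern[264];
    if (escape) {
        if (regex_escape(value, body, sizeof body) >= sizeof body) return -1;
    } else {
        if (strlen(value) >= sizeof body) return -1;
        strcpy(body, value);
    }
    snprintf(pattern, sizeof pattern, "^%s$", body);
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a dot in the value matches any character unless escaped. */
    printf("unescaped: %d\n", match_expanded("bob.smith", "bobXsmith", 0));
    printf("escaped:   %d\n", match_expanded("bob.smith", "bobXsmith", 1));
    printf("wildcard value unescaped: %d\n", match_expanded(".*", "anything", 0));
    printf("wildcard value escaped:   %d\n", match_expanded(".*", "anything", 1));
    return 0;
}
```

A value of ".*" is the case to keep in mind: unescaped it turns an equality check into "match anything", which in a policy that grants access on a matching User-Name is an authorization bypass, not just a wrong log line.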

Older Press Releases

2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.