Alan DeKok aland at
Mon Sep 10 14:25:23 CEST 2012

  We're happy (and sad) to announce 2.2.0.  It's been a year since the
last release, so it's needed.

  However, this release announces an issue with unknown certificates in
EAP-TLS, PEAP, and EAP-TTLS.  Some certificates can overflow a field in
the server, causing a crash.  See:

  Everyone should upgrade to 2.2.0 immediately, or obtain a patched
version from their vendor.

  Sorry for the issue.  We'll take care to run Coverity more often in
the future.

FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
Feature improvements
* 100% configuration file compatible with 2.1.x.
  The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
  Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
  See raddb/certs/*.cnf
* Added copyright statements to the dictionaries, so that we know
  when people are using them.
* Better documentation for radrelay and detail file writer.
  See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver.  Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
  Patch from Matthew Newton
* Finalize DHCP and DHCP relay code.  It should now work everywhere.
  See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilities are now compiled in by default.
  It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
* Added script to convert ISC DHCP lease files to SQL pools.
  See scripts/
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
  after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
  config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
  caching is disabled which may increase performance.

Bug fixes
* Fix CVE-2012-3547.  All users of 2.1.10, 2.1.11, 2.1.12,
  and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
  was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
  Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
* Fix SQL IPPool logic for non-timer attributes.  Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD.  Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0".  Setting that
  is pointless for a host of reasons.  It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
  vector.  Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability.  Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
  and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
  EAP-Identity.  Changing the EAP type via NAK may result in
  identities changing.  Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlats so %{mschap:...} doesn't
  disappear after a HUP.
* Can now reference tagged attributes in expansions.
  e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
  replies.  Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
  queries work correctly.
* The TTLS diameter decoder is now more lenient.  It ignores
  unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader.  Prevents very slow leak.
  Closes bug #207.
* Operator =~ shouldn't copy the attribute, like :=.  It should
  instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
  wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
  crash if it attempts to load a badly formatted client definition.


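The announcement above describes the bug class only in general terms: a certificate supplied by an unknown peer carries a field whose length the server did not bound before copying it into a fixed-size buffer, so a crafted certificate can crash the daemon. The following is an added example, not FreeRADIUS code and not the actual fix for CVE-2012-3547; it is a small, self-contained C illustration of the same failure mode and the check that prevents it. It parses a single DER string TLV (tag, short- or long-form length, value) as found in certificate subject fields, and copies the value into a 64-byte buffer only after verifying both that the declared length is backed by real bytes and that the value fits. The function names, the 64-byte buffer size and the 'A'-filled sample fields are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_BUF 64   /* hypothetical fixed buffer, as a server might use for a cert field */

/*
 * The pattern that leads to the crash described in the announcement looks like
 *     char buf[64];
 *     strcpy(buf, value_from_certificate);   // no length check at all
 * The value length is chosen by whoever issued the certificate, so any peer
 * presenting a certificate controls how many bytes land on the stack.
 */

/* Parse one DER TLV header from p[0..n). Returns 0 on success, -1 if the
 * header is malformed or the declared length exceeds the bytes present. */
static int der_tlv(const uint8_t *p, size_t n, uint8_t *tag, size_t *len, size_t *hdr)
{
    if (n < 2) return -1;
    *tag = p[0];
    size_t l = p[1], h = 2;
    if (l & 0x80) {                      /* long-form length: 0x8k followed by k bytes */
        size_t k = l & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n < 2 + k) return -1;
        l = 0;
        for (size_t i = 0; i < k; i++) l = (l << 8) | p[2 + i];
        h = 2 + k;
    }
    if (l > n - h) return -1;            /* length claims more bytes than we were given */
    *len = l;
    *hdr = h;
    return 0;
}

/* Copy a DER string value into out[outlen]. Returns the value length, -1 on a
 * malformed or non-string TLV, -2 if the value would not fit (including the NUL).
 * On any error, out is left untouched. */
int copy_der_string(const uint8_t *der, size_t n, char *out, size_t outlen)
{
    uint8_t tag;
    size_t len, hdr;
    if (der_tlv(der, n, &tag, &len, &hdr) < 0) return -1;
    /* UTF8String, PrintableString, IA5String are the usual subject/SAN string tags */
    if (tag != 0x0c && tag != 0x13 && tag != 0x16) return -1;
    if (len >= outlen) return -2;        /* this is the bound check a crashing copy lacks */
    memcpy(out, der + hdr, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed UTF8String TLV of vlen 'A' bytes (vlen <= 255) into buf.
 * Returns the total encoded size, or 0 if it does not fit. Test input only. */
size_t build_utf8string(uint8_t *buf, size_t buflen, size_t vlen)
{
    size_t h = vlen < 128 ? 2 : 3;
    if (vlen > 255 || buflen < h + vlen) return 0;
    buf[0] = 0x0c;
    if (vlen < 128) {
        buf[1] = (uint8_t)vlen;
    } else {
        buf[1] = 0x81;                   /* long form, one length byte follows */
        buf[2] = (uint8_t)vlen;
    }
    memset(buf + h, 'A', vlen);
    return h + vlen;
}

int main(void)
{
    uint8_t der[256];
    char field[FIELD_BUF];
    size_t n = build_utf8string(der, sizeof der, 10);
    printf("10-byte value: rc=%d\n", copy_der_string(der, n, field, sizeof field));
    n = build_utf8string(der, sizeof der, 200);
    printf("200-byte value: rc=%d (rejected, buffer is %d bytes)\n",
           copy_der_string(der, n, field, sizeof field), FIELD_BUF);
    printf("truncated input: rc=%d\n", copy_der_string(der, n - 1, field, sizeof field));
    return 0;
}
```

The two rejections are the interesting cases: a value longer than the buffer returns -2 instead of writing past the end, and a TLV whose length byte promises more data than the buffer holds returns -1 instead of reading past the end of the certificate. Both checks are cheap and should sit wherever certificate fields are copied into fixed storage, which is exactly where Coverity-style analysis tends to find the missing bound.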