Version 2.2.0 is released: upgrade NOW
Alan DeKok
aland at deployingradius.com
Mon Sep 10 14:25:23 CEST 2012
We're happy (and sad) to announce 2.2.0. It's been a year since the
last release, so it's needed.
However, this release announces an issue with unknown certificates in
EAP-TLS, PEAP, and EAP-TTLS. Some certificates can overflow a field in
the server, causing a crash. See:
http://freeradius.org/security.html
Everyone should upgrade to 2.2.0 immediately, or obtain a patched
version from their vendor.
Sorry for the issue. We'll take care to run Coverity more often in
the future.
FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
Feature improvements
* 100% configuration file compatible with 2.1.x.
The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
See raddb/certs/*.cnf
* Added copyright statements to the dictionaries, so that we know
when people are using them.
* Better documentation for radrelay and detail file writer.
See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver. Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
Patch from Matthew Newton
* Finalize DHCP and DHCP relay code. It should now work everywhere.
See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilitiies are now compiled in by default.
It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
ID.
* Added script to convert ISC DHCP lease files to SQL pools.
See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
caching is disabled which may increase performance.
Bug fixes
* Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
excited.
* Fix SQL IPPool logic for non-timer attributes. Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD. Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
nonsense.
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0". Setting that
is pointless for a host of reasons. It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
vector. Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
EAP-Identity. Changing the EAP type via NAK may result in
identities changing. Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
disappear after a HUP.
* Can now reference tagged attributes in expansions.
e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
replies. Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
queries work correctly.
* The TTLS diameter decoder is now more lenient. It ignores
unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader. Prevents very slow leak.
Closes bug #207.
* Operator =~ shouldn't copy the attribute, like :=. It should
instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
crash if it attempts to load a badly formated client definition.
<
More information about the Freeradius-Users
mailing list