author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:11:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:11:00 +0000 |
commit | af754e596a8dbb05ed8580c342e7fe02e08b28e0 (patch) | |
tree | b2f334c2b55ede42081aa6710a72da784547d8ea /doc/ChangeLog | |
parent | Initial commit. (diff) | |
Adding upstream version 3.2.3+dfsg.upstream/3.2.3+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/ChangeLog')
-rw-r--r-- | doc/ChangeLog | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog new file mode 100644 index 0000000..6b7006e --- /dev/null +++ b/doc/ChangeLog 
@@ -0,0 +1,189 @@ +FreeRADIUS 3.2.3 Fri 26 May 2023 12:00:00 EDT urgency=low + Configuration changes + * The rlm_ldap and rlm_sql modules now have a "max_retries" configuration + item in the pool section. This sets a limit on how many times an operation + will be retried if it fails indicating a connection issue. + * Added "check_crl" configuration to rlm_ldap. This only works with OpenSSL. + Many Linux distributions use other TLS libraries, which won't work. + * Note that rlm_ldap does not support "-=" operators. The documentation + disagreed with the code, so we fixed the documentation. + * If checkrad is called from SQL Simultaneous-Use checks it will now be + passed NAS-Port-Id (as stored in the database), rather than NAS-Port. + + Feature improvements + * Add "max_retries" for connection pools. Fixes #4908. Patch from Nick Porter. + * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and + dictionary.wispr; add dictionary.eleven. + * You can now list "eap" in the "pre-proxy" section. If the packet + contains a malformed EAP message, then the request will be rejected. + The home server will either reject (or discard) this packet anyways, + so this change can only help with large proxy scenarios. + * Show warnings if libldap is not using OpenSSL. + * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ + Disabled by default, can be enabled by passing `--with-radiusv11` to the + configure script. For now, this is for testing interoperability. + * Add extra sanity checks for malformed EAP attributes. + * More TLS debugging output + * Clear old module instance data before HUP reload. Avoids burst memory use + when e.g. using large data files with rlm_files. Patch from Nick Porter. + * `rlm_cache_redis` is now included in the freeradius-redis packages. + * Separate out python2/python3 in Debian Packages. Previously python 2 or 3 + was built depending on the system default which led to confusion. 
We now build + both freeradius-python2 and freeradius-python3 packages where possible. + + Bug fixes + * Don't leak MD contexts with OpenSSL 3.0. + * Increase internal buffer size for TLS connections, which + can help with high-load proxies. + * Send Status-Server checks for TLS connections + * Give descriptive error if "update CoA" is used with "fake" packets, + as it won't work. i.e. inner-tunnel and virtual home servers. + * Many small ASAN / LSAN fixes from Jorge Pereira. + * Close inbound RADIUS/TLS socket on TLS errors. When a home server + sees a TLS error, it will now close the socket, so proxies do not + have an open (but dead) TLS connection. + * Fix mutex locking issues on inbound RADIUS/TLS connections. + This change avoids random issues with "bad record mac". + * Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950 + * Correctly report the LDAP group a user was found in. Fixes #3084. + Patch from Nick Porter. + * Force correct packet type when running Post-Auth-Type. Helps with #4980 + * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996 + * Fix TCP socket statistics. Closes #4990 + * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use + checks. Helps with #5010 + +FreeRADIUS 3.2.2 Thu 16 Feb 2023 12:00:00 EDT urgency=low + Configuration changes + * The linelog module now has a "header" configuration item, + which places a header in any new file it creates. + * The ldap module now supports setting "cipher_list". See + mods-available/ldap. + * Add "connect_timeout" for outgoing TLS sockets. Helps with #3501. + * Add config section for xlats in rlm_rest and an option to + control REST body data encoding. Patches by Nick Porter. + * Allow Operator-Name and Called-Station-Id in attr_filter when + proxying. Helps with less work in Eduroam configurations. + * Ensure that the AcctUpdateTime field in SQL is always updated. + This is so that we can track when the last packet arrived. 
+ * Update the default configuration to reply to NAS when accounting + proxying fails, but we still write to the detail file. + + Feature improvements + * The "configure" process now gives a much clearer report + when it's finished. Patches by Matthew Newton. + * Fallback to "uname -n" on missing "hostname". Fixes #4771 + * Export thread details in radmin "stats threads". Fixes #4770 + * Improve queries for processing radacct into periodic usage data. + Fix from Nick Porter. + * Update dictionary.juniper + * Add dictionary.calix + * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets" + * Update documentation for robust-proxy-accounting, and be more + aggressive about sending packets. + * Add per-module README.md files in the source. + * Add default Visual Studio configuration for developers. + * Postgres can now automatically use alternate queries for errors + other than duplicate keys. + * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query + This helps the server track the identity of the client which is + connecting. + * Include thread stats in Status-Server attributes. Fixes #4870. + * Mark rlm_unbound stable and add to packages. Patches by Nick Porter. + * Remove broken/unsupported Dockerfiles for centos8 and + debian9. + * Ensure Docker containers have stable uid/gid. Patches + from Terry Burton. + + Bug fixes + * Preliminary support for non-blocking TLS sockets. Helps with #3501. + * Fix support for partial certificate chains after adding reload + support. Fixes #4753 + * Fix handling of debug_condition. + * Clean up home server states, and re-sync with the dictionaries. + * Correct certificate order when creating TLS-* attributes. + Fixes #4785 + * Update use of isalpha() etc. so broken configurations have less + impact on the server. + * Outgoing TLS sockets now set SNI correctly from the "hostname" + configuration item. + * Support Apple Homebrew on the M1. Fixes #4754 + * Better error messages when %{listen:TLS-...} is used. 
+ * Getting statistics via Status-Server can now be done within a + virtual server. Fixes #4868 + * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878. + * Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton. + +FreeRADIUS 3.2.1 Mon 03 Oct 2022 12:00:00 EDT urgency=low + Feature improvements + * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries. + * Add simultaneous-use queries for MS SQL. + * Add radmin command for "stats pool <module-name>" + Which prints out statistics about the connection pools + * Client statistics now shows "conflicts", to count conflicting + packets. + * New optional "lightweight accounting-on/off" strategy. When + refreshing queries.conf you should also add the new nasreload table + and corresponding GRANTs to your DB schema. + * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with + Eduroam. Suggested by Stefan Winter. + * Allow auth+acct for TCP sockets, too. + * Add rlm_cache_redis. See raddb/mods-available/cache for details + * Allow radmin to look up home servers by name, too. + * Ensure that dynamic clients don't create loops on duplicates. + Reported by Sam Yee. + * Removed rlm_sqlhpwippool. There was no documentation, no configuration, + and the module was ~15 years old with no one using it. + * Marked rlm_python3 as stable. + * Add sigalgs_list. See raddb/mods-available/eap. Patch from + Boris Lytochkin. + * For rlm_linelog, when opening files in /dev, look at "permissions" to see + whether to open them r/w. + * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md + and raddb/home_servers/README.md + * Allow setting of application_name for PostgreSQL. See mods-available/sql. + + Bug fixes + * Correct test for open sessions in radacct for MS SQL. + * The linelog module now opens /dev/stdout in "write-only" mode + if the permissions are set to "u+w" (0002). + * Various fixes to rlm_unbound from Nick Porter. 
+ * PEAP now correctly runs Post-Auth-Type Accept + * Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-* + Fixes #4698. See sites-available/tls, and fix_cert_order. + * Minor updates and fixes to CI, Dockerfiles and packaging. + * Fix rlm_python3 build with python >= 3.10. Fixes #4441 + +FreeRADIUS 3.2.0 Thu 21 Apr 2022 12:00:00 EDT urgency=low + Configuration changes + * "correct_escapes" has been removed, and is always set to "true" + internally. Configuration changes may be required if you are + using configurations from before 3.0.5. Other than this + difference, 3.2.x is compatible with 3.0.x, and configurations + from 3.0.x can be simply copied into a system running 3.2.x. + + Feature improvements + * All features from 3.0.x are included in the 3.2.x releases. In addition: + * Support PEAP and TTLS with TLS 1.3. This has been + tested with wpa_supplicant and Windows 11. + * Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which + day of the month the counter should be reset. + * Partial backport of rlm_json from v4, providing the json_encode xlat. + See mods-available/json for documentation. + * Support for haproxy "PROXY" protocol. + See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/ + * Support for sending CoA-Request and Disconnect-Request packets + in "reverse" down RadSec tunnels. Experimental for now, and + undocumented. + * It is now possible to run a virtual server when saving / loading + TLS cache attributes. See sites-available/tls-cache for + more information. + * Removed the "cram" module. It was undocumented, and used old + and insecure authentication methods. + * Remove the "otp" module. The "otpd" program it needs is no longer available, + and the module has not been usable since at least 2015. + * All features from 3.0.x are included in the 3.2.x releases. + * 3.2.0 requires OpenSSL 1.0.2 or greater. 
+ + Bug fixes + * All bug fixes from 3.0.x are included in the 3.2.x releases. |
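Review bot: The 3.2.0 "Feature improvements" list carries the entry "All features from 3.0.x are included in the 3.2.x releases." twice, once as the opening "In addition:" line and again just before "3.2.0 requires OpenSSL 1.0.2 or greater."; the second copy can be dropped. Separately, in the 3.2.3 "Configuration changes" the rlm_ldap "check_crl" item says it only works with OpenSSL and that other TLS libraries "won't work", but it does not say whether the setting is then ignored or rejected at startup. If it were skipped silently, an operator who enabled it would believe revocation was being checked when it was not, so the entry should state the behaviour and refer to the "Show warnings if libldap is not using OpenSSL" item as the way to tell which library is in use. The 3.2.3 "max_retries" and NAS-Port-Id changes are also each listed in two sections of the same release; a cross-reference between the paired entries would make clear that they describe one change.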