Diffstat (limited to 'doc/ChangeLog')
-rw-r--r-- | doc/ChangeLog | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog index 6b7006e..0392c28 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -1,3 +1,102 @@ +FreeRADIUS 3.2.5 Tue 09 Jul 2024 12:00:00 UTC urgency=high + Configuration changes + * BlastRADIUS mitigations have been added to the "security" + section. See "require_message_authenticator" and also + "limit_proxy_state". + * BlastRADIUS mitigations have been added to radclient. + See "man radclient", and the "-b" option. + + Feature improvements + * TOTP now supports TOTP-Time-Offset for tokens with times that + are out of sync. See mods-available/totp + * radclient now supports forcing the Request Authenticator and ID + for Access-Request packets. + * Update dictionary.3gpp. + * Update advice on shared secrets, including suggesting a secure + method for generating useful secrets. + + Bug fixes + * Allow proxying by pool / home server name to work with auth+acct servers + * Fix OpenSSL API usage which sometimes caused crash in MS-CHAP + Previously it would either always crash immediately, or never crash. + * Fix packet statistics. Stop double counting some packets, + and track packet statistics even if a socket is closed. + * Reverted patch in TTLS which broke compatibility with some systems. + * Don't crash in debug mode when multiple intermediate certs are used + Patch from Alexander Chernikov. + +FreeRADIUS 3.2.4 Wed 29 May 2024 12:00:00 EDT urgency=low + Configuration changes + * Better handle backslashes in strings in the configuration files. + If the configuration items contain backslashes, then behavior may change. + However, the previous behavior didn't work as expected, and therefore is not + likely to be used. + * reject_delay no longer applies to proxied packets. All servers should now + set "reject_delay = 1" for security and scalability. + * %{randstr:...} now returns the requested amount of data, instead of + one too many bytes. + + Feature improvements + * Preliminary support for TEAP. + * Update EAP module pre_proxy checks to make them less restrictive. + This prevents the "middle box" effect from affecting future traffic. 
+ * Many fixes and updates for Docker images + * Add dpsk module. See mods-available/dpsk + * Print out what cause the TLS operations to be made, such as the EAP + method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket. + * Add auto_escape to sample SQL module config + * Add 'if not exists' to mysql create table queries. ref #5032 (#5137) + * Update dictionary.aruba; add dictionary.tplink, dictionary.alphion + * Allow for 'encrypt=1' attributes to be longer than 128 characters. + * Added "radsecret" program which generates strong secrets. See the + top of the "clients.conf" file for more information. + * radclient now prints packets as hex when using -xxx. + * Added "-t timeout" to radsniff. It will stop processing packets + after <timeout> seconds. + * Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF. + * The detail module now has a "dates_as_integer" configuration item. + See mods-available/detail for more information. + * Add lookback/lookforward steps and more configuration to totp. See + mods-available/totp. + * Add "time_since" xlat to calculate elapsed time in seconds, milliseconds + and microseconds. + * Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from + Alexander Clouter. PR #5320. + * Add "proxy_dedup_window". See radiusd.conf. + * Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf. + * Add "dedup_key" for misbehaving supplicants. See mods-available/eap + + Bug fixes + * Fix corner case with empty defaults in rlm_files. Fixes #5035 + * When we have multiple attributes of the same name, always use the + canonical attribute + * Make FreeRADIUS-Server-EMA* attributes work again for home server + exponential moving average statistics. + * Don't send the global server stats when asked for client stats. They + use the same attributes, so the result is confusing. + * Fix multiple typos in MongoDB query.conf (#5130) + * Add define for illumos. Fixes #5135 + * Add client configuration for TLS PSK. 
+ * Permit originate CoA after proxying to an internal virtual server + * Use virtual server "default" when passed "-i" and "-p" on the command line. + * Fix locking issues with rlm_python3. + * The detail file reader will catch bad times in the file, and will not + update Acct-Delay-Time with extreme values. + * Fix issue where Message-Authenticator was calculated incorrectly for + CoA / Disconnect ACK and NAK packets. + * Update Python thread and error handling. Fixes #5208. + * Fix handling of Session-State when proxying. Fixes #5288. + * Run relevant post-proxy Fail-* section on CoA / Disconnect timeout. + * Add "limit" section to AWS health check configurtion. Fixes 35300. + * Use MAX in sqlite queries instead of GREATEST. + * Fix typo in Mongo queries. Fixes #5301. + * Fix occasional crash with bad home servers. Fixes #5308. + * Minor bug fixes to the SQL freetds modules. + * Fix blocking issue with RADIUS/TLS connection checks. + * Fix run-time crash on configuration typos of %{substr ...} instead + of %{substr:...} Fixes #5321. + * Fix crash with TLS Status-Server requests. Fixes #5326. + FreeRADIUS 3.2.3 Fri 26 May 2023 12:00:00 EDT urgency=low Configuration changes * The rlm_ldap and rlm_sql modules now have a "max_retries" configuration |
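Review bot: In the 3.2.5 entry, the two BlastRADIUS bullets under "Configuration changes" name "require_message_authenticator", "limit_proxy_state" and the radclient "-b" option, but they do not say what the defaults are or whether a server is protected after upgrading without a configuration edit. For an urgency=high release, add a sentence stating the default behaviour and naming the file that holds the "security" section, the way the 3.2.4 entries say "See radiusd.conf". Smaller points in the 3.2.4 list: "configurtion" is misspelled, and "Fixes 35300" does not match the "#NNNN" form of the other issue references in the hunk, so it looks like a slip for "#5300" and should be checked against the tracker. "Print out what cause the TLS operations" should read "what caused". The 3.2.5 header gives its time in UTC while the 3.2.4 and 3.2.3 headers use EDT; use one zone throughout.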