Changelog for
radsecproxy-1.10.0-lp156.1.2.x86_64.rpm :
* Mon Jun 12 2023 Stefan Botter 1.10.0
- 1.10.0
  New features:
  - Native dynamic discovery for NAPTR and SRV records (#2, #83)
  - Optionally log accounting requests when responding directly (#72)
  - SNI support for outgoing connections (#90)
  - Optionally specify server name for certificate name check (#106)
  - Manual MTU setting for DTLS on non-linux platforms
  Misc:
  - Don't require server type to be set by dyndisc scripts
  - Improve locating openssl lib using pkg-config
  Bug Fixes:
  - Fix radius message length handling
- 1.9.3
  Bug Fixes:
  - Fix shutdown TLS connection on malformed radius message (#122)
  - Fix handling of lost requests in DTLS
  - Fix flush requests when dyndisc fails
* Fri Feb 17 2023 Stefan Botter 1.9.2
- 1.9.2
  Bug Fixes:
  - Fix potential segfault in tcp log message
  - Fix DTLS over IPv6
  - Fix SSL shutdown/EOF for openssl 3.x (#108)
* Sat Nov 20 2021 Stefan Botter 1.9.1
- 1.9.1
  Misc:
  - OpenSSL 3.0 compatibility (#70)
  Bug Fixes:
  - Fix refused startup with openssl <1.1 (#82)
  - Fix compiler issue for Fedora 33 on s390x (#84)
  - Fix small memory leak in config parser
  - Fix lazy certificate check when connecting to TLS servers
  - Fix connect is aborted if first host in list has invalid certificate
  - Fix setstacksize for glibc 2.34 (#91)
  - Fix system defaults/settings for TLS version not honored (#92)
- remove patch to fix setstacksize for glibc 2.34 (fix #91) from package
* Tue Oct 05 2021 Stefan Botter
- add upstream patch to fix setstacksize for glibc 2.34 (fix #91)
  radsecproxy-1.9.0_fix-glibc-2.34-setstacksize.diff
  + will not be needed after next release
* Fri Jun 11 2021 Stefan Botter 1.9.0
- 1.9.0
  New features:
  - Accept multiple source* configs for IPv4/v6
  - Specify source per server
  - User configurable cipher-list and ciphersuites
  - User configurable TLS versions
  - Config option for DH-file
  - Add rID and otherName options to certifcateAttributeCheck
  - Allow multiple matchCertificateAttribute
  - Option to start dynamic server in blocking mode
  Misc:
  - Move radsecproxy manpage to section 8
  - Log CUI and operator-name if present
  - Log CN for incoming TLS connections
  Bug Fixes:
  - Fix overlapping log lines
  - Fix memory leak in logging
  - Fix dyndisc example scripts input validation (CVE-2021-32642)
* Mon Mar 22 2021 Stefan Botter 1.8.2
- 1.8.2
  Bug fixes:
  - Fix wrong config-unhexing if %25 (%) occurs
  - Fix compatibility with GCC 10 (#63)
  - Fix spelling in manpage
  - Fix modifyVendorAttribute not applied (#62)
  - Fix unnecessary status-server when in minimal mode (#61)
- remove unneeded patch radsecproxy-declare_pthread_attr_as_extern_in_header.diff
* Sun Jun 14 2020 Stefan Botter
- add upstream patch to fix GCC 10 incompatibility
  radsecproxy-declare_pthread_attr_as_extern_in_header.diff
  + will not be needed after next release
* Tue Nov 05 2019 Stefan Botter
- 1.8.1
  Bug fixes:
  - Handle Tunnel-Password attribute correctly
  - Fix BSD platform issues
  - Fix spelling in log messages and manpages
  - Fix compile issues for unit tests
* Thu Jul 04 2019 Stefan Botter
- 1.8.0
  New features:
  - Rewrite: supplement attribute (add attribute if not present) (#19)
  - Rewrite: modify vendor attribute
  - Rewrite whitelist mode
  - Autodetect status-server capability of servers
  - Minimalistic status-server
  - Explicit SubjectAltName:DNS and :IP match on certificates
  Misc:
  - No longer require docbook2x tools, but include plain manpages
  - Fail on startup if overlapping clients with different tls blocks
  Compile fixes:
  - Fix compile issues on bsd
  Bug fixes:
  - Handle %00 in config correctly (#31)
  - Fix server selection when udp were unreachable for long periods
* Wed Nov 21 2018 obsAATTbotter.cc
- add logrotate definition file
* Wed Sep 05 2018 obsAATTbotter.cc
- 1.7.2
  Misc:
  - Always copy proxy-state attributes in own responses
  - Authenticate own access-reject responses
  - Retry outstanding requests after connection reset
  Compile fixes:
  - Fix compile issues on some platforms (#14)
  - Fix compile issue when dtls disabled (#16)
  - Fix compile issue on Cygwin (#18)
  - Fix radsecproxy.conf manpage not installed when docbook2x not available
  Bug fixes:
  - Fix request might be dropped if udp client uses multiple source ports
  - Fix tls output might drop requests under high load
  - Check for IP literals in Certificate SubjectAltName:DNS records
  - Fix tls connection might hang during SSL_connect and SSL_accept
* Fri Jul 27 2018 obsAATTbotter.cc
- 1.7.1
  License and copyright changes:
  - Copyright SWITCH
  - 3-clause BSD license only, no GPL.
  Enhancements:
  - Support the use of OpenSSL version 1.1 and 1.0 series (RADSECPROXY-66, RADSECPROXY-74).
  - Reload TLS certificate CRLs on SIGHUP (RADSECPROXY-78).
  - Make use of SO_KEEPALIVE for tcp sockets (RADSECPROXY-12).
  - Optionally include the thread-id in log messages
  - Allow hashing MAC addresses in the log (same as for F-Ticks)
  - Log certificate subject if rejected
  - Log own responses (RADSECPROXY-61)
  - Allow f-ticks prefix to be configured
  - radsecproxy-hash: allow MAC addresses to be passed on command line
  Misc:
  - libnettle is now an unconditional dependency.
  - FTicks support is now on by default and not optional.
  - Experimental code for dynamic discovery has been removed.
  - Replace several server status bits with a single state enum. (RADSECPROXY-71)
  - Use poll instead of select to allow > 1000 concurrent connections.
  - Implement locking for all SSL objects (openssl states it is not thread-safe)
  - Rework DTLS code.
  Bug fixes:
  - Detect the presence of docbook2x-man correctly.
  - Make clang less unhappy.
  - Don't use a smaller pthread stack size than what's allowed.
  - Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
  - Don't forget about good dynamically discovered (TLS) connections (RADSECPROXY-69).
  - Fix refcounting in error cases when loading configuration (RADSECPROXY-42)
  - Fix potential crash when rewriting malformed vendor attributes.
  - Properly cleanup expired requests from server output-queue.
  - Fix crash when dynamic discovered server doesn't resolve.
* Thu Jun 21 2018 obsAATTbotter.cc
- add Restart=always to service file
* Thu Dec 07 2017 obsAATTbotter.cc
- Changes between 1.6.8 and the master branch
  License and copyright changes:
  - Copyright UNINETT AS and NORDUnet A/S.
  - 3-clause BSD license only, no GPL.
  Enhancements:
  - Support the use of OpenSSL version 1.1 series (RADSECPROXY-66).
  Misc:
  - libnettle is now an unconditional dependency.
  - FTicks support is now on by default and not optional.
  - Experimental code for dynamic discovery has been removed. Be aware that use of the DynamicLookupCommand configuration option still enables code known to be buggy.
  - Use a listen(2) backlog of 128 (RADSECPROXY-72).
  Bug fixes:
  - Detect the presence of docbook2x-man correctly.
  - Make clang less unhappy.
  - Don't use a smaller pthread stack size than what's allowed.
  - Don't follow the NULL pointer at debug level 5 (RADSECPROXY-68).
  - Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
  - Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
  - Tie Access-Request log lines to response log lines (RADSECPROXY-60).
  - Take lock on realm refcount before updating it (RADSECPROXY-77).
  - Fix a couple of memory leaks and NULL ptr derefs in error cases.

  2016-09-21 1.6.8
  Bug fixes:
  - Stop waiting on writable when reading a TCP socket.
  - Stomp less on the memory of other threads (RADSECPROXY-64).

  2016-03-14 1.6.7
  Enhancements (security):
  - Negotiate TLS1.1, TLS1.2 and DTLS1.2 when possible, client and server side. Fixes RADSECPROXY-62.
  Enhancements:
  - Build HTML documentation properly.

  2015-01-19 1.6.6
  Bug fixes (security):
  - Fix two use-after-free, a null pointer dereference and three heap overflows. Patches by Stephen Röttger.
  Bug fixes:
  - Have rewriteIn for servers use the correct config section. We used to apply rewriteIn using the rewrite block of the client rather than the server. Patch by Fabian Mauchle. Fixes RADSECPROXY-59.
  - Handle CHAP authentication properly when there is no CHAP-Challenge. Fixes RADSECPROXY-58.
  - Install radsecproxy.conf.5 unconditionally. Keep regeneration of it dependent on configure finding docbook2x-man(1).