| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
Bug fixes: Fix crash (memcpy with length -1) when invalid Tunnel-Password
attributes are received.
|
|
|
|
|
|
|
|
|
|
|
|
MAKE_JOBS=2 and worked without.
|
|
|
|
|
|
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
|
|
|
|
Also do some pkglintification while we are here.
|
|
Feature Improvements
* Updated LDAP documentation.
* Added note on DH parameters in eap.conf, and debugging messages which complain if DH is used, but not configured properly.
* Updated the Mikrotik dictionary. Added a note that the sample dictionary they supply is broken.
* Output more information on blocked threads, which should help narrow down which modules is causing the problem.
* Added more eDirectory support.
* rlm_ldap now prints out attributes in the standard format
* Enabled server-side handling of procedures in MySQL
Bug Fixes
* Added NT-Hash support for mschap_xlat.
* Corrected documentation to point to correct location of files.
* Checks for more recent FreeBSD versions.
* uses -DLDAP_DEPRECATED to avoid OpenLDAP crashes.
* Use correct value for authentication name in rlm_mschap.
* Fix over-ride for usernames when use_tunneled_reply = yes.
|
|
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
|
|
Feature Improvements
* Added more dictionaries
Bug Fixes
* Corrected typo in rlm_pap.c (closes #440)
* Corrected typo in src/main/auth.c (closes #437)
* Suppress SSL error messages if error is zero. (closes #436)
* Don't complain about "Error in read client certificate A" if we expect to
read it in the next packet. Fix based on patch by Dan Lukes.
* Corrected nearly 30 bugs found by Coverity See also http://scan.coverity.com
* Don't die on HUP. Instead leak memory (sorry). After a few hundred HUP's, the
server will have leaked a few megabytes of memory, and you should probably
re-start it. It's ugly, but better than dying. (Closes #426)
* Corrected a few double free's
* Corrected typo in radrelay, which prevented it from working
* Made Firebird module build
* Fixed bug in PostgreSQL module that caused server crash.
* Fixed bug in SQL module that could cause server to crash.
|
|
2006.03.05 Version 1.1.5 has been released.
The focus of this release is stability.
Feature Improvements
* Added more dictionaries
* Dictionary files now MUST NOT be globally writable.
* Configuration files now MUST NOT be globally writable.
* Be more aggressive about freeing memory on clean exit.
* Updated rlm_python.
* Added another experimental SQL IP Pool module
Bug Fixes
* Corrected base64 decoding in rlm_pap
* Don't retransmit accounting packets. The NAS should do this.
* Handle Client-Error in EAP-SIM. (Closes #419)
* Port OpenSSL locking fixes from CVS head. This makes PEAP more stable on i
some systems.
* Require Message-Authenticator in Status-Server packets.
* Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868.
* Increase buffer size for dynamic expansion, which allows longer SQL queries.
(Closes #405)
* Use correct line number when there's a parse error in one of the
configuration sections. (Closes #421)
* Terminate SSL sessions in EAP on error, rather than continuing in some cases.
* Increase buffer size to allow parsing of long octet strings,
* Fix string termination on xlat in rlm_perl.
|
|
Patch provided by Sergey Svishchev in private mail.
|
|
* Major enhancements to rlm_pap, that make "encryption_scheme"
a think of the past. See "man rlm_pap" for details.
* Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
work-arounds that enable Windows Vista clients to work.
* Added preliminary code to support Firebird.
Use at your own risk!
* Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
platforms.
* Add a new "reply-name" directive in rlm_sqlcounter to define the
name of the reply attribute.
* Added more dictionaries and attributes
* Print ntlm_auth failure reason in Module-Failure-Message
* radsqlrelay is able to get the DB password from a file instead
of command line.
Bug fixes
* Fix a parse error in the digest module, where malformed
digest requests would result in the user being accepted. Oops...
* VALUEs can only be defined for 'integer', to catch mistakes
with setting VALUEs for type 'string'.
* Better parsing of VALUE names, so that values starting with
a digit work correctly.
* Check return from malloc
* Fix a double free() in rlm_eap_tls.c
* Check return code of malloc() during initialization.
* Fix a corner case where the proxy port isn't set either in
radiusd.conf or in proxy.conf.
|
|
|
|
This version has been released to fix build issues in 1.1.2. The build
tools (autoconf, libtool, libltld) have been upgraded to a recent version,
and the server now builds "out of the box" on more platforms. Other fixes
include:
* More dictionary updates
* Oracle support for radsqlrelay
* Security and portability fixes to rlm_otp
* Experimental module to store IP's in an SQL table.
* Miscellaneous bug fixes
|
|
|
|
PAM support.
From discussions with John Nemeth.
|
|
bump to nb2
|
|
Fix mySQL PLIST
Fix all PLISTs to avoid a nightmare when the nb number is changed
Bump to nb1
|
|
* Updated dictionaries (as always),
* Extended Ascend "abinary" support for Juniper,
* Configurable "cipher_list" for EAP methods that use TLS,
* Additional checks on cert issuer validation for EAP methods that use TLS,
* SQL IODBC bug fixes,
* Updates to the LDAP module,
* Better catching of errors in the config files,
* Miscellaneous other fixes
In addition to this add an extra option to options.mk which is
"freeradius-simul-use". This will enable Simultaneous-Use and is
enabled by default. If you disable it freeradius can be built without
depending on the net-snmp package. Original idea from John Nemeth.
|
|
Add kerberos support - Patch from Kevin Sullivan in PR #33732
Bump to nb4
|
|
set OVERRIDE_DIRDEPTH to find any libtool scripts deeper in the WRKSRC
tree unless they're named something other than "libtool".
SHLIBTOOL_OVERRIDE generally doesn't need to be specified either -- just
define it to the empty list and shlibtool-override will look for libtool
scripts.
|
|
packages. Convert LDAP-based applications to depend on openldap-client, and
bump PKGREVISION for those that depend on it by default.
|
|
Bump revision.
|
|
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
|
|
for libtool archives, remove the .a and .so entries. Bump revision.
Add DragonFly detection for shared libraries. Always try to find -lssl
with -lcrypto, unbreaking the test at least on DragonFly, but should
not harm elsewhere.
|
|
Issue found by Wolfgang Solfrank.
|
|
Use our libtool
Update to 1.1.1
Fixes security issue (DoS):
http://secunia.com/advisories/19300/
> Security fixes
> * Additional state checking in the EAP-MSCHAPv2 module.
> Bug found by Steffen Schuster.
>
> Feature improvements
> * More dictionary updates
> * Additional tests and fixes for Digest module from Phillipe Sultan.
> * Add new "phone" response mode to rlm_otp/cryptocard.
> * Put the eap sessions into a tree, so that looking them up is very
> fast, and no longer O(n) in the number of sessions.
> * Install the schema examples for a set of backends with the rest
> of the documentation.
> * Add support for xlat expansion of attributes from LDAP.
>
> Bug fixes
> * Fix rlm_perl crash. (closes: #348)
> * Fix handling of CoA-Request packets (close #344). Also correct
> name of CoA packets.
> * Fix an error on x86_64 machines when reading dictionaries.
> (closes: #312)
> * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
> module. (closes: #314 #328)
> * Workaround Cisco bug in State attribute handling in rlm_otp.
> * Support LP64 for async mode in rlm_otp.
> * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
> modules. (closes: #75)
> * Make "use_tunneled_reply" work properly for PEAP.
> * Copy the whole string when getting a one-to-one-mapped attribute
> from LDAP (closes: #261)
> * Fix net-snmp's ucd-snmp compatibility mode.
|
|
|
|
> FreeRADIUS 1.1.0 ; $Date: 2006/01/04 05:55:19 $, urgency=low
> Feature improvements
> * rlm_ldap has "set_auth_type" configuration option, which should
> address some configuration problems when using it.
> * Fix MIT Kerberos bug
> * Modules can be load balanced, both in isolation and redundantly.
> See doc/load-balance.txt for more information.
> * rlm_perl is now marked "stable"
> * N-tier certificate patch from Mohammed Petiwala.
> * Copied dictionaries from the CVS head (many, many, more vendors)
> * Enabled support for weird VSA formats, like Lucent and Starent.
> * Support encrypted IP address and integers, for Juniper clients.
> * Add PEAP machine authentication support in module "rlm_mschap".
> * Support User-Password field encryption in digest mode.
> * rlm_x99_token has become rlm_otp (with lots of changes).
> * Add rlm_sqlcounter to the list of stable modules.
> * Read MySQL specific options in sections [freeradius] and [client]
> from file "my.cnf".
> * Support the ${Cisco-AVPair[n]} syntax.
> * Execute modules in {Pre,Post}-Proxy-Type stanzas.
> * Add new options to radclient to run stress tests on the server.
> * New module "rlm_sql_log" to postpone the storage of accounting data
> in a SQL database. See rlm_sql_log(5) manpage.
> * New program "radsqlrelay" which sends the SQL logfile according to
> the SQL server's capabilities.
>
> Bug fixes
> * 306 (HUP when built with threads, but executed with -s)
> * 285 (more attributes in dictionary.cisco.vpn3000)
> * rlm_digest has a number of bug fixes to authentication types.
> * Don't leak memory in module "rlm_sql".
> * Update the dictionaries, so that VALUEs with the same name,
> but different numbers, aren't allowed.
> * Queue the request before looking for available threads.
> * Don't free the check items after we received the proxy reply.
> * Expand config variables in included files, too.
> * Check the return value of accounting modules and don't proxy
> invalid requests.
> * In rlm_passwd, don't close a file stream more than once.
> * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
> * Walk the whole string in when escaping strings in rlm_ldap.
> * Include crypt.h if it is available so we get a prototype for crypt(),
> spotted by Konstantin Kubatkin.
> * Removed (for almost all uses) length restrictions on vendor names
> and VALUE names.
> * Don't leak memory when proxying an Access-Challenge response.
> * Make the sleep time user-defined, so radrelay can send more than
> 7 requests/s.
> * Fix a memory leak in rlm_checkval.
> * radclient doesn't resend countless times packets with invalid
> signature.
> * Fix segfault and mem leak in rlm_pam.
|
|
pkg has been changed to 5.x). Reminded by wiz... thanks.
|
|
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
|
|
CONFIGURE_ARGS.
|
|
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
|
|
Add -fPIC for amd64 platform to fix build. Reported in PR 31225 by Eric Radman
|
|
Bump to nb2
|
|
Bump to nb1
|
|
> Security Fixes
> * SQL injection attack in the module "rlm_sqlcounter".
> * Buffer overflows in the module "rlm_sqlcounter".
> * Expansion of variable %t may write 26 bytes beyond the buffer
> bound. Primoz Bratanic is credited with the discovery of these
> three bugs.
>
> Bug fixes
> * Don't de-reference a NULL pointer if the auth-type is unknown
> in the function rad_check_password().
> * Escape more characters in the LDAP queries.
> Bug found by Suse engineers.
> * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
> it leaks memory.
> * Fix an off-by-one error in the module rlm_sql_unixodbc.
> Bug found by Suse engineers.
> * In rlm_sql, resize the buffer for the value of SQL-User-Name.
> * Initialize memory for a new SQL socket in the module rlm_sql.
> * Don't add too many attributes after running an external program.
> Bug found by Suse engineers.
> * Fix an off-by-one error in the function getthing().
> * snprintf() and vsnprintf() replacements were not compiled if
> the autoconf tests didn't find the functions.
> * Don't use vsprintf() anymore, but the replacement for vsnprintf()
> in libradius instead.
> * The function decode_attribute() may write beyond buffer bounds.
> Bug found by Suse engineers.
> * Fix a memset() in the function request_enqueue() which was
> begining at the wrong address. Bug found by Matthias Ruttman.
> * Fix an off-by-one error in the function xlat_copy().
> Bug found by Primoz Bratanic.
> * Fix other off-by-one errors in module "rlm_unix", too.
> Bug found by Allan Bazinet.
> * Fix a 2-byte over-run read in function rad_decode().
> * Update thread pool queue properly.
> * Autonconf tests try first any user-specified directory,
> otherwise they may pick up the wrong version.
> * Delete the autoconf tests for the libldap dependancies.
> * Install all the regular files under the "doc" directory.
> * Distinguish between exit code <0 (failure) and >0 (reject)
> in Exec-Program-Wait. Patch from Thor Spruyt.
> * Make Expiration work.
> * Clean up the code for opening a proxy socket.
> * When finding a realm to proxy to, if all are dead, wake them
> if wake_all_if_all_dead is true.
> * In radwho, print the NAS-Port as unsigned int.
> * Use extended regex instead of basic regex in rlm_attr_filter.
> * Catch the case where someone deletes a directory that rlm_detail
> is using.
> * Use the variable $(LDFLAGS) when linking a module.
> * Ignore the Stripped-User-Name when a realm has the "nostrip"
> directive.
> * Add support for NT-Password in rlm_pap.
> * In rlm_sqlcounter, use the time left to the next reset if it's
> inferior to the time left in the counter.
> * Calculate Message-Authenticator correctly for Accounting-Request
> and Accounting-Response. Bug found by Paolo Rotela.
> * Build on MAC OS X. Still need --disable-shared, though.
> * Fix bug #255 (crash with expired CRL's, etc.)
> * Fix quote removal of the values from a SQL database.
> * Reap the zombie process after a command run from "Exec-Program".
> * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
> * Don't copy VSA's to an Access-Reject packet.
|
|
|
|
a builtin Berkeley DB 1.8x can now be used with option "bdb -gdbm"; no
dbm support at all can be selected with "-gdbm".)
- Specify --with/--without exactly once per option.
- Merge postgresql support to a single option (pgsql), and correspondingly
use pgsql.buildlink3.mk to pick the builder's desired implementation.
This aligns freeradius with the rest of pkgsrc, wrt pgsql support.
|
|
Bump PKGREVISION
|
|
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
|
