Hello community,

here is the log from the commit of package freeradius-server for openSUSE:Factory checked in at 2017-02-09 11:16:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/freeradius-server (Old)
 and      /work/SRC/openSUSE:Factory/.freeradius-server.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freeradius-server" Changes: -------- --- /work/SRC/openSUSE:Factory/freeradius-server/freeradius-server.changes 2017-01-11 12:03:13.286140063 +0100 +++ /work/SRC/openSUSE:Factory/.freeradius-server.new/freeradius-server.changes 2017-02-09 11:16:20.708889097 +0100 @@ -1,0 +2,20 @@ +Mon Jan 30 15:46:54 UTC 2017 - adam.ma...@suse.de + +- Merge changes from SLE to openSUSE (FATE#322416): + * freeradius-server-radclient-init-error-buffer.patch - make sure + we initialize error buffer. bsc#911886: radclient error free() + invalid pointer + * freeradius-server-opensslversion.patch: remove OpenSSL version + check and assume we know what we are doing. (bnc#1013311) + * merge .changes file, mostly. +- do not attempt to detect "vulnerable" OpenSSL versions. SUSE + security fixes do not necessarily bump version numbers as + does upstream OpenSSL (bnc#1021375) +- do not generate certificates in %post. End-user needs to do this + manually. +- keep FreeTDS disabled on SLE12 - we never shipped it enabled +- require OpenSSL 1.0+ +- use pkgconfig(systemd) instead of plain systemd as BuildRequires +- don't list manual pages as %doc + +------------------------------------------------------------------- @@ -8,0 +29,6 @@ +Fri Nov 18 14:48:59 UTC 2016 - adam.ma...@suse.de + +- Add upstream keyring +- 2 new modules: rlm_sql_freetds and rlm_eap_fast + +------------------------------------------------------------------- 
@@ -11,3 +37,78 @@ -- update to 3.0.12 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog +- update to 3.0.12 - still fate#320481 + The focus of this release is stability. + * Feature improvements + + Add support for =~ and !~ in update sections. See "man unlang" + + Add dictionary.checkpoint. + + Simultaneous-Use prints out more information. + + Print WARNING in debug mode when packets may be truncated. + + Added expansions %{home_server:state} and + %{home_server_pool:state}, which show the state of the + server / pool. + + Mark rlm_sql_freetds as stable. + + Make rlm_perl less fragile. Patch from Herwin Weststrate. + + Allow extended attributes to have "encrypt=2" + + Update dictionary.aruba. + + Add support for EAP-FAST. This is an isolated feature which + does not affect anything else. + + Update OpenSSL vulnerability list. Use a version of OpenSSL + released after September 20, 2016. + + EAP certificate verification is now done when "verify" is + enabled and "ocsp" is disabled. + + New dhcpclient and rlm_rad_counter man pages. + + Minor abfab and moonshot additions. + + Pass CFLAGS through from environment in RPM builds. Allows + more custom builds. + + Build with Heimdal in addtion to libkrb5. + * Bug Fixes + + Use correct typedef for older versions of sqlite. + + Update mssql schema to add priority + + don't complain on /dev/urandom in ldap + + fix == operator in update sections + + Don't create DHCP strings with many trailing zeros. + + Allow MS-CHAP change passwords instead of complaining on + large buffer. + + Allow assignment or equality operator on SQL. + + Update aclocal tests for FreeBSD 10. + + Remove occasional hang in rlm_linelog. + + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + + A few minor bugfixes caught in v3.1.x cleanup, and + back-ported to v3.0.x. + + do_not_respond again works in post-proxy + + Allow realm "~^.*$" {} and User-Name with no realm. 
+ + Fix leak when creating unknown attributes + + Fix Debian / logrotate. + + Make OpenSSL error functions thread-safe. + + Fix crash with rlm_sql and updating SQL-User-Name. + + Debian build updates. + + Allow regular expression comparisons in radclient. + + Fix memory leak on unknown attributes in detail file reader. + + Update example paths in "man" pages when installing them + + Build fixes for rlm_mschap. Fixes #1489. + + BSD build fixes. Patch from issue #1583. + + Be more careful about /lib/ when building. Fixes #1585. + + Correct ifdef placement error. Fixes #1572. + + Allow for more files in internal "exfile" API So it will be + possible to open more than 64 "detail" files at the same + time. + + Remove support for statically built EAP modules. Fixes #1591. + + Many fixes to rlm_python from Guillaume Pannatier. + + Use correct week adjustment in SQLcounter. Fixes #1608 + + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + + Fix checks for module / config file change on HUP. + + Compile regex comparisons when sent via "debug condition". + + Update filenames in documentation and examples. + + Don't crash if SQL connection becomes unavailable. + + Disallow originate_coa when proxy_requests = no. + + Free rad_perlconf_hv in correct perl context. + + Multiple fixes for Debian builds. #1510, among others. + + Set OpenSSL FIPS compatibility flag when necessary. + + Pulled fixes for the build system over from other branches. + + Fix OCSP for RADIUS over TLS. + + Fix skip_if_ocsp_ok behavior. + + Better fixes for systems without closefrom() but which have + /proc. + + Minor build fixes back-ported from v4.0.x. + + build --whout-ascend-binary. Fixes #1761. + + Be more aggressive about not opening new connections in + debug mode after CTRL-C. Address #1604. + 
@@ -27,3 +128,94 @@ -- update to 3.0.11 - * for a detailed list of changes look at: - /usr/share/doc/packages/freeradius-server/ChangeLog +- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, + bsc#935573, CVE-2015-4680) + * Changes of version 3.0.11 + + Feature improvements + - "unlang" comparisons of IP addresses to IP prefixes are now + detected, and types automatically cast. + - Allow shorthand form of ipv4prefix values e.g. 127/8. + - Add "auto_chain" to raddb/mods-available/eap, tls subsection. + This allows the disabling of OpenSSL auto-chaining of + certificates. Which might be wrong. + - Added printing of coa and disconnect stats (radmin). + - radclient defaults to expecting Access-Accept responses to + Status-Server. + - Updated dictionary.lancom, dictionary.starent. + - Portability fixes for Solaris. + - More errors from ntlm_auth gets passed to MS-CHAP. + - Update abfab-tr-idp virtual server. + - Added "filter_password" in policy.d/filter. This removes + embedded zero bytes in User-Password, for compatibility with + broken clients. + - The server now issues a WARNING message if duplicate + configuration items are found. + - TLS can skip the "verify" section if OCSP returns OK. See + raddb/mods-available/eap, "skip_if_ocsp_ok". + - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the + result from the OCSP check. + - Interoperate with AD and "LmCompatibiltyLevel = 5", by + always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind + in rlm_mschap. + - TTLS and PEAP now require "virtual_server" to be a real + server. + - Print WARNING when TTLS or PEAP identities are spoofed or + not properly anonymized. See RFC 7542 for requirements. + - Various rlm_python fixes from Herwin Weststrate. + - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", + which is useful when the home server does not respond. 
+ - elasticsearch updates from Matthew Newton + + Bug Fixes + - Fix issue where field nas_type would not be accessible via + the %{client:} xlat, for clients loaded from SQL. + - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to + msg_callback with 'pseudo' content types. + - Data type "ipv4prefix" is parsed correctly. + - Use correct talloc context in rlm_exec. Fixes #1338. + - Complain in unlang if "else" is used with no previous "if" + or "elsif". + - Send accounting status packets to the accounting port. + Fixes #1364. + - Print out CFLAGS when doing "radiusd -Xxv" + - Fixed bug with coa/acct stats value #1339. Based on patch + from Jorge Pereira. + - Fixes for LEAP proxying. Don't use LEAP! + - Fix issue with "directory already exists" seen when doing + "make install". + - Fixed bug with radmin related to the option "stats detail + <filename>" + - Complain if the detail file reader does not have permission + to read the "detail.work" file. Fixes #1398 + - Fixed SoH. Attributes were not being copied to the virtual + server. + - Used a wrong list to global statistics in "stats". + - Create EAP-PWD identity correctly. Prevents segfaults. + - Dynamically validate authentication types for PEAP and + EAP-MSCHAPv2. + - Fix includes in installed headers. + - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys + correctly. See raddb/mods-available/eap, "disable_tlsv1_2" + - Allow password change to work for MS-CHAP. This requires + 'r=0', because password changes are not retries. + - Fix home server fail-over for home servers using TCP and/or + RadSec. + - Special characters in expanded regexes are now escaped e.g. + User-Name containing '.', and comparing /%{User-Name}/, the + '.' will now be escaped. See src/tests/keywords/regex-escape. + - Use correct authentication vector when sending Access-Reject + replies for RadSec. + - Set FreeRADIUS-Proxied-To in TTLS again. 
You should use the + "inner-tunnel" virtual server, instead of relying on this + attribute. + - Fix debugging constants in rlm_perl. Patch from Herwin + Weststrate. + - Add samba-dev / samba4-dev to debian builds so that + rlm_mschap can automatically use the new winbind API. + - Automatically skip zero-length attributes when sending ++++ 316 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/freeradius-server/freeradius-server.changes ++++ and /work/SRC/openSUSE:Factory/.freeradius-server.new/freeradius-server.changes New: ---- freeradius-server-opensslversion.patch freeradius-server-radclient-init-error-buffer.patch freeradius.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freeradius-server.spec ++++++ --- /var/tmp/diff_new_pack.PbGrmw/_old 2017-02-09 11:16:21.844728333 +0100 +++ /var/tmp/diff_new_pack.PbGrmw/_new 2017-02-09 11:16:21.852727200 +0100 @@ -25,16 +25,21 @@ %if 0%{?suse_version} > 1140 %bcond_without systemd -%bcond_without freetds %bcond_without libjson %define runpath /run %else %bcond_with systemd -%bcond_with freetds %bcond_with libjson %define runpath /var/run %endif +# Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS. +%if 0%{?suse_version} > 1330 || ( 0%{?suse_version} > 1140 && 0%{?is_opensuse} ) +%bcond_without freetds +%else +%bcond_with freetds +%endif + %if 0%{?is_opensuse} %bcond_without memcached %else @@ -47,6 +52,8 @@ Url: http://www.freeradius.org/ Source: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2 Source99: ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2.sig +# keyring downloaded via link @ ftp://ftp.freeradius.org/pub/freeradius/README +Source100: freeradius.keyring Source1: radiusd.service Source2: freeradius-tmpfiles.conf Patch1: freeradius-server-tmpfiles.patch 
@@ -54,6 +61,8 @@ Patch3: freeradius-server-rcradiusd.patch Patch4: freeradius-server-fix-cert-bootstrap.patch Patch5: freeradius-server-rlm_sql_unixodbc-configure.patch +Patch6: freeradius-server-radclient-init-error-buffer.patch +Patch7: freeradius-server-opensslversion.patch BuildRequires: apache2-devel BuildRequires: cyrus-sasl-devel BuildRequires: db-devel @@ -84,7 +93,7 @@ BuildRequires: ncurses-devel BuildRequires: net-snmp-devel BuildRequires: openldap2-devel -BuildRequires: openssl-devel +BuildRequires: openssl-devel > 1.0 BuildRequires: pam-devel BuildRequires: perl BuildRequires: postgresql-devel @@ -112,7 +121,7 @@ %{?libperl_requires} Conflicts: radiusd-livingston radiusd-cistron icradius %if %{with systemd} -BuildRequires: systemd +BuildRequires: pkgconfig(systemd) %{?systemd_requires} %endif @@ -226,6 +235,8 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")" @@ -259,12 +270,13 @@ --without-rlm_cache_memcached \ %endif %if ! %{with freetds} - --without-rlm_freetds \ + --without-rlm_sql_freetds \ %endif %if ! %{with json} --without-rlm_rest \ %endif - --disable-silent-rules + --disable-silent-rules \ + --disable-openssl-version-check make %{?_smp_mflags} %install @@ -346,12 +358,6 @@ %endif %post -# Generate default certificates -if [ $1 -eq 1 ]; then - %{_sysconfdir}/raddb/certs/bootstrap -fi -chgrp radiusd %{_sysconfdir}/raddb/certs/* - %if %{with systemd} %service_add_post %{unitname}.service systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf @@ -604,8 +610,8 @@ %{_sbindir}/radrelay %{_sbindir}/raddebug # man-pages -%doc %{_mandir}/man5/* -%doc %{_mandir}/man8/* +%{_mandir}/man5/* +%{_mandir}/man8/* # dictionaries %attr(755,root,root) %dir %{_datadir}/freeradius %{_datadir}/freeradius/* 
@@ -665,7 +671,9 @@ %{_libdir}/freeradius/rlm_sql.so %{_libdir}/freeradius/rlm_sqlcounter.so %{_libdir}/freeradius/rlm_sqlippool.so +%if %{with freetds} %{_libdir}/freeradius/rlm_sql_freetds.so +%endif %{_libdir}/freeradius/rlm_sql_null.so %{_libdir}/freeradius/rlm_test.so %{_libdir}/freeradius/rlm_unix.so @@ -681,7 +689,7 @@ %files utils %defattr(-,root,root) -%doc %{_mandir}/man1/* +%{_mandir}/man1/* %{_bindir}/* %files libs ++++++ freeradius-server-opensslversion.patch ++++++ Author: Adam Majer <adam.ma...@suse.de> Summary: SUSE OpenSSL version scheme does not follow upstream. Relax, breathe, apply. Index: freeradius-server-3.0.12/src/main/version.c =================================================================== --- freeradius-server-3.0.12.orig/src/main/version.c +++ freeradius-server-3.0.12/src/main/version.c 
@@ -50,36 +50,7 @@ static long ssl_built = OPENSSL_VERSION_ */ int ssl_check_consistency(void) { - long ssl_linked; - - ssl_linked = SSLeay(); - - /* - * Status mismatch always triggers error. - */ - if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) { - mismatch: - ERROR("libssl version mismatch. built: %lx linked: %lx", - (unsigned long) ssl_built, - (unsigned long) ssl_linked); - - return -1; - } - - /* - * Use the OpenSSH approach and relax fix checks after version - * 1.0.0 and only allow moving backwards within a patch - * series. - */ - if (ssl_built & 0xf0000000) { - if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) || - (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch; - /* - * Before 1.0.0 we require the same major minor and fix version - * and ignore the patch number. - */ - } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch; - + // noop, since ABI is compatible for SUSE OpenSSL return 0; } ++++++ freeradius-server-radclient-init-error-buffer.patch ++++++ Index: freeradius-server-3.0.3/src/main/radclient.c =================================================================== --- freeradius-server-3.0.3.orig/src/main/radclient.c +++ freeradius-server-3.0.3/src/main/radclient.c @@ -1180,6 +1180,7 @@ int main(int argc, char **argv) fr_perror("radclient"); return 1; } + fr_strerror_printf(""); /* Initialize the error buffer */ fr_strerror(); /* Clear the error buffer */ /*
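Review bot: in the Jan 30 freeradius-server.changes hunk, the two OpenSSL entries describe different mechanisms but read as the same change. "freeradius-server-opensslversion.patch: remove OpenSSL version check" is the patch that turns ssl_check_consistency() into a no-op, while "do not attempt to detect 'vulnerable' OpenSSL versions ... (bnc#1021375)" corresponds to the new `--disable-openssl-version-check` configure flag added in the spec. Name the configure flag in the second entry so a later maintainer can tell which bug number belongs to which change.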
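Review bot: the comment introducing the new FreeTDS %bcond block in the spec (`# Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS.`) is garbled; it should say something like "We never shipped it enabled there". The condition itself (`> 1330 || (> 1140 && is_opensuse)`) matches the changelog line "keep FreeTDS disabled on SLE12", and the matching `%if %{with freetds}` guard around rlm_sql_freetds.so in %files plus the rename to `--without-rlm_sql_freetds` keep the build and the file list consistent.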
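Review bot: `Source100: freeradius.keyring` is added with only `# keyring downloaded via link @ ftp://ftp.freeradius.org/pub/freeradius/README` as provenance. That keyring is what validates Source99 (`%{name}-%{version}.tar.bz2.sig`), and ftp:// gives no transport authentication, so record the key id or fingerprint that the keyring is expected to contain in the comment; otherwise a swapped keyring would validate a swapped tarball.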
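Review bot: `BuildRequires: openssl-devel > 1.0` does not match the changelog's "require OpenSSL 1.0+"; the intended comparison is `>=`. In practice rpm orders 1.0.x after 1.0 so 1.0.x still satisfies the strict form, but the operator should state what the changelog states. Suggest `BuildRequires: openssl-devel >= 1.0`.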
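Review bot: the %post hunk removes `chgrp radiusd %{_sysconfdir}/raddb/certs/*` together with the bootstrap call. Dropping the bootstrap matches "do not generate certificates in %post. End-user needs to do this manually", but the chgrp was the only step that made certificate and key files readable by the radiusd group, so nothing in the package now does that for certificates the admin generates afterwards. Either keep the chgrp (guarded so it is harmless when the directory is empty) or spell out the manual steps, bootstrap plus group ownership, where the admin will see them.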
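Review bot: replacing the whole body of ssl_check_consistency() with `return 0` also removes the status-nibble comparison (`(ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)`), which is the one check that does not depend on SUSE's version numbering: it catches a release build running against a beta or development libssl. Suggest keeping that comparison and dropping only the `0xfffff000` / `0x00000ff0` tests that the "Relax, breathe, apply" summary is aimed at, and logging the built and linked values at debug level so an ABI mismatch is still visible in radiusd -X output. Style: `// noop, since ABI is compatible for SUSE OpenSSL` is the only C++-style comment in a file that uses `/* */` throughout.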
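Review bot: freeradius-server-radclient-init-error-buffer.patch still carries `Index: freeradius-server-3.0.3/src/main/radclient.c` while the package is now 3.0.12, so `%patch6 -p1` depends on the hunk context surviving nine releases; rebase the path and hunk offsets to 3.0.12 and confirm the bsc#911886 free() crash still reproduces there before carrying the patch forward. The patch also lacks the Author/Summary header that the sibling opensslversion patch has, and the added line `fr_strerror_printf(""); /* Initialize the error buffer */` sits directly above `fr_strerror(); /* Clear the error buffer */`, so the two comments say almost the same thing; the comment should say why an explicit initialize is required before the clear.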