Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features
On 11/03/2015 10:25 PM, Ullfig, Roberto Alfredo wrote:

> Ah, the Android 6 support is in base 4.16 then - my mistake. Thanks!

Yes. 4.16 should do the right thing no matter what the OpenSSL and Net::SSLeay versions are. It will also log during the startup about the versions it finds and what they can be done with (if TLS 1.2 is supported and can be enabled etc.).

Besides Android 6, some of the recent Linux distributions ship with wpa_supplicant that will try to use TLS 1.2, just like Android 6 does. The working TLS 1.2 support should keep these users happy too.

Thanks,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
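Added example, not part of the original post and not Radiator code: a pre-upgrade check of the two minimums that the 4.16 release notes in this thread name for using all TLS versions with TLS-based EAP methods (Net::SSLeay 1.53, OpenSSL 1.0.1). The function names are made up for this example, and it assumes the `perl` on PATH is the one that runs radiusd; Radiator makes its own decision at startup and logs it.

```shell
#!/bin/sh
# Added example, not Radiator code. Minimums are the ones the 4.16 release
# notes name for using all TLS versions with TLS-based EAP methods.
MIN_NETSSLEAY=1.53
MIN_OPENSSL=1.0.1

# decimal_ge HAVE WANT: Perl module versions compare as decimal numbers.
decimal_ge() {
    awk -v h="$1" -v w="$2" 'BEGIN { exit ((h + 0 >= w + 0) ? 0 : 1) }'
}

# dotted_ge HAVE WANT: field-by-field compare for OpenSSL-style versions.
# A letter suffix (1.0.1e) is only looked at when the numbers are equal,
# and any suffix sorts after no suffix.
dotted_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= n || i <= m; i++) {
            hs = h[i] ""; hn = hs; sub(/[^0-9].*/, "", hn); sub(/^[0-9]+/, "", hs)
            ws = w[i] ""; wn = ws; sub(/[^0-9].*/, "", wn); sub(/^[0-9]+/, "", ws)
            if (hn + 0 != wn + 0) exit ((hn + 0 > wn + 0) ? 0 : 1)
            if (hs != ws) exit ((hs > ws) ? 0 : 1)
        }
        exit 0
    }'
}

# openssl_version BANNER: print the version from a library banner such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013"; fail for any other library name.
openssl_version() {
    case "$1" in
        "OpenSSL "?*) v=${1#"OpenSSL "}; printf '%s\n' "${v%% *}" ;;
        *) return 1 ;;
    esac
}

# tls12_prereqs NETSSLEAY_VERSION BANNER: print a one-word verdict.
tls12_prereqs() {
    if ! ossl=$(openssl_version "$2"); then echo "unknown-library"; return 1; fi
    decimal_ge "$1" "$MIN_NETSSLEAY" || { echo "netssleay-too-old"; return 1; }
    dotted_ge "$ossl" "$MIN_OPENSSL" || { echo "openssl-too-old"; return 1; }
    echo "ok"
}

# Ask the perl on PATH (assumed to be the one that runs radiusd). Net::SSLeay
# reports the SSL/TLS library it is linked against, which can differ from the
# openssl command-line tool.
have=$(perl -MNet::SSLeay -e 'print $Net::SSLeay::VERSION' 2>/dev/null) || have=""
banner=$(perl -MNet::SSLeay -e 'print Net::SSLeay::SSLeay_version()' 2>/dev/null) || banner=""
if [ -z "$have" ]; then
    echo "Net::SSLeay is not installed for this perl"
else
    echo "Net::SSLeay $have / $banner: $(tls12_prereqs "$have" "$banner")"
fi
```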
Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features
Ah, the Android 6 support is in base 4.16 then - my mistake. Thanks!

---
Roberto Ullfig - rull...@uic.edu
ACCC Research Programmer

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Tuesday, November 03, 2015 2:22 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

On 11/03/2015 09:54 PM, Ullfig, Roberto Alfredo wrote:

> Also, is it typical for patches to not be released in RPMs?

Yes, the patches work best with the .tgz package:
- untar the release .tgz
- untar the patches on top of this
- then proceed with 'perl Makefile.PL' as described in the installation manual for the .tgz package.

While it's possible to replace files that were installed with rpm, I'd do it only when there's a specific need for it.

> We installed the previous version from RPM. Should we remove that RPM before
> installing this version plus patches?

'rpm -Uvh Radiator-4.16-1.noarch.rpm' should be enough to upgrade if you do not need patches and want to stay with rpm packaging.

If there's something in the patches you do need, then you could consider switching to .tgz + patches. I'd say the current patches are not worth switching from rpm unless you want to try the RadSec Gossip features.

Thanks,
Heikki

--
Heikki Vatiainen
Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features
On 11/03/2015 09:54 PM, Ullfig, Roberto Alfredo wrote:

> Also, is it typical for patches to not be released in RPMs?

Yes, the patches work best with the .tgz package:
- untar the release .tgz
- untar the patches on top of this
- then proceed with 'perl Makefile.PL' as described in the installation manual for the .tgz package.

While it's possible to replace files that were installed with rpm, I'd do it only when there's a specific need for it.

> We installed the previous version from RPM. Should we remove that RPM before
> installing this version plus patches?

'rpm -Uvh Radiator-4.16-1.noarch.rpm' should be enough to upgrade if you do not need patches and want to stay with rpm packaging.

If there's something in the patches you do need, then you could consider switching to .tgz + patches. I'd say the current patches are not worth switching from rpm unless you want to try the RadSec Gossip features.

Thanks,
Heikki

--
Heikki Vatiainen
Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features
Also, is it typical for patches to not be released in RPMs?

---
Roberto Ullfig – rull...@uic.edu
ACCC Research Programmer

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Ullfig, Roberto Alfredo
Sent: Tuesday, November 03, 2015 1:48 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

We installed the previous version from RPM. Should we remove that RPM before installing this version plus patches?

---
Roberto Ullfig – rull...@uic.edu
ACCC Research Programmer

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Tuesday, October 27, 2015 4:57 AM
To: radiator@open.com.au
Subject: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

Revision 4.16 (2015-10-27)

Selected bug fixes, compatibility notes, new features and enhancements

- Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.
- Two important security fixes. OSC recommends all users to review OSC security advisory OSC-SEC-2015-02 https://www.open.com.au/OSC-SEC-2015-02.html
- TLS session resumption may not currently work with all Windows clients.
Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features
We installed the previous version from RPM. Should we remove that RPM before installing this version plus patches?

---
Roberto Ullfig – rull...@uic.edu
ACCC Research Programmer

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Tuesday, October 27, 2015 4:57 AM
To: radiator@open.com.au
Subject: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

Revision 4.16 (2015-10-27)

Selected bug fixes, compatibility notes, new features and enhancements

- Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.
- Two important security fixes. OSC recommends all users to review OSC security advisory OSC-SEC-2015-02 https://www.open.com.au/OSC-SEC-2015-02.html
- TLS session resumption may not currently work with all Windows clients. A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or wait for the client to retry the authentication.
- Radiator now supports new module AddressAllocator DHCPv6 for IPv6 address allocation and prefix delegation

Detailed changes

- Created separate directory for PPM files compiled for ActivePerl. Moved files from ppm to ppm/activeperl/ and updated the meta file contents.
[RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features
We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

Revision 4.16 (2015-10-27)

Selected bug fixes, compatibility notes, new features and enhancements

- Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.
- Two important security fixes. OSC recommends all users to review OSC security advisory OSC-SEC-2015-02 https://www.open.com.au/OSC-SEC-2015-02.html
- TLS session resumption may not currently work with all Windows clients. A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or wait for the client to retry the authentication.
- Radiator now supports new module AddressAllocator DHCPv6 for IPv6 address allocation and prefix delegation

Detailed changes

- Created separate directory for PPM files compiled for ActivePerl. Moved files from ppm to ppm/activeperl/ and updated the meta file contents. Win32-Lsa is now compiled for both ActivePerl 5.18 and 5.20 flavours up to Perl 5.20: 64bit and 32bit with 64bit integer.
- Created separate directory for PPM files compiled for Strawberry Perl. Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers.
- Radiator now logs the Net::SSLeay and SSL/TLS library version during the radiusd startup. TLS v1.2 for TLS based EAP methods is not used if it can not be determined that the MPPE keys can be correctly calculated. These changes enhance compatibility with future Apple iOS, OS X and Android 6 Marshmallow. If all TLS versions are not available, details of what can be used is logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 or later is required to fully utilise all TLS versions for TLS based EAP methods. Thanks to radiator mailing list members for comments and suggestions.
- AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration parameter. This parameter requires Sys::Syslog version 0.28 or later. Suggested by Michael and Kilian Krause.
- LDAP modules now support BindFailedHook which is called when LDAP bind operation fails. The default is to log the failure. Bind password is no longer logged. To log the password, configure the hook to log it or configure the LDAP clause with the Debug configuration parameter and see the console output. With the kind help of Scott Bertilson.
- AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is enabled. Binary attribute values are now logged in text format similarly to RADIUS attributes. To debug the password, use the Debug configuration parameter and see the console output or configure PasswordLogFileName for the Handler.
- Resolver for AuthBy DNSROAM now uses eval to catch exceptions from Net::DNS. The Net::DNS API had been changed around version 0.72 to raise exceptions when errors occurred. Uncaught exceptions could cause Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and Paul Dekkers.
- Updated error levels for Resolver log messages. Most of the log messages are now using WARNING instead of ERR. These messages are logged for example for DNS failures or badly formatted DNS domains.
- ServerHTTP authentication now creates a request that can be correctly proxied to a remote server. Previously the proxied authentication would always fail.
- AuthBy RADIUS and its derived modules still required 'ipv6:' prefix for LocalAddress parameter. Reported by Claudio Ramirez.
- Correct address is now logged if binding to LocalAddress fails.
- Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.
- SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with the Timeout configuration parameter value. This attribute is valid only for ODBC and is set only when Radiator runs on a Windows host. The default value for odbc_query_timeout is 0 which can cause very long timeouts on Windows with SQL queries.
- While RADIUS dictionaries are loaded, attributes with unknown types are logged with trace level WARNING. The treatment of unknown types has not changed: the unknown types are treated as binary.
- Incorrectly formatted textual IPv6 addresses in configuration files or retrieved for example from SQL bac