3.0.27

@mcnewton mcnewton released this 09 Jul 12:37
· 34683 commits to master since this release
f317c5b

Configuration changes

  • BlastRADIUS mitigations have been added to the "security" section. See require_message_authenticator and also limit_proxy_state.
  • BlastRADIUS mitigations have been added to radclient. See man radclient, and the -b option.

Feature improvements

  • Update dictionary.alcatel.sr
  • Added dictionary.eleven, dictionary.tplink
  • Relax EAP pre-proxy checks based on discussions in the IETF.
  • Update advice on shared secrets, including suggesting a secure method for generating useful secrets.

Bug fixes

  • Don't leak MD contexts with OpenSSL 3.0.
  • Fix rlm_python3 build with Python >= 3.10. Fixes #4441.
  • The DS-Lite-Tunnel-Name data type should be 'octets'.
  • Fix rlm_expr destroying MD context, causing leaks with OpenSSL >= 3.0 #4893
  • Many small ASAN / LSAN fixes from Jorge Pereira.
  • Allow auth+acct for TCP sockets, and allow both types of packets.
  • Call atomic_queue_free function on exit, which avoids talloc complaints on exit.
  • Clear old module instances before reloading which helps lower peak memory usage. Patch from Nick Porter.
  • Note that rlm_ldap does not support "-=".
  • Force reply packet type to Reject when running Post-Auth-Type Reject.
  • Back-port RPM fixes from 3.2.
  • Don't lock when TLS connections block. Fixes #3051. See the "nonblock" configuration in sites-available/tls.
  • Clean up state ctx storage for lost packets. Fixes #5055.
  • Fix compiler warning when building without TCP. Fixes #5054.
  • Use virtual server "default" when passed "-i" and "-p" on the command line.
  • Clean up several debug messages.
  • Fix Message-Authenticator for CoA replies.
  • Don't add a delay for proxied reject packets from a home server.
  • Improve Python exception handling. #5242
  • Correctly trim whitespace in rlm_unpack.
  • Handle returned NULL column values in rlm_sql_freetds.
  • Fix crash with TLS Status-Server requests. Fixes #5326.
  • Fix OpenSSL API usage which sometimes caused a crash in MS-CHAP. Previously it would either always crash immediately, or never crash.
  • Fix packet statistics. Stop double counting some packets, and track packet statistics even if a socket is closed.
  • Don't crash in debug mode when multiple intermediate certs are used. Patch from Alexander Chernikov.