freeradius-2.2.6-4.AXS4

The FreeRADIUS Server Project is a high performance and highly configurable
GPL'd free RADIUS server. The server is similar in some respects to
Livingston's 2.0 server. While FreeRADIUS started as a variant of the
Cistron RADIUS server, they don't share a lot in common any more. It now has
many more features than Cistron or Livingston, and is much more configurable.

FreeRADIUS is an Internet authentication daemon, which implements the RADIUS
protocol, as defined in RFC 2865 (and others). It allows Network Access
Servers (NAS boxes) to perform authentication for dial-up users. There are
also RADIUS clients available for Web servers, firewalls, Unix logins, and
more. Using RADIUS allows authentication and authorization for a network to
be centralized, and minimizes the amount of re-configuration which has to be
done when adding or deleting new users.

Security issues fixed with this release:

CVE-2014-2015

Fixed bugs:

* The number of dictionaries have been updated.
* This update implements several Extensible Authentication Protocol (EAP)
improvements.
* A number of new expansions have been added, including: %{randstr:...},
%{hex:...}, %{sha1:...}, %{base64:...}, %{tobase64:...}, and %{base64tohex:...}.
* Hexadecimal numbers (0x...) are now supported in %{expr:...} expansions.
* This update adds operator support to the rlm_python module.
* The Dynamic Host Configuration Protocol (DHCP) and DHCP relay code have been
finalized.
* This update adds the rlm_cache module to cache arbitrary attributes.
* The /var/log/radius/radutmp file was configured to rotate at one-month
intervals, even though this was unnecessary. With this update,
the described problem was fixed.
* The radiusd service could not write the output file created by the raddebug
utility. The raddebug utility now sets appropriate ownership to the output file,
allowing radiusd to write the output.
* After starting raddebug using the "raddebug -t 0" command, raddebug exited
immediately. A typo in the special case comparison has been fixed, and raddebug
now runs for 11.5 days in this situation.
* MS-CHAP authentication failed when the User-Name and MS-CHAP-User-Name
attributes used different encodings, even when the user provided correct
credentials. With this update, authentication with correct credentials no longer fails in this
situation.
* Automatically generated default certificates used the SHA-1 algorithm message
digest, which is considered insecure. The default certificates now use the more
secure SHA-256 algorithm message digest.
* During the Online Certificate Status Protocol (OCSP) validation, radiusd
terminated unexpectedly with a segmentation fault after attempting to access the
next update field that was not provided by the OCSP responder. With this update,
this problem is fixed.
* Previously, radiusd failed to work with some of the more recent
MikroTIK attributes, because the installed directory.mikrotik file did not
include them. With this update, the bug was fixed.