Configuration changes
- BlastRADIUS mitigations have been added to the "security" section. See require_message_authenticator and also limit_proxy_state.
- BlastRADIUS mitigations have been added to radclient. See man radclient, and the -b option.
Feature improvements
- Update dictionary.alcatel.sr
- Added dictionary.eleven, dictionary.tplink
- Relax EAP pre-proxy checks based on discussions in the IETF.
- Update advice on shared secrets, including suggesting a secure method for generating useful secrets.
Bug fixes
- Don't leak MD contexts with OpenSSL 3.0.
- Fix rlm_python3 build with python >= 3.10. Fixes #4441
- The DS-Lite-Tunnel-Name data type should be 'octets'.
- Fix rlm_expr destroying MD context, causing leaks with OpenSSL >= 3.0 #4893
- Many small ASAN / LSAN fixes from Jorge Pereira.
- Allow auth+acct for TCP sockets, and allow both types of packets.
- Call atomic_queue_free function on exit, which avoids talloc complaints on exit.
- Clear old module instances before reloading which helps lower peak memory usage. Patch from Nick Porter.
- Note that rlm_ldap does not support "-=".
- Force reply packet type to Reject when running Post-Auth-Type Reject.
- Back-port RPM fixes from 3.2.
- Don't lock when TLS connections block. Fixes #3051. See the "nonblock" configuration in sites-available/tls.
- Clean up state ctx storage for lost packets. Fixes #5055.
- Fix compiler warning when building without TCP. Fixes #5054.
- Use virtual server "default" when passed "-i" and "-p" on the command line.
- Clean up several debug messages.
- Fix Message-Authenticator for CoA replies.
- Don't add a delay for proxied reject packets from a home server.
- Improve Python exception handling. #5242
- Correctly trim whitespace in rlm_unpack.
- Handle returned NULL column values in rlm_sql_freetds.
- Fix crash with TLS Status-Server requests. Fixes #5326.
- Fix OpenSSL API usage which sometimes caused a crash in MS-CHAP. Previously it would either always crash immediately, or never crash.
- Fix packet statistics. Stop double counting some packets, and track packet statistics even if a socket is closed.
- Don't crash in debug mode when multiple intermediate certs are used. Patch from Alexander Chernikov.