[RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

Ullfig, Roberto Alfredo rullfig at uic.edu
Tue Nov 3 13:54:23 CST 2015


Also, is it typical for patches to not be released in RPMs?

---
Roberto Ullfig – rullfig at uic.edu
ACCC Research Programmer


-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Ullfig, Roberto Alfredo
Sent: Tuesday, November 03, 2015 1:48 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

We installed the previous version from RPM. Should we remove that RPM before installing this version plus patches?

---
Roberto Ullfig – rullfig at uic.edu
ACCC Research Programmer


-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Tuesday, October 27, 2015 4:57 AM
To: radiator at open.com.au
Subject: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.16 (2015-10-27)

   Selected bug fixes, compatibility notes, new features and enhancements

Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.

Two important security fixes. OSC recommends all users to review OSC security advisory OSC-SEC-2015-02 https://www.open.com.au/OSC-SEC-2015-02.html

TLS session resumption may not currently work with all Windows clients. A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or wait for the client to retry the authentication.

Radiator now supports new module AddressAllocator DHCPv6 for IPv6 address allocation and prefix delegation



   Detailed changes


Created separate directory for PPM files compiled for ActivePerl. Moved files from ppm to ppm/activeperl/ and updated the meta file contents.
Win32-Lsa is now compiled for both ActivePerl 5.18 and 5.20 flavours up to Perl 5.20: 64bit and 32bit with 64bit integers.
Created separate directory for PPM files compiled for Strawberry Perl.
Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers.

Radiator now logs the Net::SSLeay and SSL/TLS library version during the radiusd startup. TLS v1.2 for TLS based EAP methods is not used if it can not be determined that the MPPE keys can be correctly calculated.
These changes enhance compatibility with future Apple iOS, OS X and Android 6 Marshmallow. If not all TLS versions are available, details of what can be used are logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 or later are required to fully utilise all TLS versions for TLS based EAP methods. Thanks to radiator mailing list members for comments and suggestions.

AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration parameter. This parameter requires Sys::Syslog version 0.28 or later. 
Suggested by Michael and Kilian Krause.

LDAP modules now support BindFailedHook, which is called when an LDAP bind operation fails. The default is to log the failure. The bind password is no longer logged. To log the password, configure the hook to log it or configure the LDAP clause with the Debug configuration parameter and see the console output. With the kind help of Scott Bertilson.

AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is enabled. Binary attribute values are now logged in text format similarly to RADIUS attributes. To debug the password, use the Debug configuration parameter and see the console output or configure PasswordLogFileName for the Handler.

Resolver for AuthBy DNSROAM now uses eval to catch exceptions from Net::DNS. The Net::DNS API had been changed around version 0.72 to raise exceptions when errors occurred. Uncaught exceptions could cause Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and Paul Dekkers.

Updated error levels for Resolver log messages. Most of the log messages are now using WARNING instead of ERR. These messages are logged for example for DNS failures or badly formatted DNS domains.

ServerHTTP authentication now creates a request that can be correctly proxied to a remote server. Previously the proxied authentication would always fail.

AuthBy RADIUS and its derived modules still required the 'ipv6:' prefix for the LocalAddress parameter. Reported by Claudio Ramirez. The correct address is now logged if binding to LocalAddress fails.

Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.

SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with the Timeout configuration parameter value. This attribute is valid only for ODBC and is set only when Radiator runs on a Windows host. The default value for odbc_query_timeout is 0 which can cause very long timeouts on Windows with SQL queries.

While RADIUS dictionaries are loaded, attributes with unknown types are logged with trace level WARNING. The treatment of unknown types has not changed: the unknown types are treated as binary.

Incorrectly formatted textual IPv6 addresses in configuration files or retrieved for example from SQL backend could cause address resolution loops.

Added support for additional IPv6 functions in Util.pm and UtilSocket6.pm for AddressAllocator DHCPv6 and other modules that require packing IPv6 socket structures with scope ID number and flow information.

AuthBy DYNADDRESS now supports multivalued allocation results. For example, multiple DNS server addresses from DHCPv6 based allocations. The multiple values are mapped to the configured RADIUS attribute, one value per attribute instance.

AuthBy DYNADDRESS now supports MapResultHook. This hook allows modifying the allocation results after they have been received, and before Radiator has processed the MapAttribute definitions.

Added support for AddressAllocator DHCPv6. AddressAllocator DHCPv6 works in conjunction with AuthBy DYNADDRESS and a DHCPv6 server to dynamically allocate IPv6 addresses and prefixes, and provide other configuration information. Both stateless and stateful DHCPv6 configuration is supported.

See the configuration sample files addressallocatordhcpv6.cfg and addressallocatordhcpv6-dhcpd.conf for Radiator and ISC DHCP server in goodies for more examples including use of Delegated-IPv6-Prefix and Framed-IPv6-Prefix for prefix delegation.

Added better logging for invalid EAPType names. Unknown types are logged during the configuration check. Clarified the error message if the default EAPType is unknown. Thanks to Patrick Honing for informing about the unclear log messages.

Failures with send() when sending RADIUS messages over UDP are now correctly logged.

TLS based EAP methods EAP-FAST, EAP-TLS, EAP-TTLS and PEAP now log the TLS version and cipher chosen for the EAP session. TLS values related to the EAP session are also available as special formatting variables. You can use, for example, %{EAPTLS:Protocol} and %{EAPTLS:Cipher} with AuthLog. Suggested by Alexander Hartmaier.

Updated Stream base class to work correctly with non-blocking sockets on some Windows Perl distributions. Windows returns POSIX::EWOULDBLOCK (140) or WSAEWOULDBLOCK instead of EINPROGRESS. 140 was first seen with Strawberry Perl 5.20 and 5.22.

Diameter AttrList get_attrs_d now returns empty list instead of single entry with undef value when the requested attribute was not present.

Changed the type of Cisco-VPN-WebVPN-HTML-Filter in dictionary.cisco-vpn from unsupported bitmap to integer. Reported by Alex Hartmaier.

diapwtst updates: added missing attributes and removed a couple of RADIUS related options.

Fixed a bug which could result in an infinite loop when formatting special variables and could be used to create a DoS attack crashing the radiusd process. Reported by Øyvind Aabling.

AuthBy RADIUS and AuthBy RADSEC now use 32 bit id space when UseExtendedIds is set. While the previous 16 bit id space should be enough, the new value matches the value documented in the reference manual.

Unified Session ID based resumption handling for EAP-TLS, EAP-TTLS and PEAP.

radpwtst now supports subsecond resolution with the -time command line option when Time::HiRes Perl module is available. Time::HiRes is part of all recent Perl distributions.

Updated the recent formatting patch and enhanced its compatibility with older Perl versions.

Added support for tracing TLS handshake and session state for the TLS based EAP methods. Tracing can be enabled with one of: new AuthBy level configuration flag parameter EAPTLS_TraceState, setting the Trace configuration parameter to 5 (EXTRA_DEBUG) or with the PacketTrace configuration parameter.

LogFILE now checks for recursion allowing runHook to call logging if needed. This avoids infinite recursion if LogFormatHook raises an exception. Added a JSON example in LogFormatHook for Log FILE in goodies/logformat.cfg and Radius/LogFormat.pm.

Added LogFormatHook for Log SYSLOG and AuthLog SYSLOG. Updated logformat.cfg with JSON format hook example. Suggested by Craig Simons.

Added example of EAPTLS_TraceState in goodies EAP-TLS, EAP-TTLS and PEAP sample files.

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
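As an added illustration, not part of the announcement above nor of the sample files shipped in Radiator's goodies directory, the following Radiator configuration fragment wires together three of the 4.16 items from the history extract: the EAPTLS_SessionResumption 0 workaround for Windows clients, the new EAPTLS_TraceState flag, and the %{EAPTLS:Protocol} / %{EAPTLS:Cipher} special variables in an AuthLog clause. The user file, certificate paths under %D, the log path under %L and the AuthLog line format are assumptions chosen for the example.

```text
# Added example (not from the announcement): PEAP with tunnelled
# MSCHAP-V2, using the 4.16 TLS logging features. Paths under %D
# (DbDir) and %L (LogDir) are assumptions.

# Inner (tunnelled) authentication
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer PEAP handler
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever

        # 4.16 compatibility note: resumption may fail with some
        # Windows clients. Disabling it costs a full handshake per
        # authentication but avoids the failure.
        EAPTLS_SessionResumption 0

        # Flag parameter added in 4.16: trace TLS handshake and
        # session state for this AuthBy only, without raising the
        # global Trace level to 5 for the whole server.
        EAPTLS_TraceState
    </AuthBy>

    # Record the negotiated TLS version and cipher for each
    # authentication, so clients still negotiating older TLS
    # versions or weak suites can be found in the auth log.
    <AuthLog FILE>
        Filename %L/authlog
        SuccessFormat %l:%U:%{EAPTLS:Protocol}:%{EAPTLS:Cipher}:OK
        FailureFormat %l:%U:%{EAPTLS:Protocol}:%{EAPTLS:Cipher}:FAIL
    </AuthLog>
</Handler>
```

Once the TLS 1.2 capable clients mentioned in the announcement are rolled out, the auth log makes it straightforward to confirm that they actually negotiate TLS 1.2 against this server (which in turn requires the Net::SSLeay 1.53 and OpenSSL 1.0.1 minimums logged at radiusd startup), and EAPTLS_SessionResumption can be set back to 1 for the handlers whose clients resume correctly.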