head	1.2;
access;
symbols
	pkgsrc-2026Q1:1.1.0.14
	pkgsrc-2026Q1-base:1.1
	pkgsrc-2025Q4:1.1.0.12
	pkgsrc-2025Q4-base:1.1
	pkgsrc-2025Q3:1.1.0.10
	pkgsrc-2025Q3-base:1.1
	pkgsrc-2025Q2:1.1.0.8
	pkgsrc-2025Q2-base:1.1
	pkgsrc-2025Q1:1.1.0.6
	pkgsrc-2025Q1-base:1.1
	pkgsrc-2024Q4:1.1.0.4
	pkgsrc-2024Q4-base:1.1
	pkgsrc-2024Q3:1.1.0.2
	pkgsrc-2024Q3-base:1.1;
locks; strict;
comment	@ * @;


1.2
date	2026.05.13.09.30.42;	author adam;	state dead;
branches;
next	1.1;
commitid	0yFuwCfybrdLrDFG;

1.1
date	2024.07.24.14.28.05;	author manu;	state Exp;
branches;
next	;
commitid	1OgfmcxL5znse6jF;


desc
@@


1.2
log
@freeradius: updated to 3.2.8

FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
Configuration changes
* Replace dictionary.infinera with the correct one.
* Update dictionary.alteon

Feature improvements
* Add support for automated fuzzing.  This doesn't affect
  normal operations, but it does allow for testing of the
  RADIUS decoder.
* Allow tagged attributes to use ":V" as a tag in some cases.
  The tag is then read from the value which is being assigned
  to the attribute.  This functionality is allowed in 'update'
  sections, including 'update' in module configurations.
  See mods-available/ldap for an example.
* Add kafka module.  See mods-available/kafka.
* Allow &control:Packet-SRC-IP-Address to be used when
  proxying needs a given source address.
* Change lower limit for reject_delay to 0.5s.  Apparently
  some NASes will panic and go crazy with a 1s reject_delay.
* Rate limit complaints when limiting new connections.
* Update raddb/certs/Makefile to support DER output.
* Elapsed statistics for packets do not include proxy timers,
  which helps clarify where any issues are.  The total time
  is still available by adding "our" time to the "proxy" time.
* Added kafka module.  See mods-available/kafka.
* json module can now print dates as integers.
  See mods-available/json
* The debug output now points to the online documentation in
  many cases, when there are syntax errors in the configuration.
* Add support for 389ds password hashes.  Patch from Gerald Vogt.
* reject_delay does not _add_ a delay, but instead ensures that
  the reject is delayed for _at least_ that time.  This change
  means that reject_delay can be set in more situations, including
  for proxies.
* Add delay_proxy_rejects.  By default, proxied rejects are not
  delayed.  Setting this flag means that reject_delay is applied
  to proxied rejects, too.
* The proxy_rate_limit module can now be listed in the
  "authorize" section.
* Update dpsk module to be faster, and be easier to configure
  with databases.  See mods-available/dpsk

Bug fixes
* Move assertion in thread / queue code, which only affects
  debug builds.
* Update CRL checks to avoid crash in some cases.
* More tweaks to the TEAP code.
* Allow building when OpenSSL is missing PSK.
* Move assertion so that it isn't triggered when the incoming
  queue is full, and the server is blocked.
* Fix crash when multiple certs are used along with
  CRL distribution points.
* Fix typo in rlm_cache which could cause crashes.
* Be more forgiving about '%' in strings.
* Move assertion in threading code.
* Fixes to interaction with python interpreter
* Don't crash when setting client hostname in RADIUS/TLS.
* Ignore ".dpkg*" and ".rpm*" files when loading configuration
  directories.  Package managers can leave these around.
* Complain more loudly if all of the "authorize" etc. sections
  have been removed, but the server is still configured to
  process Access-Request packets.
* Use OCIStmtPrepare2 to prepare Oracle queries.
* Allow dynamic clients with TCP listeners.
@
text
@$NetBSD: patch-src_main_stats.c,v 1.1 2024/07/24 14:28:05 manu Exp $

From upstream
https://github.com/FreeRADIUS/freeradius-server/commit/3a9449539e4c5a74c85685cad6abe6edf412f701

From 3a9449539e4c5a74c85685cad6abe6edf412f701 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@@freeradius.org>
Date: Wed, 10 Jul 2024 09:29:39 -0400
Subject: [PATCH] ignore home server "ping" packets.  Fixes #5363

---
 src/main/stats.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/main/stats.c b/src/main/stats.c
index 29f2c48f4b9c..64cbafea931f 100644
--- ./src/main/stats.c.orig
+++ ./src/main/stats.c
@@@@ -95,6 +95,14 @@@@ void request_stats_final(REQUEST *request)
 
 	if ((request->options & RAD_REQUEST_OPTION_STATS) != 0) return;
 
+	/*
+	 *	This packet was originated by the server, and not
+	 *	received from a client.  It's a status-server or home
+	 *	server "ping" packet.  So we ignore it for statistics
+	 *	purposes.
+	 */
+	if (!request->packet) return;
+
 	/* don't count statistic requests */
 	if (request->packet->code == PW_CODE_STATUS_SERVER) {
 		return;
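Review bot: The comment added above `if (!request->packet) return;` describes where the request came from but never states the condition being tested. It should say that a server-originated request has no `request->packet` (the pointer is NULL), since that is what makes the `request->packet->code` dereference in the check directly below unsafe without this guard. The comment also names "status-server" as one of the cases, while the following statement still tests for PW_CODE_STATUS_SERVER on its own, so it would help to spell out which Status-Server packets are caught by the new early return and which by the existing check.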
@


1.1
log
@Update freeradius to 3.2.5, with mitigations for BlastRADIUS

FreeRADIUS 3.2.5 Tue 09 Jul 2024 12:00:00 UTC urgency=high
        Configuration changes
        * BlastRADIUS mitigations have been added to the "security"
          section.  See "require_message_authenticator" and also
          "limit_proxy_state".
        * BlastRADIUS mitigations have been added to radclient.
          See "man radclient", and the "-b" option.

        Feature improvements
        * TOTP now supports TOTP-Time-Offset for tokens with times that
          are out of sync.  See mods-available/totp
        * radclient now supports forcing the Request Authenticator and ID
          for Access-Request packets.
        * Update dictionary.3gpp.
        * Update advice on shared secrets, including suggesting a secure
          method for generating useful secrets.

        Bug fixes
        * Allow proxying by pool / home server name to work with auth+acct servers
        * Fix OpenSSL API usage which sometimes caused crash in MS-CHAP
          Previously it would either always crash immediately, or never crash.
        * Fix packet statistics.  Stop double counting some packets,
          and track packet statistics even if a socket is closed.
        * Reverted patch in TTLS which broke compatibility with some systems.
        * Don't crash in debug mode when multiple intermediate certs are used
          Patch from Alexander Chernikov.
@
text
@d1 1
a1 1
$NetBSD$
@

