doc/ChangeLog

FreeRADIUS 3.0.14 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
	Feature improvements
	* Enforce TLS client certificate expiration on
	  session resumption, and Session-Timeout.
	* Updated dictionary.cisco.vpn3000, dictionary.patton
	* Added dictionary.dellemc
	* Lowered the log output for failed PEAP sessions.
	* ALlow utc in rlm_date.  Patch from
	  Peter Lambrechtsen.
	* The internal OpenSSL session cache has been
	  disabled.  Please see mods-available/eap
	* Update detail reader documentation.
	  Patch from Matthew Newton.  Fixes #1973.

	Bug fixes
	* radtest uses Cleartext-Password for EAP, not
	  User-Password.
	* Update documentation for mods-enabled/ linking.
	* Enhanced checks for moonshot salt.  Fixes #1933.
	* Allow session resumption for RadSec connections.
	  Fixes #1936.
	* Update "huntgroups" file to note that port ranges
	  are not supported.
	* Fix OpenSSL permissions issues on default key files.
	  Fixes #1941.
	* Certificates are not required when PSK is used.
	* Allow SubjectAltName as first extension in cert.
	  Fixes #1946.
	* Fixed talloc issue with TLS session resumption.
	  Fixes #1980.
	* "&Attr-26 := 0x01" now produces useful error messages.
	* Handle connection error in rlm_ldap_cacheable_groupobj.
	  Fixes #1951.
	* Fix endian issues in DHCP.
	* Multiple minor fixes for Coverity complaints.
	* Handle unexpected regex.  Fixes #1959.
	* Fix minor issues in dictionaries.
	* Fix typos and grammar.  Patches from Alan Buxey.
	* Fix erroneous VP creation in rlm_preproces.
	* Fix MIB.  Patch from Jeff Gehlbach.
	* Trust router updates from Alejandro Perez.
	* Allow build with LibreSSL.  Fixes #1989
	* Use correct packet for channel bindings.  Fixes #1990.
	* Many fixes found by PVS-Studio.  Thanks to PVS-Studio
	  for giving us a test license.  Please see the git commit
	  history for more information.

FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
	Feature improvements
	* Add dictionary.rfc7930.  Note that we do not implement
	  the RFC.
	* Added 'cipher_server_preference' to mods-available/eap
	  Patch from #1797.
	* OpenSSL 1.1.0 compatibility fixes.
	* rlm_perl: radiusd::xlat to evaluate xlat string
	  within perl script
	* Allow authentication retry in winbind. Patch from
	  Herwin Weststrate. See raddb/mods-available/mschap.
	* Added "recv-coa" method to rlm_rest.  It behaves the
	  same as "authorize".
	* Document Trust Router tr_port option.  Patch from
	  Stefan Paetow.
	* Update elasticsearch/logstash examples so that they work
	  with elastic stack v5.  Patch from Matthew Newton.
	* Print information about packets, replies, and contents
	  in the detail file reader.
	* Update abfab-tr policy.  Pull request #1893
	  from Stefan Paetow.
	* Reject packets which contain User-Password and
	  EAP-Message.
	* Add example for filtering Access-Challenge.
	  See sites-enabled/default.
	* Pull symlink fixes from v4.0.x.  Fixes #1859.
	* Add systemd reload.  Not everything is reloaded, but
	  some is.  Fixes #1662.
	* Better documentation for listen "ipaddr".  Fixes #1921
	* Add dictionary.cnergee, updated dictionary.nomadix.
	* radclient no longer needs -x to print statistics with -s.

	Bug fixes
	* Minor typos.  Fixes #1763
	* Fix typo in RPM build.  Closes #1767.
	* rlm_mschap check for password expiry only
	  if password was correct.  Fixes #1762.
	* Update debian build.
	* update rlm_counter "man" page.  Fixes #1775.
	* Remove erroneous assert.  Fixes #1778.
	* fix mschap password change test.  Fixes #1792.
	* Cleanup config file on data remove.  Fixes #1795.
	* passwd module returns "notfound" if not found.
	* Check for old OpenSSL, and don't build rlm_eap_fast
	  if it necessary.  Fixes #1803
	* Cleanup memory better after ldap version query.
	  Patch from Aleksey Katargin.
	* Rename lt_* functions to avoid linker issues with
	  libtool.  Fixes #1277
	* Many miscellaneous fixes and typos.
	* Allow long strings in %{%{foo} bar:-%{baz} blah".
	  Fixes #1866
	* Fix filtering operators, along with more documentation and
	  more tests for them.
	* Fix OpenSSL fixes.  Fixes #1876.
	* Finish SQL select queries even when SELECT returns no rows.
	  Fixes #1879.
	* Set Module-Failure-Message for more EAP errors.
	* Correct typo in dictionary.rfc5580.  Fixes #1882
	* Remove obselete systemd syslog.target.
	* Client-Port-Balance load-balancing now uses client port.
	* Radrelay examples fixed from Alex Clouter.
	* Update systemd target.  Pull request #1896.
	* Trim starting whitespace in xlat strings.
	* Get MySQL result lengths using normal API.
	* suid down after fchown().  Fixes #1914.
	* Fix cases of comparing pointer to NUL character.  Fixes #1915.
	* OpenSSL v1.1 fixes.  Pull request #1921.
	* Better Handle v4/v6 host names.  Pull request #1919.
	* Remove "Auth-Type = System" from docs and examples.
	* Don't crash on malformed %{home_server}.  Fixes #1922
	* fix erroneous use of talloc destructor in rlm_eap
	* Issue trigger modules.sql.fail.  Fixes #1923
	* Document python_path gotcha's.  Fixes #1845
	* dlopen() the specific version of Python.  Fixes #1592

FreeRADIUS 3.0.12 Thur 29 Sep 2016 13:00:00 EDT urgency=medium
	Feature improvements
	* Add support for =~ and !~ in update sections.
	  See "man unlang"
	* Add dictionary.checkpoint.
	* Simultaneous-Use prints out more information.
	* Print WARNING in debug mode when packets may be
	  truncated.
	* Added expansions %{home_server:state} and
	  %{home_server_pool:state}, which show the
	  state of the server / pool.
	* Mark rlm_sql_freetds as stable.
	* Make rlm_perl less fragile.  Patch from
	  Herwin Weststrate.
	* Allow extended attributes to have "encrypt=2"
	* Update dictionary.aruba.
	* Add support for EAP-FAST.  This is an isolated
	  feature which does not affect anything else.
	* Update OpenSSL vulnerability list.  Use a version
	  of OpenSSL released after September 20, 2016.
	* EAP certificate verification is now done when
	  "verify" is enabled and "ocsp" is disabled.
	* New dhcpclient and rlm_rad_counter man pages.
	* Minor abfab and moonshot additions.
	* Pass CFLAGS through from environment in RPM builds.
	  Allows more custom builds.
	* Build with Heimdal in addition to libkrb5.

	Bug fixes
	* Use correct typedef for older versions of sqlite.
	* Update mssql schema to add priority
	* Don't complain on /dev/urandom in ldap
	* Fix == operator in update sections
	* Don't create DHCP strings with many trailing zeros.
	  Patch from Nicolas C.  Fixes #1526.
	* Allow MS-CHAP change passwords instead of complaining
	  on large buffer.
	* Allow assignment or equality operator on SQL.
	* Update aclocal tests for FreeBSD 10.  Patches from
	  Mathieu Simon.
	* Remove occasional hang in rlm_linelog.
	* Copy VSAs to inner tunnel for TTLS and PEAP.
	  Fixes #1544
	* A few minor bugfixes caught in v3.1.x cleanup, and
	  back-ported to v3.0.x.
	* do_not_respond again works in post-proxy
	* Allow realm "~^.*$" {} and User-Name with no realm.
	* Fix leak when creating unknown attributes
	* Fix Debian / logrotate.
	* Make OpenSSL error functions thread-safe.
	* Fix crash with rlm_sql and updating SQL-User-Name.
	* Debian build updates.
	* Allow regular expression comparisons in radclient
	  fixes #1574.
	* Fix memory leak on unknown attributes in detail file
	  reader.
	* Update example paths in "man" pages when installing
	  them
	* Build fixes for rlm_mschap.  Fixes #1489.
	* BSD build fixes.  Patch from issue #1583.
	* Be more careful about /lib/ when building.
	  Fixes #1585.
	* Correct ifdef placement error.  Fixes #1572.
	* Allow for more files in internal "exfile" API
	  So it will be possible to open more than 64
	  "detail" files at the same time.
	* Remove support for statically built EAP modules.
	  Fixes #1591.
	* Many fixes to rlm_python from Guillaume Pannatier.
	* Use correct week adjustment in SQLcounter.
	  Fixes #1608
	* Minor fixes to allow compilation without DHCP,
	  VMPS, or TCP.
	* Fix checks for module / config file change on HUP.
	* Compile regex comparisons when sent via
	  "debug condition".  Fixes #1632.
	* Update filenames in documentation and examples.
	  Patch from Alan Buxey, #1655.
	* Don't crash if SQL connection becomes unavailable.
	  Fixes #1640.
	* Disallow originate_coa when proxy_requests = no
	  Fixes #1684.
	* Free rad_perlconf_hv in correct perl context.
	  Fixes #1675.
	* Multiple fixes for Debian builds.  #1510, among
	  others.
	* Set OpenSSL FIPS compatibility flag when necessary.
	* Pulled fixes for the build system over from other
	  branches.
	* Fix OCSP for RADIUS over TLS.
	* Fix skip_if_ocsp_ok behavior.
	* Better fixes for systems without closefrom() but
	  which have /proc.  Fixes #1757.
	* Minor build fixes back-ported from v4.0.x.
	* build --whout-ascend-binary.  Fixes #1761.
	* Be more aggressive about not opening new connections
	  in debug mode after CTRL-C.  Address #1604.

FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
	Feature improvements
	* "unlang" comparisons of IP addresses to IP prefixes
	  are now detected, and types automatically cast.
	* Allow shorthand form of ipv4prefix values e.g. 127/8.
	* Add "auto_chain" to raddb/mods-available/eap, tls
	  subsection.  This allows the disabling of OpenSSL
	  auto-chaining of certificates.  Which might be wrong.
	* Added printing of coa and disconnect stats (radmin).
	* radclient defaults to expecting Access-Accept responses
	  to Status-Server.
	* Updated dictionary.lancom, dictionary.starent.
	* Portability fixes for Solaris.
	* More errors from ntlm_auth gets passed to MS-CHAP.
	* Update abfab-tr-idp virtual server.
	* Added "filter_password" in policy.d/filter.  This
	  removes embedded zero bytes in User-Password, for
	  compatibility with broken clients.
	* The server now issues a WARNING message if duplicate
	  configuration items are found.
	* TLS can skip the "verify" section if OCSP returns OK.
	  See raddb/mods-available/eap, "skip_if_ocsp_ok".
	* Set TLS-OCSP-Cert-Valid = yes / no / skipped, which
	  is the result from the OCSP check.
	* Interoperate with AD and "LmCompatibiltyLevel = 5",
	  by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for
	  native winbind in rlm_mschap.
	* TTLS and PEAP now require "virtual_server" to be a real server.
	* Print WARNING when TTLS or PEAP identities are spoofed
	  or not properly anonymized.  See RFC 7542 for requirements.
	* Various rlm_python fixes from Herwin Weststrate.
	* Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
	  which is useful when the home server does not respond.
	* elasticsearch updates from Matthew Newton

	Bug fixes
	* Fix issue where field nas_type would not be accessible via
	  the %{client:} xlat, for clients loaded from SQL.
	* Fix compatiblity issues with OpenSSL 1.0.2.  Ignore
	  calls to msg_callback with 'pseudo' content types.
	* Data type "ipv4prefix" is parsed correctly.
	* Use correct talloc context in rlm_exec.  Fixes #1338.
	* Complain in unlang if "else" is used with no previous
	  "if" or "elsif".
	* Send accounting status packets to the accounting port.
	  Fixes #1364.
	* Print out CFLAGS when doing "radiusd -Xxv"
	* Fixed bug with coa/acct stats value #1339. Based on patch from
	  Jorge Pereira.
	* Fixes for LEAP proxying.  Don't use LEAP!
	* Fix issue with "directory already exists" seen when doing
	  "make install".
	* Fixed bug with radmin related to the option "stats detail <filename>"
	* Complain if the detail file reader does not have permission
	  to read the "detail.work" file.  Fixes #1398
	* Fixed SoH. Attributes were not being copied to the virtual server.
	* Used a wrong list to global statistics in "stats".
	* Create EAP-PWD identity correctly.  Prevents segfaults.
	* Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
	* Fix includes in installed headers.
	* OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly.
	  See raddb/mods-available/eap, "disable_tlsv1_2"
	* Allow password change to work for MS-CHAP.  This requires 'r=0',
	  because password changes are not retries.
	* Fix home server fail-over for home servers using TCP and/or RadSec.
	* Special characters in expanded regexes are now escaped
	  e.g. User-Name containing '.', and comparing /%{User-Name}/,
	  the '.' will now be escaped.  See src/tests/keywords/regex-escape.
	* Use correct authentication vector when sending Access-Reject replies
	  for RadSec.
	* Set FreeRADIUS-Proxied-To in TTLS again.  You should use the
	  "inner-tunnel" virtual server, instead of relying on this attribute.
	* Fix debugging constants in rlm_perl.  Patch from Herwin Weststrate.
	* Add samba-dev / samba4-dev to debian builds so that rlm_mschap can
	  automatically use the new winbind API.
	* Automatically skip zero-length attributes when sending packets,
	  instead of erroring out.

FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
	Feature improvements
	* Do more optimization of unlang policies.  This makes
	  run-time a bit faster.
	* Re-name most of the functions in src/lib.  Third-party
	  module authors will have to do the same.
	* More documentation on contributing and how to write
	  modules.
	* Update radiusd.service for systemd.
	* Open IPv6 proxy socket if the server is listening on IPV6
	  auth / acct / coa packets.
	* Create debian packages for DHCP.  Fixes #1125.
	* Add more tests for "update" section parsing.
	* Update "man" pages.
	* Update attributes for Alcatel 7750
	* Add dictionary for Boingo Wi-Fi
	* Add support for DHCP lease queries.
	  See raddb/sites-available/dhcp
	* On HUP, check all modules for config files which have
	  changed.  And only re-load those modules.
	* Allow FreeRADIUS-Response-Delay(-USec) to be set for
	  RADIUS packets.  Patch from Herwin Weststrate.
	* Documentation fixes from Alan Buxey and Matthew Newton.
	* Update "logrotate" script.
	* Added more RFCs to doc/rfc for new standards implemented
	  by FreeRADIUS.
	* Don't crash when doing "radmin -e "help hup".
	  Patch from Matthew Newton.
	* The dictionary parser now does more sanity checks, which
	  prevents run-time problems with invalid attributes.
	* Update debian packages.  Patches from Christopher Hoskin.
	* Many other debian packaging fixes from Matthew Netwon
	  and Herwin Weststrate.
	* Add "session-state" to Perl.  Patch from Herwin Weststrate.

	Bug fixes
	* Fix rlm_files so that there are no collisions when loading
	  10's of 1000's of users.
	* Fix radclient to use our internal v4/v6 parsing functions.
	  v6 addresses with ports now work correctly.
	* Fix sending/receiving packet messages to wrap v6 addresses
	  in square brackets '[]'.
	* Check for sasl/sasl.h when building rlm_ldap, and disable
	  SASL functionality if unavailable.
	* Fix issue which caused a non \0 terminated buffer to be
	  assigned to attributes if the value being assigned contained
	  an invalid escape sequence.
	* Fix deadlock when reconnecting connections in the connection
	  pool.
	* Fix potential overrun in functions that used fr_utf8_char
	  with a non nul terminated buffer.
	* Fix decoding issue for Tunnel-Password type attributes
	  which were very long.  Found by Denis Andzakovic.
	* Fix radclient issue with TCP sockets on FreeBSD.
	* The server now creates ${run_dir} and ${logdir} directories
	  in daemon mode, when running as "root".
	* Handle tags when using maps.  Fixes #1191.
	* Fix crash when CoA packets time out.
	* Fix parse error in rediswho
	* Fix regex support in SQL radcheck the "users" file and radsniff.
	* Register listen xlat earlier, so that it's available when the
	  virtual servers are being parsed.
	* Parse Ascend-Data-Filter when given as "0x..."
	* Print Ascend-Data-Filter correctly.  Add test cases for both.
	* Allow old-style clients again.  They will be disallowed for
	  3.1.0 and following.
	* Complain instead of crash when "else" and "elsif" are in
	  the wrong place.
	* Clean up memory more aggressively.  This lowers the
	  maximum memory used, most typically for TLS based EAP methods.
	* Prevent the server from unlinking the control socket of an
	  already running instance.
	* Fallback to using the configured OCSP URL if one exists, and
	  no URL is provided in the certificate.
	* Return CoA-NAK if proxying CoA fails.  Based on patch from
	  Jorge Pereira.
	* Lower peak memory usage by decreasing size of internal
	  memory pools.
	* The control socket is now left in place if a second copy
	  of the server is accidentally started.
	* Allow virtual attributes in "switch", "case", etc.
	  Fixes #1240 and #1265.
	* Many spell check / typo fixes in comments and example
	  configuration files.
	* Better handle multiple DHCP listeners.
	* Don't print secrets for old-style realms.  Fixes #1267.
	* Don't fall through in empty "case" statements.
	  Fixes #1274.
	* Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
	* Always delete MS-MPPE-* from the TTLS inner tunnel. This allows
	  TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
	* Fix off by one error that caused some MSCHAP-Error messages to
	  be sent without the password change version (V=3) and the textual
	  message component (M=).
	* Always include C= V= and M= in MSCHAPv2 errors.  RFC 2759 does not say
	  that any of these fields are optional, and not including V= caused
	  errors with wpa_supplicant.
	* Do not include M= in MSCHAPv1 errors.  It's not supported.

FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
	Feature improvements
	* Make "pool" configurations more consistent, and
	  update documentation for them.
	* Move connection pool logic to "most recently started",
	  instead of MRU.  This should help with pool stability.
	* More VSAs for 3GPP2
	* Added examples of multi-value attributes to rlm_perl.
	* LDAP-Group and SQL-Group attributes are now dynamically
	  allocated.
	* Only the "sql" module registers SQL-Group.  Other instances
	  register "instance-name-SQL-Group", similarly to "ldap".
	* Unknown attributes are now complained about more often
	  when used in unlang statements.  e.g. if (Foo-Bar == 3)
	  used to be a string to string comparison.  It is now a
	  parse error.
	* Rename RLM_COMPONENT_* to MOD_* in the code.
	  This makes many things easier.
	* Move to C99 initializers for modules.
	* Load modules in raddb/mods-enabled.  This allows attributes
	  like "LDAP-Group" to be used in the "files" module,
	  without explicit ordering or listing in "instantiate".
	* Added 'bootstrap' section to modules.  Third-party modules
	  will need to be updated.
	* When adding clients from a DB, add them to a virtual server
	  if that virtual server has a "listen" section.  Otherwise,
	  add the clients to the global list.
	* When reading dynamic clients from a file, don't expire them
	  if the underlying file is unchanged.
	* Allow the server to originate CoA requests from the post-auth
	  stage.
	* The server creates ${run_dir} and ${logdir} in daemon mode,
	  if they do not already exist.
	* Add dictionary for Wi-Fi Alliance Hotspot 2.0.  The server
	  now supports all mandatory and optional attributes for this
	  specification.
	* HUP now re-loads the configuration only if the files have
	  changed.  If all files are unchanged, HUP re-opens the
	  log file, and does nothing else.
	* Much better debug messages for EAP-TLS, including which
	  attributes are cached, and when they are retrieved.
	* Increase default max_requests to 16384.  Memory is cheap now.
	* Added "stats memory" commands to radmin.  Debug build only.
	* Aptilo controller dictionary updates.
	* SQL modules now use Acct-Unique-Session-Id everywhere.
	* The redis modules are now stable.
	* The LDAP module now supports SASL "interactive bind" method.
	  This allows Kerberos based administrator and user binds.
	* DHCP code is now in libfreeradius-dhcp.
	* More DHCP encoding / decoding unit tests.
	* rlm_replicate can now be listed in the "accounting" section.
	* Better sqlite debugging output.
	* Remove "required" option from many sql_ippool directives.
	* Set default CA "basic constraints" to "critical".  Fixes #1073
	* Updates to help / man pages from Jorge Pereira.
	* Added more tests.

	Bug fixes
	* Be more careful about unused config item warnings
	  when using -Xx.
	* Move more defines to be auto-generated.
	* Allow virtual servers in proxy fallback.
	* Allow %{module:} to work.
	* Don't crash in RadSec.  Closes #980.
	* Return better errors when a unix group / user
	  is not found.
	* Re-enable detail module "locking" parameter.
	* Don't crash when logging replies from Status-Server packets.
	* The couchbase module now uses "update" instead of "map",
	  for consistent with the rest of the server.  See
	  raddb/mods-available/couchbase
	* Don't require NT-Password for MS-CHAP password changes.
	* Be a bit more careful about decrypting MS-CHAP-MPPE-Key
	  attributes. Closes #1013.  There is no perfect fix, tho.
	* Fix security issues with EAP-PWD.
	  See http://freeradius.org/security.html#eap-pwd-2015
	* Fix dynamic clients read from SQL in non-debug mode
	* MS-CHAP now allows retries (i.e. password change) when
	  passwords are expired.
	* Allow "user=radiusd" when the server is already user
	  "radiusd"
	* suid up/down works on non-Linux systems.  This means
	  that the control socket should have the correct
	  ownership.
	* Fix issue which caused the server to sometimes have problems
	  when a home server was marked zombie.
	* Fix format.pl because Perl is now more picky.
	* Fix proxy to Packet-Dst-IP-Address, so that it uses the
	  correct destination port.
	* Fix corner case with cursor functions and removal.
	* OpenDirectory fixes and documentation.
	* Fix leaks in rlm_redis.
	* RFC 6929 "evs" attributes are now encoded / decoded
	  properly.
	* Fix talloc pool leaks when receiving malformed or
	  retransmitted Accounting/CoA requests.
	* Printed attributes again use double quotes instead of
	  single quotes.
	* Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl"
	  to eap.conf.  Fixes oCert CVE-2015-4680.
	* rlm_expr now errors out correctly on malformed attribute
	  references instead of triggering an assert.
	* Make "break" work in "foreach" loops
	* Allow dynamic expansions to work again in the "hints" file.
	* Correct minor typos in comments and examples from Alan Buxy.
	* Re-urlencode the path portion of ldapi:// urls before
	  passing it to ldap_initialise.

FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
	Feature improvements
        * Allow syslog_severity to be set in rlm_linelog.
	* Allow defaults to be set for bulk clients in LDAP and couchbase.
	* Updates to dhcpclient.  Patches from Nicolas C.
	* rlm_mschap now supports direct connections to winbind, which
	  is faster than ntlm_auth.  See raddb/mods-available/mschap.
	  Patch from Matthew Newton.
	* Recommend /dev/urandom for TLS randomness, instead of
	  ${certdir}/random
	* Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
	* Allow Expanded EAP types where vendor is 0 (IETF) and
	  type is normal EAP type.  Supplicants sending Expanded
	  EAP types like this are broken.
	* Add support for server side sort controls when searching for
	  user objects in rlm_ldap.

	Bug fixes
	* Don't complain about "authorize" in "server {}" blocks, but
	  only if there's no "server" block.
	* Fix cosmetic issue where debug from the first packet read by
	  a detail reader thread would be emited during config parsing.
	* Fix ASSERT on truncated detail packets.
	* Don't use main server log functions from within panic_action,
	  as in the case of syslog this would cause deadlocks if the
	  fault was triggered from within a malloc.
	* Fix issue in "switch" when "correct_escapes = false".
	  Fixes #911.
	* Fix sqlcounter configuration to use "%%b" instead of "%b",
	  otherwise the new syntax validation will fail.
	* Allow forward references in configuration items.  Modules
	  aren't always loaded in a sane order.
	* Fix more escaping issues.  Closes #912.
	* Decode MAC addresses correctly for VMPS.
	* Fix memory leak with TLS connections.
	* Fix state machine threading issues for conflicting packets.
	* Fix copy_request_to_tunnel issues for tagged attributes.
	* Allow "ok" to over-ride "updated" inside of Auth-Type sections.
	* Update state machine so that post-proxy is run though child
	  threads for performance, instead of blocking the main thread.
	* Allow "netmask" to work again in client definitions.
	* Relax restrictions on SQL group queries.
	* track outgoing proxy sockets and clean them up more aggressively.
	* track proxy statistics, including CoA and Disconnect.
	* If radmin has a connection failure when running a command,
	  it re-connects and runs the command again.
	* mark home servers "unknown" less aggressively.
	* Fix potential SEGV in PostgreSQL driver on error.
	* Fix issue where fields like nas_type would not be accessible via
	  the %{client:} xlat, for dynamic clients.
	* Set default busy_timeout (of 200ms) in the sqlite driver, so writes
	  don't cause selects to fail in multithreaded mode. This is user
	  configurable, and may be increased if required.
	* Convert Password-With-Header attributes to binary (from hex or
	  base64), in the authorize method of rlm_pap.
	* Fix invalid assert in state.c, that could cause abort in
	  post-auth.
	* Fix double free when -m flag is used, and connection pools are
	  referenced by multiple modules.
	* RADIUS over TLS accounting uses the same port as authentication.
	* Regularized return codes from radmin commands.
	* Fix RHEL spec file so it works correctly for Centos7 which uses
	  systemd, and didn't like the SystemV init script.
	* radwho and radlast now have a -D option to load dictionaries
	* DHCP packets are no longer checked for duplicates.
	* Don't crash in sql module group comparisons in corner case.
	* Calculate MPPE keys correctly when using TLS 1.2.
	* Fix load-balance sections.  Closes #945
	* TLS certificates are available again in the post-auth section.
	  They are not available for session resumption.
	* radclient encodes CHAP-Password properly when using -c.
	  Closes #955.
	* Fix issue in rlm_cache_memcached driver that caused variable
	  length values to be truncated.
	* Fix track functionality in detail reader, so it no longer
	  fails with a "Failed marking detail request as done: Bad file
	  descriptor" error.
	* Actually add the peer identity (as User-Name) to the inner
	  tunnel in EAP-PWD requests, so it's available for lookups.
	* Fixes to PostgreSQL queries.  Patches from Santiago Gimeno.

FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
	Feature improvements
	* Allow coa home_servers to be derived from client
	  sections if a coa_server section is provided.
	* Automatically determine the correct port if no port is
	  provided for a home server.
	* Allow foreach to operate over lists.
	* Add compile time features to ${feature.*} and versions
	  of core libraries to ${version.*}.  Feature and version
	  names match output of radiud -xv. %v is now deprecated.
	* Add support for PATCH method in rlm_rest.
	* Validate more module xlats on startup, and warn if an
	  xlat expansion is found in a double quoted config item
	  which will not be expanded.
	* Add support for sub-second timeouts in rlm_rest.
	* Add support for connection timeouts in rlm_rest.
	* Add %{jsonquote:<str>} xlat to escape strings for insertion
	  into json documents.
	* Add %{ldapquote:<str>} xlat to escape strings for insertion
	  into ldap DNs.
	* Add %{explode:&ref <char>}, splits value of &ref on
	  <char> and creates new &ref type attributes with the
	  fragments.
	* Allow rlm_ldap to use attribute references for base_dn and
	  filter config items. The attribute references are not
	  escaped, allowing DNs and filters to be created dynamically.
	* Add %{nexttime:[<int>]h|d|w|y} to calculate the number of
	  seconds before the next <int> hour(s), day(s), week(s),
	  or year(s).
	* Allow the left side of update sections to be xlat expansions.
	  The result of the expansion is then used to reference the
	  attribute to be modified.
	* Added %{lpad:&Attribute-Name 7 x} and rpad.  These produce
	  fixed-width output strings, with padding to the left (lpad)
	  or the right (rpad).
	* For some SQL drivers (MySQL, sqlite) distinguish between
	  constraints violations (on insert), invalid queries, and
	  server errors, and return noop, invalid, and error respectively.
	* Call SHOW WARNINGS in the MySQL driver and write them to
	  the request log, if libmysqlclient indicates warnings are
	  available on the server.
	* Forbid the creation of Vendor-Specific for non-standard
	  VSAs.  Use Attr-26 = 0x... instead.
	* Make dhcpclient work with raw sockets and various other
	  improvements - Contributed by nchaigne
	* Add support for SSHA2 - Contributed by PDD.
	* Add perle dictionary - Contributed by Hachmer
	* Modernise init scripts for RHEL, SUSE and Debian.
	* radmin now tracks the return code of commands, and exits
	  with status "1" if any command failed to execute.
	* radmin now sends error messages from the server to
	  stderr, instead of to stdout.
	* radmin now looks for sockets matching it's UID and GID,
	  rather than just always using the first one it finds.
	* radmin can how delete clients which are tied to a listener.
	* Moved RADIUS attribute definitions to src/include/rfc*.h
	* Move to talloc pools for requests.  For in-memory tests
	  (default config, 'users' file), performance increases by 30%.
	* In rlm_ldap allow sasl_mech to be specified for admin and
	  user binds. Only non-interactive mechs (like EXTERNAL)
	  are currently supported.
	* Remove support for ephemeral RSA keys.  They were "export only",
	  and should not be used by anyone.
	* Syntax errors in the "users" file now produce better
	  error messages.

	Bug fixes
	* Fix issues parsing LDAP hostnames with non-standard ports.
	* Fix issues with realms containing regular expressions.
	* Allow unary negation before parantheses in rlm_expr.
	* Fix infinite loop in kevent event loop code. Issue only
	  presented on FreeBSD.
	* Be more careful to define Auth-Types before loading modules.
	* Link libfreeradius-radius against OpenSSL too, to avoid
	  multi-version symbols in SSL libraries.
	* When rlm_ldap rebinds a connection, it should use bind
	  credentials from the module that created the connection
	  pool, not credentials from the module referencing it.
	* Empty server config pairs should be allowed in rlm_ldap
	  instances that reference another module's connection pool.
	* Mark rlm_always as huppable, so its rcode can be changed
	  via radmin (allows policy toggles).
	* Emit warnings when ignoring user configured pool values.
	* Fix issue that would cause radclient to complain
	  intermittently about differing numbers of filters and
	  requests.
	* Fix cosmetic issues in connection pool logging, that made
	  it appear as if the same connection was being opened
	  multiple times.
	* Fix threadsafety issues in SQL drivers, where a static
	  buffer was used to store error messages.
	* Log RERROR, RWARN, RINFO to the global log if request
	  logging is not enabled.
	* Link to libldap instead of libldap_r. libldap_r
	  is not supported for use by projects outside of OpenLDAP.
	* Set connection timeout correctly in rlm_sql_mysql.
	* Build with older versions of libcurl, and use CFLAGS from
	  curl-config.
	* Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
	* Initialise ldapai_info_version field, so libldap will report
	  its vendor and version.
	* Fix log rotation scripts by using the copyrotate option.
	* Fix issue that caused opening control sockets to always
	  fail on non-Linux systems, if a user or group was set.
	* Save Session-State after proxying.
	* Additional fixes for reading CoA/DM requests from detail
	  files.
	* Create dynamic clients if the dynamic clients virtual server
	  returns ok *or* updated. Emit useful messages for other codes.
	* Compile bare "authorize" statements, and issue errors saying
	  using them isn't a good idea.

FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium
	Feature improvements
	* radmin / raddebug conditional errors are printed
	  to the output, instead of being discarded.
	* raddebug will exit if condition set with -c was invalid.
	* radmin auto-reconnects if the connection to the server
	  has gone away.
	* rlm_cache now has submodule support.  See
	  raddb/mods-available/cache
	* New memcached driver for rlm_cache. See
	  raddb/mods-available/cache
	* Add support for &Attribute-Name[*] in conditions.
	  See "man unlang" for details.
	* Add &Attribute-Name[n] which gets the last instance
	  of an attribute e.g. Module-Failure-Message[n].
	* Allow for redundant string expansions.  See the
	  "instantiate" section of radiusd.conf.
	* When checking IP addresses in conditions, make the
	  right side be parsed as an IP prefix.
	* Support JIT compilation of compiled regular expressions
	  when built with libpcre.
	* Support named capture groups with "%{regex:<name>}"
	  when built with libpcre.
	* Increase regular expression capture groups from 8 to 32.
	* Emit error markers for badly formed regular expressions.
	* Allow 'm' flag to enable multiline mode in regular
	  expressions.
	* Support limited implicit attribute conversion in update
	  sections.
	* Support casting between IPv6 and IPv4 where the IPv6
	  address has the v4/v6 mapping prefix (::ffff:).

	Bug fixes
	* PEAP works again.  As does proxying EAP-MSCHAPv2
	  from inside of a PEAP tunnel.
	* "group" is allowed inside of "instantiate" sections.
	* update disconnect {} with
	  disconnect:Packet-Dst-IP-Address now works correctly.
	* Regular expression comparisons of non string attributes
	  are now disallowed in the files module.  Previously
	  they would silently fail or produce undefined behaviour.
	* Fix parsing of old regular expressions.  Closes #842
	* Fix off by one error in ascend filters.  Closes #843.
	* Handle NT-Hash in rlm_pap.  This allows passwords to
	  have backslashes in them.
	* Fix infinite loop on "Fall-Through = yes" when
	  processing SQL groups.
	* Correct the check of SQL query return code.
	* Run "Post-Auth-Type Reject" if the request was rejected
	  in post-auth
	* Write "Login OK" only if the post-auth section passed.
	* Create TLS-Cert-* certificates, even when EAP session
	  caching is disabled.
	* Finalize the "correct_escapes" with many more tests.
	* Move to the new OpenLDAP libldap API, fixes more issues
	  with binary values.
	* Fix potential memory corruption in rlm_ldap if start
	  connections were set to 0, and the server was running
	  in threaded mode. The fix is a workaround for an issue
	  in libldap and was suggested by Howard Chu.
	* Give parse errors on "%{...", without the closing brace.
	* Allow spaces in certificate passwords for build rules
	  in raddb/certs//
	* Make all regular expression evaluation binary safe.
	  Where that's not possible, emit an error if the pattern
	  or subject contains an embedded null byte.
	* Fix various issues around masking IPv6 addresses.
	* Give descriptive error if unknown attributes are used
	  in "update" sections.
	* Deal with cases where ldap_initialize isn't available
	  gracefully, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium
	Feature improvements
	* Large update to Huawei dictionary.
	* Added dictionary.rfc7155
	* Regular expressions like /%{User-Name}/ are now parsed
	  and validated when the server starts.
	* All configuration items which are dynamically expanded
	  are now parsed and validated when the server starts.
	* %{expr:...} expressions can now do bit shifting and more.
	  See raddb/mods-available/expr.
	* The detail file reader can now track packets which have
	  had replies, so they are never re-transmitted.  See
	  raddb/sites-available/buffered-sql, the "track" config item.
	* CoA and Disconnect packets can now be sent to a specific
	  home server by setting control:Packet-Dst-IP-Address and
	  (optionally) control:Packet-Dst-Port.
	* Allow CoA and Disconnect packets to be read from the
	  detail file.
	* Allow LDAP to specify arbitrary attributes for dynamic
	  clients.
	* Convert all unused attributes in the control: list to config
	  pairs in dynamic clients. This allows arbitrary client
	  attributes to be set for dynamic clients too.
	* rlm_couchbase now supports bulk loading of clients on startup
	  in a similar way to rlm_ldap. Contributed by Aaron Hurt.
	* Allow one level of backslashes (finally).  See radiusd.conf,
	  "correct_escapes" setting.
	* Rename dictionary.redback to dictionary.ericsson.ab
	* Add --disable-openssl-version-check option to configure.
	  So vendors can disable the check.  Patch from
	  Nikolai Kondrashov.
	* Do context-specific indenting in debug messages.  This makes
	  the debug output easier to read.
	* Make configuration a separate RPM, just like for Debian.
	* better decoding of unknown VSAs
	* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
	  in EAP methods.
	* Allow multiple new connections to be spawned simultaneously
	  in the connection pool, to cope with spikes in traffic.
	* Document retry_delay in connection pools.
	* Allow checksimul in rlm_couchbase.
	* Use kqueue on systems which support it.  This allows for
	  better scaling when using many sockets.

	Bug fixes
	* Parse list qualifiers in generic LDAP 'valuepair_attribute'
	  attributes correctly.
	* Fix issue where prefix length would be ignored for dynamic
	  or static clients if the address matched INADDR_ANY
	  (0.0.0.0).
	* Allow null user object filter in rlm_ldap, it's valid to
	  specify a complete object DN and use the base scope.
	* Don't SEGV if a received attribute value in a JSON structure
	  is null, or a value can't be stringified.
	* Don't assert if the server returns a JSON content-type and
	  the server hasn't been built with support for JSON.
	  Closes #808.
	* Set CURLOPT_NOSIGNAL to prevent curl from handling signals
	  and causing a longjmp error when the server was running with
	  threads.
	* Allow tabs after attribute names in the "users" file.
	  Closes #796.
	* Free unknown DICT_ATTRs.  Closes #795
	* Handle unknown attributes in the conditions and "update"
	  sections.  e.g. Attr-1.2.3.4 = foo.
	* Use correct array size for MS-CHAP new password.
	* In rlm_rest, check for older versions of libraries at start
	  time, rather than when a packet comes in.
	* Don't call detach on parse error in rlm_perl.  Closes #802.
	* Integer fixes for big-endian systems.  Closes #803.
	* Don't optimize %{Packet-Src-IP-Address}.  Closes #804.
	* dhcpclient loads dictionaries correclty.  Closes #805.
	* double quotes are no longer escaped in single-quoted
	  strings.  e.g. 'foo "hello" bar'.
	* Fixes for proxying to virtual servers broke the detail file
	  reader.  Now they both work.
	* Typos and fixes from Nikolai Kondrashov.
	* Fixes to OpenSSL version checks, for cross-platform issues.
	* cppcheck fixes from Herwin Weststrate.
	* Fix build for OSX Yosemite
	* Merge DHCP sub-options.  Closes #812.
	* Fix decoding of Starent attributes.
	* When a module asks for a connection, don't return idle
	  connections.
	* LDAP connection timeouts will now retry, instead of failing.
	* Prevent race conditions between fork and wait for child.
	  Patch from James Rouzier.
	* Fix triggers for connection pools.  Patches from
	  Nikolai Kondrashov.
	* Fix SEGV when comparing non string type check items.
	* Build with newer versions of libmysqlclient.
	* make the %{escape:} and %{unescape:} xlat functions UTF8
	  safe.
	* Don't escape UTF8 chars in SQL query strings.
	* Fix issue in cached LDAP group comparisons, which caused
	  checks to sometimes fail.
	* Fix use after free issue in unlang switch evaluation.
	* Respect operators in rlm_cache when merging into the current
	  request.
	* Update Cache-Entry-Hits each time rlm_cache is called.
	* Produce WARN messages if SQL queries are empty strings.
	* Fix invalid assertion when proxying CoA requests.
	* Allow empty strings in "case" statements.  Closes #836.
	* Normalize escaping for string expansions.  i.e. don't do
	  double escaping in rare situations.
	* Normalize LDAP escaping.  LDAP servers have multiple ways
	  to escape things, so the data has to be normalized before
	  we can compare two LDAP DNs.
	* Don't go to high debug level if we're proxying inner EAP
	  as EAP.  Closes #839.
	* Fix rlm_rest state handling.  Closes #835.

FreeRADIUS 3.0.4 Wed 10 Sep 2014 12:00:00 EDT urgency=medium
	Feature improvements
	* Home server "response_window" can now take fractions of a
	  second.  See proxy.conf.
	* radmin now supports "show module status", as thee counterpart
	  to "set module status"
	* Added dictionary ericsson.packet.ccore.networks, bluecoat,
	  citrix, compatible, riverbed, ruckus, and RFC 7268.
	* Add %{tag:} expansion to get the tag value of an attribute.
	* Report 'application_name' in connections to PostgreSQL servers.
	  FreeRADIUS connections will now appear as
	  'FreeRADIUS <version> - <name>' in pg_stat_activity.
	* All config item fields are now type checked at compile time
	  to prevent issues similar to #634 occuring again.
	* Modify pairparsevalue to deal with embedded NULLs better,
	  and use the binary versions of attribute values in rlm_ldap.
	* "ipaddr" will now use v6 if no v4 address is present.  You should
	  use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
	* The above applies to "listen", "home_server", and "client" sections.
	* "client" sections will allow "ipaddr = 192.192.0/24".  The old
	  "netmask" is still accepted, but the new format is preferred.
	* Allow custom HTTP headers to be set for rlm_rest requests using
	  control:REST-HTTP-Header (attributes consumed after use).
	* Extend format of %{rest:} expansion to allow HTTP method and POST
	  data to be specified
	  e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
	* Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions
	  for signing data in requests.
	* rlm_cache now consumes its control attributes to make runtime
	  configuration easier.
	* Add control:Cache-Read-Only which when set to 'yes' will make the
	  cache module merge existing cache data, but not create new entries.
	* Add %{unescape:} and %{urlunquote:} expansions to reverse escaping
	  and urlquoting.
	* Add support for aliases in rlm_ldap.
	* Add support for connection pool sharing to all modules that use
	  the connection pool (pool = <instance>).
	* "tls" sections now have a "psk_query" configuration item, for dynamic
	  queries to discover a key from a PSK identity.
	* Preliminary support for EAP channel bindings.
	* Foundational work for dynamic home servers.  They do not yet work,
	  but this is now only a matter of updating the "realm" module in
	  a future release.
	* Support &attr[*] syntax to copy all instances of an attribute when
	  used with the += operator in an update section. May be qualified with
	  a tag.
	* The logintime and expiration modules can now be listed in the
	  post-auth section.  This makes some configurations simpler.
	* Allow comparison of integer attributes of different sizes,
	  without requiring a cast.
	* rlm_sqlippool is now IPV6 capable.  Set "ipv6 = yes" to get
	  Framed-IPv6-Prefix returned.  The SQL queries have NOT been updated.
	  Please submit patches.
	* The debian build now checks for the OpenSSL package with the heartbleed
	  fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
	* allow bootstrap from multiple files in sqlite driver.

	Bug fixes
	* make case-insensitive regular expressions work again, and add tests
	  for them.
	* A few more talloc parenting issues
	* Fix delayed proxy reply handling.  Closes #637
	* Fix OpenSSL initialization order when using
	  RADIUS/TLS.  Fixes #646
	* Don't double-quote strings in debugging messages
	* Fix foreach / break.  Fixes #639
	* Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and
	  ADSL-Agent-Remote-Id should be "octets" types in the default
	  dictionary.
	* Fix typo in mainconfig.  Fixes #634
	* More rlm_perl fixes.  Fixes #635
	* Free OpenSSL memory on clean exit.
	* Fix <attr>[0] !* ANY - Was removing all instances of <attr>
	* Fix case where multiple attributes were returned from RHS of
	  mapping, as with rlm_ldap. Fixes #652
	* Fix corner case in cursor where using fr_cursor_next_by_da
	  after calling fr_cursor_remove may of resulted in a read of
	  uninitialised memory.
	* Don't SEGV if all connections to a database server go away.
	  Fixes #651.
	* Fix issue where <attr> -= <value> was not removing tagged
	  instances of <attr> equal to <value> (only untagged).
	* Fix issue where tag values were not being set on attributes
	  created with unlang/ldap update blocks.
	* Create rlm_sqlcounter attributes as integer64 types instead
	  of integer types, so large counter values can be specified.
	* Fix issue where specifying a dynamic client IP addresss using
	  FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix
	  may have caused a validation error.
	* Don't print two "&" for messages about attribute or list
	  references in debug output.
	* Fix urlquote and escape to encode Unicode characters correctly.
	* Fix redundant-load-balance blocks to try other modules in
	  the group if one fails.
	* Fix issue with rlm_pap password normalisation where
	  'known good' password strings stored in octets type attributes,
	  would be sometimes misnormalised as base64.
	* Don't stop processing DHCP options if we find a 0x00 padding
	  option.
	* Fix issue where modifying the value of an attribute created
	  from a template with a literal value, may have resulted in the
	  template literal being freed.
	* Fix parenting issues in tls code which may have resulted in
	  memory corruption and crashes.
	* Fix issue in radsniff where writing to PCAP files and using
	  -R response filters, where the requests would still be written
	  to the PCAP for non matching responses.
	* Define __APPLE_USE_RFC_2292 so that the server builds with IPv6
	  support on OSX.
	* Fix LDAP group lookups for named rlm_ldap instances.
	  Note that attribute references should be used when
	  checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
	* Delayed attribute references can now be used in unlang
	  existence checks.  i.e. if (&Attribute-Name) { ... }
	* Fix issues in EAP-PWD.  CVE-2014-4731, CVE-2014-4732, and
	  CVE-2014-4733.  There is no external authentication bypass.
	* Fix a number of uses of the talloc parent/child reference.
	* Release connection used for reading bulk clients in rlm_ldap.
	* rlm_rest is now fail-safe if it's used without any configuration
	* Pull in build fixes for FreeBSD from ports.
	* Fix error in sqlite postauth query
	* Evaluate argument to "switch" statements once, instead of for each
	  "case" statement.
	* Define sig_t on systems without it.  Closes #765.
	* Fix boundary issue with rlm_rest.  Closes #768
	* Optimize "%{Attribute-Name}" in comparisons only if the dictionary
	  types match.
	* Don't do chmod() in rad_mkdir() if the directory already exists.
	  We might not have permission to change it.
	* Use getpwnam_r() and getgrnam_r() on systems which support it.
	  Closes #775.
	* Clients loaded from SQL are now tied to the "listen" section
	  of a virtual server, instead of being global.
	* Check for -lpcre.  The system might have pcre.h without -lpcre.
	* When proxying to a virtual server, use the proxy_reply instead
	  of ignoring it.
	* Fixed typos in DHCP SQL IPPool.
	* Fix crash when passing multiple arguments to Perl xlat.

FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
	Feature improvements
	* Everything now builds with no warnings from the C compiler,
	  clang static analyzer, or cppcheck.
	* rlm_ldap now supports defining the LDAP attribute name via
	  backticked expansion (i.e. shell command) in
	  RADIUS <-> LDAP mappings.
	* rlm_ldap now supports older style generic attributes.
	* dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed
	  when the server starts.  Syntax errors in the strings
	  are caught, and a descriptive error is printed.
	* Static regular expressions (e.g. /a*b/) are now parsed
	  when the server starts.  Syntax errors in the strings
	  are caught, and a descriptive error is printed.
	* dynamic expansions are cached after being parsed.  They are
	  no longer re-parsed at run-time for every request.
	* regular expressions are now parsed and cached when the server
	  starts.
	* Added the %{rest:} expansion to rlm_rest, which will send
	  a GET request to the URL passed as the format string.
	  Any body text will be written to the expansion buffer.
	* rlm_rest now available as a debian package.
	* When an 'if' condition statically evaluates to true/false,
	  unlang does more static optimization.  For examples, see
	  src/tests/keywords/if-skip
	* All modules are marked as safe for '-C', which lets the
	  dynamic expansion checks work in more situations.
	* Added 'none' and 'custom' rlm_rest body types. 'custom'
	  allows sending of arbitrary expanded text and content-type
	  headers.
	* Added "config" section to Perl.  See mods-available/perl
	* Added '%v' which expands to the server version - Patch
	  from Alan Buxey.
	* more mis-matched casts are caught in "if" conditions,
	  and descriptive errors are printed.
	* Support basic response validation in radclient. This allows
	  administrators to write local test cases for their
	  site-specific configurations.
	* Removed radconf2xml and radmin "show client config" and
	  "show home_server config".
	* Forbid running with vulnerable versions of OpenSSL.
	  See "allow_vulnerable_openssl" in the "security"
	  subsection of "radiusd.conf"
	* Catch underlying "heartbleed" problem, so that nothing bad
	  happens even when using a vulnerable version of OpenSSL.
	* Add locking API for sql_null, linelog, and detail modules,
	  which should improve performance and work around issues
	  on platforms with bad file locking.
	* Allow DHCP NAKs to be delayed, via setting
	  reply:FreeRADIUS-Response-Delay = 1
	* Allow tag and array references anywhere attributes
	  are allowed in "unlang".
	* many enhancements to radsniff, including output
	  to collectd, ipv6 support and packet loss statistics.
	* Many dictionary updates (ZTE, Brocade, Motorola).
	* rlm_yubikey now automatically splits passwords from OTP
	  strings.
	* The detail file reader is now threaded by default.
	  This should improve performance reading the files.

	Bug fixes
	* Fix xlat expression %{attribute[n]} so that it actually
	  returns the n'th attribute instead of the first one.
	* Don't parse string on RHS of update {} when using unary
	  operators (!*).  The RHS should always be ignored.
	* Check for more optional functions in json-c so we can
	  Build with libjson0, which is the name of the json-c package
	  on debian/ubuntu.
	* Fix issue in radmin where the main dictionaries would
	  not be loaded which, depending on the configuration, may
	  have caused validation errors.
	* Fix handling of "%{reply:3GPP-*}"
	* Fix rlm_perl garbage attributes
	* Fix oracle SQL queries, which amongst other things still
	  used the old expansion format, which is no longer
	  supported/parsed.
	* Truncate long format strings and error markers instead of
	  omitting them.
	* Fix multiple attribute parsing in rlm_rest JSON.
	* Don't crash in rlm_rest if connect_uri is commented out
	  in the configuration.
	* Don't double-escape strings to / from Perl.  You may need
	  to double-check your Perl scripts if they use "\" characters.
	  See mods-available/perl for documentation.
	* Don't re-run "authorize" if a home server fails to respond.
	* Don't append "0x" to hex output of octets types, for xlat
	  expansions.  This is the same as v2, and makes it easier
	  to concatenate multiple attributes of type "octets"
	* FreeBSD fixes for execinfo linking.
	* Make some of the module configurations more consistent.
	* Fix corner cases where STDOUT wouldn't be closed in
	  daemon mode.
	* Re-enable "update coa" and originating CoA requests.
	* Prevent multiple threads writing to the sql query logs.
	* Fix zombie period calculation.  Closes #579
	* Properly parent VPs for talloc, when moving them in map2request.
	* Various fixes for talloc parent / child relationships
	* Allow rlm_counter to support VSAs.
	* Normalize return codes for many modules. "do nothing" is noop,
	  not "ok".
	* Run Post-Proxy-Type Fail.  Closes #576
	* Fix DHCP destination port for replies to relays.  Closes #591
	* Do-Not-Respond policy works again  Closes #593
	* Proxy-To-Virtual-Server works again.  Closes #596
	* Build fixes for ancient systems.  Closes #607, #608, #609.
	* %{Module-Return-Code} works again.  Closes #610.
	* Don't increment statistics for Status-Server responses.
	  Closes #612.
	* A duplicate request isn't a duplicate if the original one
	  is marked "done".  This should lower retransmissions from
	  clients.
	* Fix multiple regular expression and glob memory leaks.
	* Don't allocate any memory in fr_fault() as it can cause malloc
	  to deadlock.
	* Temporarily set dumpable flag before calling system in fr_fault()
	  else the debugger may not be able to attach.
	* Set nonblock on all TCP client sockets.
	* Fix minor buffer overrun in mschapv2 where some attribute strings
	  were not correctly \0 terminated.
	* Fix crash on authentication failure with MIT kerberos.
	* Fix code so that octal escape sequences aren't prematurely unescaped
	  in rlm_sql, radclient, preprocess, and other places. This may
	  require configuration changes, as these sequences will no longer
	  need double escaping (\\) of the backslash.
	* The connection pools no longer have one connection used twice
	  in certain rare conditions.
	* Use self pipes for internal signals.  The code was there, but was
	  unused.
	* Don't crash if there are outstanding EAP sessions and were told to
	  exit gracefully.
	* Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
	Feature improvements
	* secret keys and LDAP / SQL passwords are now printed as
	  '<<< secret >>>' in debugging mode.  Use -Xx to see the
	  actual passwords.
	* Print out more information about passwords in -Xx,
	  including hashes, comparisons, etc.
	* Allow cast (and implicit conversion) of integers to IPv4 addresses
	* More xlats allow attribute references.  This means they can
	  operate on binary data.  e.g. expr, base64, md5, sha1.
	* Added more tests.
	* The dictionaries are now auto-loaded.  raddb/dictionary
	  should no longer have $INCLUDE ${prefix}/share/dictionary
	* A "panic_action" can be set to have the server dump a gdb
	  log on SEGV or other fatal error.  See radiusd.conf
	* Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
	* Add "%{sha256:}" and "%{sha512:}" xlat functions.
	* Cache CUI in EAP session resumption.
	* templates can now have sub-sections, which will be included
	  in the section referencing the template.
	* Update more dictionaries.
	* Added more instances of the "always" module, for all return
	  codes.
	* Suppress broken NASes when proxying.  Retransmits which occur
	  more than once per second are rate-limited to once per second.
	* Allow '&' in more xlat expansions.
	* Update PostgreSQL schema and queries to record last updated
	  time, and accounting interim.
	* Optimize more "if" conditions when the server loads.  This will
	  avoid work at run time.  e.g. ("foo" == "bar") --> FALSE.
	* Allow removal of all attributes within a list with !* operator.
	* Allow list to list copies with request qualifiers (outer.).
	* Add support for ipv4 prefixes and ipv6 addresses and prefixes to
	  %{integer:}.
	* allow radmin command "set module status <module> <code>"
	  which can be used to forcibly enable/disable modules.
	* pap module now assumes Cleartext-Password if Password-With-Header
	  doesn't have a {...} header.
	* Added "unpack" module.  It can unpack binary data from horrible
	  VSA formats.  See raddb/mods-available/unpack
	* Added example IP Pool for DHCP, using sqlite.  From Matthew Newton
	  See raddb/mods-config/sql/ippool-dhcp/

	Bug fixes
	* Fix SQL groups.
	* Fix operation of fr_strerror() with RE*() macros.
	* Don't assert if the connection we're trying to reconnect
	  is not in_use.
	* Fix %{mschap:User-Name} xlat.
	* Allow comparisons of signed integers and of ethernet addresses.
	* Fix parsing of text-based ascend binary filters.
	* Fix a few minor Coverity and clang analyzer issues.
	* Log WARNING and ERROR prefixes only once, not twice.
	* Fix attribute truncation seen in Perl and other places.
	* Use correct port when DHCP relaying.
	* Fix behaviour on FreeBSD where sending packets from an interface
	  bound to an IP address would fail when the server was built with
	  udpfromto.
	* Don't abort() when freeing home servers on exit.
	* Fix edge case in pairmove() when some attributes could be over-
	  written.
	* Do checks for individual sqlite v2 functions so rlm_sqlite builds
	  correctly with more versions of the library.
	* In heimdal kerberos, create MEMORY ccaches on a per context basis.
	  This prevents issues with the root ccache being used.
	* Fix corner case with proxying, where home server goes down.
	* Rate-limit "max_requests" complaint.  We don't want to fill the
	  logs when something goes wrong.
	* Use /dev/urandom for raddb/certs/random, if it exists.
	* Issue WARNING that old-style clients should no longer be used.
	* Auto-set secret to "radsec" for tcp+tls home servers.
	* Fix double free in home_server_add when there is a parse error
	  on startup.
	* rlm_unix checks if the dictionaries are broken, instead of crashing
	* Fix potential memory corruption when normalising salted password
	  hashes from hex, where the combined hash and salt was > 64 bytes.
	* Register sqlcounter attributes correctly, and other issues with it
	* treat 127.0.0.1/32 as being identical to 127.0.0.1
	* Don't mangle error output of SQL drivers like PostgreSQL
	* Fix usage of "tls = ${tls}".  It could previously cause problems
	  when the reference was used multiple times.
	* Fix TLS session leak for incoming sockets.
	* Try harder to clean up memory on exit when using "-mM"
	* Fix memory leak when home server is down for RadSec connections
	* rate-limit outgoing connection attempts when the home server
	  is down.  It will retry no more than once per second.
	* When parsing ipv6 address prefixes, always mask off the host
	  portion.
	* Fix rlm_counter so that it does not create two reply
	  attributes.
	* Fix issues with DHCP Sub-TLVs where the value of the first
	  Sub-TLV would appear corrupted, and subsequent TLVs would
	  not appear in debug output.
	* Initialize scope in IP address parsing
	* Prevent vendor attributes and RFC space attributes from clashing
	  in rlm_attr_filter.
	* Set source IP address for DHCP packets from DHCP-Server-IP-Address,
	  or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
	  determine the source IP.
	* Fix POST attribute parsing in rlm_rest.
	* Fix JSON attribute parsing in rlm_rest.
	* Don't append trailing & to POST options in rlm_rest (minor).
	* Process HTTP 100 Continue messages correctly in rlm_rest
	* Fix generation of long > 512 byte POST payloads, where attribute
	  values on the chunk boundary may have been omitted in rlm_rest.
	* Remove duplicate escape sequence parsing in rlm_sqlippool and
	  rlm_sqlcounter which caused issues with escaping %. Escape
	  sequence parsing is now handled purely by the xlat functions.
	* Ensure %% is treated as a string literal, and so not passed to any
	  xlat escape functions for processing.
	* Correct calculation of Message-Authenticator
	  for CoA packets.  Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
	Feature improvements
	* Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
	  So that run-away child processes are caught earlier.
	* Allow TLS clients to use "proto = tls", in which case
	  TLS is required.  The shared secret is then set to "radsec".
	* More documentation in the tls virtual server.
	* Add "date" module for date formatting.
	  See raddb/mods-available/date.
	* Added unit test suite for internal server functionality
	* When loading "update" sections, check if the RHS is a literal
	  value.  If so, syntax check it immediately.
	* Update LDAP module documentation and functionality.
	  The generic attribute can now update lists.
	* Updated dictionary.extreme.
	* Update sqlippool to do clears as a separate transaction,
	  and at most once per second.  This should help MySQL.
	* Respect control:Response-Packet-Type for all types of
	  requests.
	* Add support for SSL encryption to the MySQL driver.
	* Allow arbitrary connection parameters to be used with the
	  PostgreSQL driver.
	* Changes to the OpenLDAP schema to fully expose functionality
	  of the new LDAP module.
	* Update debian packaging to include a freeradius-config
	  package. This package may be provided as a site local
	  package to avoid fighting with the preinstalled config
	  files.

	Bug fixes
	* Use correct field for ARP setting in DHCP.
	* Fix crash on debug condition (#454).
	* Fix a number of minor issues caught by the clang
	  analyzer.
	* Set WARNING messages to yellow instead of normal text.
	* Correct debug colorise logic.  Patch from Phil Mayers.
	* Encode attributes of type "ethernet".  No one uses them,
	  but it makes sense.
	* Work around regex initialization issues.
	* Fix build when linking against OpenSSL.
	* Print IDs as positive numbers, which helps for large DHCP
	  XIDs.
	* Fix issue with sql_ippool.
	* sqlcounter now uses 64-bit counters, to deal with 4G overflow.
	* Fix issues with DHCP subsystem.
	* Don't build / install disabled modules, or their config
	  files.
	* Fix build for OSX Mavericks, which hid the header files
	  in a magical place.
	* Fix LEAP buffer issue.  You should still avoid LEAP.
	* Mark "unknown" WiMAX attributes as being WiMAX.
	* Fix typo in packet decoder for fragmented extended attrs
	* RPM spec fixes.
	* Fix rlm_perl build issues when not using threads.
	* Enable %{Response-Packet-Type} again.
	* Update configuration file parser to handle "bool"
	  consistently.
	* Update declarations of global boolean variables to use
	  "bool" consistently. This fixes an issue where some
	  modules were instantiated in "config check" mode and
	  did not work correctly.
	* Make more messages debug instead of info, to avoid
	  polluting the logs with messages that can't be fixed.
	* Set operator in internal unlang code to suppress spurious
	  warning messages.
	* Fix debian packaging.
	* Added "status" to Debian init script.
	* Fix "update outer.request" to update the outer request.
	* Don't print TLS debugging messages when not in debug mode.
	* Correctly manage counters for "limit" sections of TCP / TLS
	  "listen" sockets.
	* Fix libldap debug output.
	* Fix rlm_ldap tls functionality.
	* Initialise OpenSSL globals early to avoid issues with the
	  PostgreSQL library.
	* Fix typo in sqlcounter expansion code.  Fixes #463
	* Overwrite previous instances of SQL-User-Name when adding
	  it to the request.
	* Work around bugs in both MIT and heimdal versions of
	  krb5_copy_context(), which caused segfaults in
	  multithreaded mode.
	* Provide meaningful error messages if Heimdal krb5 is used.
	* Fix attribute supression in rlm_detail.
	* Exit with error code if child fails to complete server
	  initialisation after forking.  This allows init scripts to
	  correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon  7 Oct 2013 15:48:14 EDT urgency=medium
	Feature improvements
	* Documentation for upgrading from 2.x is in raddb/README.rst
	  Please follow it.  It will make the upgrade easier.
	* Moved configuration entries in radiusd.conf to make more sense.
	* Added the "integer64" and "ipv4prefix" data types.
	* Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
	* Updated internal API to support new attributes and formats
	* Added code to send SNMP Traps.  See raddb/trigger.conf.
	* Added preliminary support for Apple's Grand Central Dispatch
	* Added provisions for raddb/dictionary.local, for local changes.
	  See raddb/dictionary for more details.
	* Added packet/s tracking. See max_pps in the "listen" section.
	* The %{} expansions and "unlang" conditions are now parsed at server
	  start. Descriptive errors are produced for syntax and format errors.
	* Casting is now supported for "unlang" comparisons.  See "man unlang"
	  e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
	* Direct comparison of attribute references is now supported.
	  e.g. &Foo == &Bar.  This avoids stringification of the attributes.
	* Direct assignment of attributes is now supported.
	  e.g. Foo := &Bar.  It also works for "octets" data types.
	* Comparisons of IPv4 and IPv6 prefixes are now supported.
	  The "<" operator means "within the prefix" for comparisons.
	* New sha1 xlat expansion (thanks to Alan Buxey)
	* Colourised log messages when logging to stdout.  Look for yellow
	  warnings and red errors.  Doing this will save you a LOT of grief.
	* If the PCRE library is available, use it (insted of the POSIX
	  functions) to process regular expressions (thanks to Phil Mayers).
	* -xv now displays all the features the server was built with, and
	  the versions of the core libraries (libtalloc, libssl).

	Module Changes
	* Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/,
	  following the examples of other projects.
	* Additional files for each module are now in raddb/mods-config/.
	  See raddb/mods-config/README.rst for documentation.
	* Moved "users" to raddb/mods-config/files/authorize
	* Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
	* Moved eap.conf to mods-available/eap
	* Moved sql.conf to mods-available/sql
	* Moved TLS configuration for EAP into a common subsection.
	  See raddb/mods-available/eap, "tls-config" section.
	* Added for MS-CHAP Change Password from Phil Mayers.
	  See raddb/mods-available/mschap, "passchange" subsection.
	* Added EAP-PWD implementation from Dan Harkins
	* Added connection pools for modules. This unifies connection
	  management which was previously different for different modules.
 	* SQL now uses the connection pool.  See mods-available/sql
	* SQL now supports arbitrary Acct-Status-Types.
	  These changes are not compatible with 2.x.
	* SQL now has full support for SQLite.  See raddb/sql/main/sqlite/
	* SQLite supports auto-creation of new databases on server startup for
	  bootstrapping purposes.
	* LDAP now uses the connection pool.  The LDAP module has been
	  completely re-written for performance and simplicity.
	* LDAP now caches groups.  This makes multiple group checks MUCH
	  faster.
	* Removed all limitations on 253 octet attributes.  RFC 6929 allows
	  for attributes up to 4K in length.
	* New rlm_idn module providing an expansion for performing IDNA encoding
	of internationalized domain names.  Thanks to 'skids'.
	* New rlm_yubikey module to validate yubikey OTP tokens.
	  See raddb/modules/yubikey

	Bug fixes
	* All known bug fixes from 2.2.x are included.
	* Removed "addport" functionality.
	* Removed many unused or duplicate modules.  See raddb/README.rst.

	Internal / API changes:
	* All traces of the old build system have been removed.
	  The new build system is faster and simpler.
	* clang is fully supported.
	* We now use "talloc" for memory management.  A number of new
	  features required this change.  Thanks to the Samba people!
	* Many internal APIs have been updated to use talloc.
	* New API for iterating over VALUE_PAIRs.  This is in preparation
	  for attributes, in version 3.1.
	* No new code should directly modify any field of a VALUE_PAIR.
	* VALUE_PAIRs contain pointers to DICT_ATTR instead of containing
	  attribute and vendor fields.  This will allow nested attributes.
	* Some protocol specific code has been moved out into proto_* modules.
	  More will come in subsequent versions.  See proto_dhcp and proto_vmps.
	* Standardised internal logging macros.  radlog() should not be used.
	  See src/include/log.h
	* Use OpenSSL hashing functions when available.
	* The server now builds with no warnings on most platforms.
	* New RADIUS encoder/decoder, to support new formats.
	* Added RFC 6929 "extended attributes", via the new encoder/decoder.
	* Added full WiMAX support, via the new encoder/decoder.  The old
	  code could not handle some unusual corner cases.