FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
	Feature improvements
	* Everything now builds with no warnings from the C compiler,
	  clang static analyzer, or cppcheck.
	* rlm_ldap now supports defining the LDAP attribute name via
	  backticked expansion (i.e. shell command) in
	  RADIUS <-> LDAP mappings.
	* rlm_ldap now supports older style generic attributes.
	* dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed
	  when the server starts.  Syntax errors in the strings
	  are caught, and a descriptive error is printed.
	* Static regular expressions (e.g. /a*b/) are now parsed
	  when the server starts.  Syntax errors in the strings
	  are caught, and a descriptive error is printed.
	* dynamic expansions are cached after being parsed.  They are
	  no longer re-parsed at run-time for every request.
	* regular expressions are now parsed and cached when the server
	  starts.
	* Added the %{rest:} expansion to rlm_rest, which will send
	  a GET request to the URL passed as the format string.
	  Any body text will be written to the expansion buffer.
	* rlm_rest now available as a debian package.
	* When an 'if' condition statically evaluates to true/false,
	  unlang does more static optimization.  For examples, see
	  src/tests/keywords/if-skip
	* All modules are marked as safe for '-C', which lets the
	  dynamic expansion checks work in more situations.
	* Added 'none' and 'custom' rlm_rest body types. 'custom'
	  allows sending of arbitrary expanded text and content-type
	  headers.
	* Added "config" section to Perl.  See mods-available/perl
	* Added '%v' which expands to the server version - Patch
	  from Alan Buxey.
	* more mis-matched casts are caught in "if" conditions,
	  and descriptive errors are printed.
	* Support basic response validation in radclient. This allows
	  administrators to write local test cases for their
	  site-specific configurations.
	* Removed radconf2xml and radmin "show client config" and
	  "show home_server config".
	* Forbid running with vulnerable versions of OpenSSL.
	  See "allow_vulnerable_openssl" in the "security"
	  subsection of "radiusd.conf"
	* Catch underlying "heartbleed" problem, so that nothing bad
	  happens even when using a vulnerable version of OpenSSL.
	* Add locking API for sql_null, linelog, and detail modules,
	  which should improve performance and work around issues
	  on platforms with bad file locking.
	* Allow DHCP NAKs to be delayed, via setting
	  reply:FreeRADIUS-Response-Delay = 1
	* Allow tag and array references anywhere attributes
	  are allowed in "unlang".
	* many enhancements to radsniff, including output
	  to collectd, ipv6 support and packet loss statistics.
	* Many dictionary updates (ZTE, Brocade, Motorola).
	* rlm_yubikey now automatically splits passwords from OTP
	  strings.
	* The detail file reader is now threaded by default.
	  This should improve performance reading the files.

	Bug fixes
	* Fix xlat expression %{attribute[n]} so that it actually
	  returns the n'th attribute instead of the first one.
	* Don't parse string on RHS of update {} when using unary
	  operators (!*).  The RHS should always be ignored.
	* Check for more optional functions in json-c so we can
	  Build with libjson0, which is the name of the json-c package
	  on debian/ubuntu.
	* Fix issue in radmin where the main dictionaries would
	  not be loaded which, depending on the configuration, may
	  have caused validation errors.
	* Fix handling of "%{reply:3GPP-*}"
	* Fix rlm_perl garbage attributes
	* Fix oracle SQL queries, which amongst other things still
	  used the old expansion format, which is no longer
	  supported/parsed.
	* Truncate long format strings and error markers instead of
	  omitting them.
	* Fix multiple attribute parsing in rlm_rest JSON.
	* Don't crash in rlm_rest if connect_uri is commented out
	  in the configuration.
	* Don't double-escape strings to / from Perl.  You may need
	  to double-check your Perl scripts if they use "\" characters.
	  See mods-available/perl for documentation.
	* Don't re-run "authorize" if a home server fails to respond.
	* Don't append "0x" to hex output of octets types, for xlat
	  expansions.  This is the same as v2, and makes it easier
	  to concatenate multiple attributes of type "octets"
	* FreeBSD fixes for execinfo linking.
	* Make some of the module configurations more consistent.
	* Fix corner cases where STDOUT wouldn't be closed in
	  daemon mode.
	* Re-enable "update coa" and originating CoA requests.
	* Prevent multiple threads writing to the sql query logs.
	* Fix zombie period calculation.  Closes #579
	* Properly parent VPs for talloc, when moving them in map2request.
	* Various fixes for talloc parent / child relationships
	* Allow rlm_counter to support VSAs.
	* Normalize return codes for many modules. "do nothing" is noop,
	  not "ok".
	* Run Post-Proxy-Type Fail.  Closes #576
	* Fix DHCP destination port for replies to relays.  Closes #591
	* Do-Not-Respond policy works again  Closes #593
	* Proxy-To-Virtual-Server works again.  Closes #596
	* Build fixes for ancient systems.  Closes #607, #608, #609.
	* %{Module-Return-Code} works again.  Closes #610.
	* Don't increment statistics for Status-Server responses.
	  Closes #612.
	* A duplicate request isn't a duplicate if the original one
	  is marked "done".  This should lower retransmissions from
	  clients.
	* Fix multiple regular expression and glob memory leaks.
	* Don't allocate any memory in fr_fault() as it can cause malloc
	  to deadlock.
	* Temporarily set dumpable flag before calling system in fr_fault()
	  else the debugger may not be able to attach.
	* Set nonblock on all TCP client sockets.
	* Fix minor buffer overrun in mschapv2 where some attribute strings
	  were not correctly \0 terminated.
	* Fix crash on authentication failure with MIT kerberos.
	* Fix code so that octal escape sequences aren't prematurely unescaped
	  in rlm_sql, radclient, preprocess, and other places. This may
	  require configuration changes, as these sequences will no longer
	  need double escaping (\\) of the backslash.
	* The connection pools no longer have one connection used twice
	  in certain rare conditions.
	* Use self pipes for internal signals.  The code was there, but was
	  unused.
	* Don't crash if there are outstanding EAP sessions and were told to
	  exit gracefully.
	* Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
	Feature improvements
	* secret keys and LDAP / SQL passwords are now printed as
	  '<<< secret >>>' in debugging mode.  Use -Xx to see the
	  actual passwords.
	* Print out more information about passwords in -Xx,
	  including hashes, comparisons, etc.
	* Allow cast (and implicit conversion) of integers to IPv4 addresses
	* More xlats allow attribute references.  This means they can
	  operate on binary data.  e.g. expr, base64, md5, sha1.
	* Added more tests.
	* The dictionaries are now auto-loaded.  raddb/dictionary
	  should no longer have $INCLUDE ${prefix}/share/dictionary
	* A "panic_action" can be set to have the server dump a gdb
	  log on SEGV or other fatal error.  See radiusd.conf
	* Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
	* Add "%{sha256:}" and "%{sha512:}" xlat functions.
	* Cache CUI in EAP session resumption.
	* templates can now have sub-sections, which will be included
	  in the section referencing the template.
	* Update more dictionaries.
	* Added more instances of the "always" module, for all return
	  codes.
	* Suppress broken NASes when proxying.  Retransmits which occur
	  more than once per second are rate-limited to once per second.
	* Allow '&' in more xlat expansions.
	* Update PostgreSQL schema and queries to record last updated
	  time, and accounting interim.
	* Optimize more "if" conditions when the server loads.  This will
	  avoid work at run time.  e.g. ("foo" == "bar") --> FALSE.
	* Allow removal of all attributes within a list with !* operator.
	* Allow list to list copies with request qualifiers (outer.).
	* Add support for ipv4 prefixes and ipv6 addresses and prefixes to
	  %{integer:}.
	* allow radmin command "set module status <module> <code>"
	  which can be used to forcibly enable/disable modules.
	* pap module now assumes Cleartext-Password if Password-With-Header
	  doesn't have a {...} header.
	* Added "unpack" module.  It can unpack binary data from horrible
	  VSA formats.  See raddb/mods-available/unpack
	* Added example IP Pool for DHCP, using sqlite.  From Matthew Newton
	  See raddb/mods-config/sql/ippool-dhcp/

	Bug fixes
	* Fix SQL groups.
	* Fix operation of fr_strerror() with RE*() macros.
	* Don't assert if the connection we're trying to reconnect
	  is not in_use.
	* Fix %{mschap:User-Name} xlat.
	* Allow comparisons of signed integers and of ethernet addresses.
	* Fix parsing of text-based ascend binary filters.
	* Fix a few minor Coverity and clang analyzer issues.
	* Log WARNING and ERROR prefixes only once, not twice.
	* Fix attribute truncation seen in Perl and other places.
	* Use correct port when DHCP relaying.
	* Fix behaviour on FreeBSD where sending packets from an interface
	  bound to an IP address would fail when the server was built with
	  udpfromto.
	* Don't abort() when freeing home servers on exit.
	* Fix edge case in pairmove() when some attributes could be over-
	  written.
	* Do checks for individual sqlite v2 functions so rlm_sqlite builds
	  correctly with more versions of the library.
	* In heimdal kerberos, create MEMORY ccaches on a per context basis.
	  This prevents issues with the root ccache being used.
	* Fix corner case with proxying, where home server goes down.
	* Rate-limit "max_requests" complaint.  We don't want to fill the
	  logs when something goes wrong.
	* Use /dev/urandom for raddb/certs/random, if it exists.
	* Issue WARNING that old-style clients should no longer be used.
	* Auto-set secret to "radsec" for tcp+tls home servers.
	* Fix double free in home_server_add when there is a parse error
	  on startup.
	* rlm_unix checks if the dictionaries are broken, instead of crashing
	* Fix potential memory corruption when normalising salted password
	  hashes from hex, where the combined hash and salt was > 64 bytes.
	* Register sqlcounter attributes correctly, and other issues with it
	* treat 127.0.0.1/32 as being identical to 127.0.0.1
	* Don't mangle error output of SQL drivers like PostgreSQL
	* Fix usage of "tls = ${tls}".  It could previously cause problems
	  when the reference was used multiple times.
	* Fix TLS session leak for incoming sockets.
	* Try harder to clean up memory on exit when using "-mM"
	* Fix memory leak when home server is down for RadSec connections
	* rate-limit outgoing connection attempts when the home server
	  is down.  It will retry no more than once per second.
	* When parsing ipv6 address prefixes, always mask off the host
	  portion.
	* Fix rlm_counter so that it does not create two reply
	  attributes.
	* Fix issues with DHCP Sub-TLVs where the value of the first
	  Sub-TLV would appear corrupted, and subsequent TLVs would
	  not appear in debug output.
	* Initialize scope in IP address parsing
	* Prevent vendor attributes and RFC space attributes from clashing
	  in rlm_attr_filter.
	* Set source IP address for DHCP packets from DHCP-Server-IP-Address,
	  or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
	  determine the source IP.
	* Fix POST attribute parsing in rlm_rest.
	* Fix JSON attribute parsing in rlm_rest.
	* Don't append trailing & to POST options in rlm_rest (minor).
	* Process HTTP 100 Continue messages correctly in rlm_rest
	* Fix generation of long > 512 byte POST payloads, where attribute
	  values on the chunk boundary may have been omitted in rlm_rest.
	* Remove duplicate escape sequence parsing in rlm_sqlippool and
	  rlm_sqlcounter which caused issues with escaping %. Escape
	  sequence parsing is now handled purely by the xlat functions.
	* Ensure %% is treated as a string literal, and so not passed to any
	  xlat escape functions for processing.
	* Correct calculation of Message-Authenticator
	  for CoA packets.  Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
	Feature improvements
	* Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
	  So that run-away child processes are caught earlier.
	* Allow TLS clients to use "proto = tls", in which case
	  TLS is required.  The shared secret is then set to "radsec".
	* More documentation in the tls virtual server.
	* Add "date" module for date formatting.
	  See raddb/mods-available/date.
	* Added unit test suite for internal server functionality
	* When loading "update" sections, check if the RHS is a literal
	  value.  If so, syntax check it immediately.
	* Update LDAP module documentation and functionality.
	  The generic attribute can now update lists.
	* Updated dictionary.extreme.
	* Update sqlippool to do clears as a separate transaction,
	  and at most once per second.  This should help MySQL.
	* Respect control:Response-Packet-Type for all types of
	  requests.
	* Add support for SSL encryption to the MySQL driver.
	* Allow arbitrary connection parameters to be used with the
	  PostgreSQL driver.
	* Changes to the OpenLDAP schema to fully expose functionality
	  of the new LDAP module.
	* Update debian packaging to include a freeradius-config
	  package. This package may be provided as a site local
	  package to avoid fighting with the preinstalled config
	  files.

	Bug fixes
	* Use correct field for ARP setting in DHCP.
	* Fix crash on debug condition (#454).
	* Fix a number of minor issues caught by the clang
	  analyzer.
	* Set WARNING messages to yellow instead of normal text.
	* Correct debug colorise logic.  Patch from Phil Mayers.
	* Encode attributes of type "ethernet".  No one uses them,
	  but it makes sense.
	* Work around regex initialization issues.
	* Fix build when linking against OpenSSL.
	* Print IDs as positive numbers, which helps for large DHCP
	  XIDs.
	* Fix issue with sql_ippool.
	* sqlcounter now uses 64-bit counters, to deal with 4G overflow.
	* Fix issues with DHCP subsystem.
	* Don't build / install disabled modules, or their config
	  files.
	* Fix build for OSX Mavericks, which hid the header files
	  in a magical place.
	* Fix LEAP buffer issue.  You should still avoid LEAP.
	* Mark "unknown" WiMAX attributes as being WiMAX.
	* Fix typo in packet decoder for fragmented extended attrs
	* RPM spec fixes.
	* Fix rlm_perl build issues when not using threads.
	* Enable %{Response-Packet-Type} again.
	* Update configuration file parser to handle "bool"
	  consistently.
	* Update declarations of global boolean variables to use
	  "bool" consistently. This fixes an issue where some
	  modules were instantiated in "config check" mode and
	  did not work correctly.
	* Make more messages debug instead of info, to avoid
	  polluting the logs with messages that can't be fixed.
	* Set operator in internal unlang code to suppress spurious
	  warning messages.
	* Fix debian packaging.
	* Added "status" to Debian init script.
	* Fix "update outer.request" to update the outer request.
	* Don't print TLS debugging messages when not in debug mode.
	* Correctly manage counters for "limit" sections of TCP / TLS
	  "listen" sockets.
	* Fix libldap debug output.
	* Fix rlm_ldap tls functionality.
	* Initialise OpenSSL globals early to avoid issues with the
	  PostgreSQL library.
	* Fix typo in sqlcounter expansion code.  Fixes #463
	* Overwrite previous instances of SQL-User-Name when adding
	  it to the request.
	* Work around bugs in both MIT and heimdal versions of
	  krb5_copy_context(), which caused segfaults in
	  multithreaded mode.
	* Provide meaningful error messages if Heimdal krb5 is used.
	* Fix attribute supression in rlm_detail.
	* Exit with error code if child fails to complete server
	  initialisation after forking.  This allows init scripts to
	  correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon  7 Oct 2013 15:48:14 EDT urgency=medium
	Feature improvements
	* Documentation for upgrading from 2.x is in raddb/README.rst
	  Please follow it.  It will make the upgrade easier.
	* Moved configuration entries in radiusd.conf to make more sense.
	* Added the "integer64" and "ipv4prefix" data types.
	* Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
	* Updated internal API to support new attributes and formats
	* Added code to send SNMP Traps.  See raddb/trigger.conf.
	* Added preliminary support for Apple's Grand Central Dispatch
	* Added provisions for raddb/dictionary.local, for local changes.
	  See raddb/dictionary for more details.
	* Added packet/s tracking. See max_pps in the "listen" section.
	* The %{} expansions and "unlang" conditions are now parsed at server
	  start. Descriptive errors are produced for syntax and format errors.
	* Casting is now supported for "unlang" comparisons.  See "man unlang"
	  e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
	* Direct comparison of attribute references is now supported.
	  e.g. &Foo == &Bar.  This avoids stringification of the attributes.
	* Direct assignment of attributes is now supported.
	  e.g. Foo := &Bar.  It also works for "octets" data types.
	* Comparisons of IPv4 and IPv6 prefixes are now supported.
	  The "<" operator means "within the prefix" for comparisons.
	* New sha1 xlat expansion (thanks to Alan Buxey)
	* Colourised log messages when logging to stdout.  Look for yellow
	  warnings and red errors.  Doing this will save you a LOT of grief.
	* If the PCRE library is available, use it (insted of the POSIX
	  functions) to process regular expressions (thanks to Phil Mayers).
	* -xv now displays all the features the server was built with, and
	  the versions of the core libraries (libtalloc, libssl).

	Module Changes
	* Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/,
	  following the examples of other projects.
	* Additional files for each module are now in raddb/mods-config/.
	  See raddb/mods-config/README.rst for documentation.
	* Moved "users" to raddb/mods-config/files/authorize
	* Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
	* Moved eap.conf to mods-available/eap
	* Moved sql.conf to mods-available/sql
	* Moved TLS configuration for EAP into a common subsection.
	  See raddb/mods-available/eap, "tls-config" section.
	* Added for MS-CHAP Change Password from Phil Mayers.
	  See raddb/mods-available/mschap, "passchange" subsection.
	* Added EAP-PWD implementation from Dan Harkins
	* Added connection pools for modules. This unifies connection
	  management which was previously different for different modules.
	* SQL now uses the connection pool.  See mods-available/sql
	* SQL now supports arbitrary Acct-Status-Types.
	  These changes are not compatible with 2.x.
	* SQL now has full support for SQLite.  See raddb/sql/main/sqlite/
	* SQLite supports auto-creation of new databases on server startup for
	  bootstrapping purposes.
	* LDAP now uses the connection pool.  The LDAP module has been
	  completely re-written for performance and simplicity.
	* LDAP now caches groups.  This makes multiple group checks MUCH
	  faster.
	* Removed all limitations on 253 octet attributes.  RFC 6929 allows
	  for attributes up to 4K in length.
	* New rlm_idn module providing an expansion for performing IDNA encoding
	of internationalized domain names.  Thanks to 'skids'.
	* New rlm_yubikey module to validate yubikey OTP tokens.
	  See raddb/modules/yubikey

	Bug fixes
	* All known bug fixes from 2.2.x are included.
	* Removed "addport" functionality.
	* Removed many unused or duplicate modules.  See raddb/README.rst.

	Internal / API changes:
	* All traces of the old build system have been removed.
	  The new build system is faster and simpler.
	* clang is fully supported.
	* We now use "talloc" for memory management.  A number of new
	  features required this change.  Thanks to the Samba people!
	* Many internal APIs have been updated to use talloc.
	* New API for iterating over VALUE_PAIRs.  This is in preparation
	  for attributes, in version 3.1.
	* No new code should directly modify any field of a VALUE_PAIR.
	* VALUE_PAIRs contain pointers to DICT_ATTR instead of containing
	  attribute and vendor fields.  This will allow nested attributes.
	* Some protocol specific code has been moved out into proto_* modules.
	  More will come in subsequent versions.  See proto_dhcp and proto_vmps.
	* Standardised internal logging macros.  radlog() should not be used.
	  See src/include/log.h
	* Use OpenSSL hashing functions when available.
	* The server now builds with no warnings on most platforms.
	* New RADIUS encoder/decoder, to support new formats.
	* Added RFC 6929 "extended attributes", via the new encoder/decoder.
	* Added full WiMAX support, via the new encoder/decoder.  The old
	  code could not handle some unusual corner cases.
