Hello community,

here is the log from the commit of package freeradius-server for 
openSUSE:Factory checked in at 2026-01-14 16:23:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/freeradius-server (Old)
 and      /work/SRC/openSUSE:Factory/.freeradius-server.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "freeradius-server"

Wed Jan 14 16:23:24 2026 rev:100 rq:1327153 version:3.2.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/freeradius-server/freeradius-server.changes      
2024-08-22 18:13:24.502003566 +0200
+++ 
/work/SRC/openSUSE:Factory/.freeradius-server.new.1928/freeradius-server.changes
    2026-01-14 16:23:58.239143570 +0100
@@ -1,0 +2,47 @@
+Wed Jan  7 04:28:44 UTC 2026 - William Brown <[email protected]>
+
+- Add freeradius-server-directoryName-subjectAltNames.patch
+
+-------------------------------------------------------------------
+Wed Jan  7 04:24:06 UTC 2026 - William Brown <[email protected]>
+
+- update to 3.2.8
+  Configuration changes
+  * Replace dictionary.infinera with the correct one.
+  * Update dictionary.alteon
+
+  Feature improvements
+  * Add support for automated fuzzing. This doesn't affect normal operations, 
but it does allow for testing of the RADIUS decoder.
+  * Allow tagged attributes to use :V as a tag in some cases. The tag is then 
read from the value which is being assigned to the attribute. This 
functionality is allowed in 'update' sections, including 'update' in module 
configurations. See mods-available/ldap for an example.
+  * Add kafka module. See mods-available/kafka.
+  * Allow &control:Packet-SRC-IP-Address to be used when proxying needs a 
given source address.
+  * Change lower limit for reject_delay to 0.5s. Apparently some NASes will 
panic and go crazy with a 1s reject_delay.
+  * Rate limit complaints when limiting new connections.
+  * Update raddb/certs/Makefile to support DER output.
+  * Elapsed statistics for packets do not include proxy timers, which helps 
clarify where any issues are. The total time is still available by adding "our" 
time to the "proxy" time.
+  * json module can now print dates as integers. See mods-available/json
+  * The debug output now points to the online documentation in many cases, 
when there are syntax errors in the configuration.
+  * Add support for 389ds password hashes. Patch from Gerald Vogt.
+  * reject_delay does not add a delay, but instead ensures that the reject is 
delayed for at least that time. This change means that reject_delay can be set 
in more situations, including for proxies.
+  * Add delay_proxy_rejects. By default, proxied rejects are not delayed. 
Setting this flag means that reject_delay is applied to proxied rejects, too.
+  * The proxy_rate_limit module can now be listed in the "authorize" section.
+  * Update dpsk module to be faster, and be easier to configure with 
databases. See mods-available/dpsk
+
+  Bug fixes
+  * Move assertion in thread / queue code, which only affects debug builds. 
Fixes #5512.
+  * Update CRL checks to avoid crash in some cases. Fixes #5515
+  * More tweaks to the TEAP code.
+  * Allow building when OpenSSL is missing PSK. Fixes #5520
+  * Move assertion so that it isn't triggered when the incoming queue is full, 
and the server is blocked. Fixes #5512
+  * Fix crash when multiple certs are used along with CRL distribution points. 
Fixes #5515
+  * Fix typo in rlm_cache which could cause crashes. Fixes #5522
+  * Be more forgiving about '%' in strings. Fixes #5525.
+  * Move assertion in threading code.
+  * Fixes to interaction with python interpreter
+  * Don't crash when setting client hostname in RADIUS/TLS. Fixes #5552
+  * Ignore .dpkg* and .rpm* files when loading configuration directories. 
Package managers can leave these around.
+  * Complain more loudly if all of the "authorize" etc. sections have been 
removed, but the server is still configured to process Access-Request packets.
+  * Use OCIStmtPrepare2 to prepare Oracle queries. Fixes #5540
+  * Allow dynamic clients with TCP listeners.
+
+-------------------------------------------------------------------
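Review bot: The newest entry, "Add freeradius-server-directoryName-subjectAltNames.patch", names the file but not its purpose or upstream status. The next person rebasing onto a later 3.2.x release cannot tell from it whether the patch is still needed. Suggest one line stating that it exposes directoryName subjectAltName entries from client certificates as TLS-* attributes, and where the patch was submitted or taken from.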

Old:
----
  freeradius-server-3.2.5.tar.bz2
  freeradius-server-3.2.5.tar.bz2.sig

New:
----
  freeradius-server-3.2.8.tar.bz2
  freeradius-server-3.2.8.tar.bz2.sig
  freeradius-server-directoryName-subjectAltNames.patch

----------(New B)----------
  New:
- Add freeradius-server-directoryName-subjectAltNames.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ freeradius-server.spec ++++++
--- /var/tmp/diff_new_pack.A0nIRD/_old  2026-01-14 16:24:02.467320997 +0100
+++ /var/tmp/diff_new_pack.A0nIRD/_new  2026-01-14 16:24:02.471321165 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package freeradius-server
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %define unitname radiusd
 Name:           freeradius-server
-Version:        3.2.5
+Version:        3.2.8
 Release:        0
 
 # Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS.
@@ -47,6 +47,7 @@
 Patch6:         freeradius-server-radclient-init-error-buffer.patch
 Patch7:         freeradius-server-opensslversion.patch
 Patch8:         freeradius-server-enable-python3.patch
+Patch9:         freeradius-server-directoryName-subjectAltNames.patch
 BuildRequires:  apache2-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  db-devel
@@ -232,6 +233,7 @@
   --with-udpfromto \
   --without-rlm_eap_ikev2 \
   --without-rlm_eap_tnc \
+  --without-rlm_kafka \
   --with-rlm-krb5-lib-dir=%{_libdir} \
   --without-rlm_opendirectory \
   --without-rlm_sql_db2 \
@@ -308,6 +310,9 @@
 rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/oracle
 rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/oracle
 rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/oracle
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/kafka
+rm %{buildroot}%{_sysconfdir}/raddb/mods-available/kafka
+rm %{buildroot}%{_sysconfdir}/raddb/mods-available/kafka_async
 rm %{buildroot}%{_sysconfdir}/raddb/mods-available/python
 rm %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
 rm %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
@@ -514,6 +519,7 @@
 %attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/pap
 %attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/passwd
 %attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/preprocess
+%attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/proxy_rate_limit
 %attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/python3
 %attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/radutmp
 %attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-available/realm
@@ -563,6 +569,7 @@
 %config(missingok) %{_sysconfdir}/raddb/mods-enabled/ntlm_auth
 %config(missingok) %{_sysconfdir}/raddb/mods-enabled/pap
 %config(missingok) %{_sysconfdir}/raddb/mods-enabled/passwd
+%config(missingok) %{_sysconfdir}/raddb/mods-enabled/proxy_rate_limit
 %config(missingok) %{_sysconfdir}/raddb/mods-enabled/preprocess
 %config(missingok) %{_sysconfdir}/raddb/mods-enabled/radutmp
 %config(missingok) %{_sysconfdir}/raddb/mods-enabled/realm
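Review bot: In this list the new mods-enabled/proxy_rate_limit line is placed before preprocess, whereas the mods-available and rlm_*.so lists in the neighbouring hunks place it after preprocess; keep the ordering consistent across the three lists. Since this entry ships the module enabled by default, it is also worth a changelog line so administrators upgrading from 3.2.5 know a new module is loaded.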
@@ -650,6 +657,7 @@
 %{_libdir}/freeradius/rlm_pap.so
 %{_libdir}/freeradius/rlm_passwd.so
 %{_libdir}/freeradius/rlm_preprocess.so
+%{_libdir}/freeradius/rlm_proxy_rate_limit.so
 %{_libdir}/freeradius/rlm_radutmp.so
 %{_libdir}/freeradius/rlm_realm.so
 %{_libdir}/freeradius/rlm_replicate.so

++++++ freeradius-server-3.2.5.tar.bz2 -> freeradius-server-3.2.8.tar.bz2 ++++++
++++ 63518 lines of diff (skipped)

++++++ freeradius-server-directoryName-subjectAltNames.patch ++++++
>From 3ad8ceac8c065ec46f0036cb5722d78b5a249862 Mon Sep 17 00:00:00 2001
From: William <[email protected]>
Date: Wed, 7 Jan 2026 11:14:23 +1000
Subject: [PATCH] Add support for directoryName subjectAltNames

This adds support to extract and provide directoryName's from the
subjectAltName extension to modules.
---
 share/dictionary.freeradius.internal |  9 ++++++-
 src/main/tls.c                       | 39 ++++++++++++++++++++++++++--
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/share/dictionary.freeradius.internal 
b/share/dictionary.freeradius.internal
index 6c35fe65b4..8679870be7 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -599,6 +599,13 @@ ATTRIBUTE  TLS-Client-Cert-Subject-Alt-Name-Uri    1935    
string
 ATTRIBUTE      TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936      string
 ATTRIBUTE      TLS-Client-Cert-Valid-Since             1937    string
 ATTRIBUTE      TLS-Cache-Method                        1938    integer
+
+#      1960 - 1970
+ATTRIBUTE      TLS-Cert-Subject-Alt-Name-Directory-Name        1960    string
+ATTRIBUTE      TLS-Cert-Subject-Alt-Name-Directory-Name-Common-Name    1961    
string
+ATTRIBUTE      TLS-Client-Cert-Subject-Alt-Name-Directory-Name 1962    string
+ATTRIBUTE      TLS-Client-Cert-Subject-Alt-Name-Directory-Name-Common-Name     
1963    string
+
 VALUE  TLS-Cache-Method                save                    1
 VALUE  TLS-Cache-Method                load                    2
 VALUE  TLS-Cache-Method                clear                   3
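Review bot: The new attributes at 1960 and 1961 reuse numbers that are already assigned in this same file. The context of the following hunk shows "TLS-Cert-CRL-Distribution-Points 1960" and "TLS-Client-Cert-CRL-Distribution-Points 1961". Two names sharing one internal attribute number makes lookups by number ambiguous, and both attribute sets are produced by the same certificate verification path. Suggest moving the four directoryName attributes to numbers that are not yet taken (for instance starting at 1962) and adjusting the range comment to match.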
@@ -632,7 +639,7 @@ ATTRIBUTE   TLS-Cert-CRL-Distribution-Points        1960    
string
 ATTRIBUTE      TLS-Client-Cert-CRL-Distribution-Points 1961    string
 
 #
-#      Range:  1960-2099
+#      Range:  1970-2099
 #              Free
 #
 #      Range:  2100-2199
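Review bot: The free range is now documented as 1970-2099, but the comment added in the previous hunk reserves "1960 - 1970", so 1970 is claimed by both. Only four numbers are actually used by the patch. Suggest writing the reserved block as 1960 - 1969 (or whatever range is finally chosen once the overlap with the CRL-Distribution-Points attributes is resolved) so the two comments do not contradict each other.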
diff --git a/src/main/tls.c b/src/main/tls.c
index c04f3228e4..f7e80979bf 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2845,7 +2845,7 @@ ocsp_end:
 /*
  *     For creating certificate attributes.
  */
-static char const *cert_attr_names[11][2] = {
+static char const *cert_attr_names[13][2] = {
        { "TLS-Client-Cert-Serial",                     "TLS-Cert-Serial" },
        { "TLS-Client-Cert-Expiration",                 "TLS-Cert-Expiration" },
        { "TLS-Client-Cert-Subject",                    "TLS-Cert-Subject" },
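Review bot: The first dimension of cert_attr_names is bumped by hand from 11 to 13 and has to stay in step with both the initializer rows and the FR_TLS_* index defines. If a row is added without updating the number, the compiler either rejects it or silently leaves trailing NULL rows. Suggest declaring it as cert_attr_names[][2] so the size follows the initializer, or adding a compile-time check that the last FR_TLS_* index is below the row count.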
@@ -2857,6 +2857,8 @@ static char const *cert_attr_names[11][2] = {
        { "TLS-Client-Cert-Valid-Since",                "TLS-Cert-Valid-Since" 
},
        { "TLS-Client-Cert-Subject-Alt-Name-Uri",       
"TLS-Cert-Subject-Alt-Name-Uri" },
        { "TLS-Client-Cert-CRL-Distribution-Points",    
"TLS-Cert-CRL-Distribution-Points"},
+       { "TLS-Client-Cert-Subject-Alt-Name-Directory-Name",    
"TLS-Cert-Subject-Alt-Name-Directory-Name" },
+       { "TLS-Client-Cert-Subject-Alt-Name-Directory-Name-Common-Name",        
"TLS-Cert-Subject-Alt-Name-Directory-Name-Common-Name" },
 };
 
 #define FR_TLS_SERIAL          (0)
@@ -2870,6 +2872,9 @@ static char const *cert_attr_names[11][2] = {
 #define FR_TLS_VALID_SINCE     (8)
 #define FR_TLS_SAN_URI         (9)
 #define FR_TLS_CDP             (10)
+#define FR_TLS_SAN_DIRNAME     (11)
+#define FR_TLS_SAN_DIRNAME_CN  (12)
+
 
 /*
  *     Extract Certification Distribution point URL from the certificate
@@ -2899,7 +2904,6 @@ static const char *get_cdp_url(DIST_POINT *dp)
        return NULL;
 }
 
-
 /*
  *     Before trusting a certificate, you must make sure that the
  *     certificate is 'valid'. There are several steps that your
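Review bot: The removed blank line before the cbtls_verify comment is unrelated to directoryName support. In a downstream patch carried against upstream tarballs, stray whitespace changes only add places where the patch can fail to apply on the next version update. Suggest dropping this hunk.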
@@ -2934,6 +2938,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
        char            common_name[1024];
        char            cn_str[1024];
        char            buf[64];
+       char            dirname[1024]; /* Used for the san:dirname */
+       char            dirname_common_name[1024];
        X509            *client_cert;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
        const STACK_OF(X509_EXTENSION) *ext_list;
@@ -3176,6 +3182,35 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                                        rdebug_pair(L_DBG_LVL_2, request, vp, 
NULL);
                                        break;
 #endif /* GEN_URI */
+#ifdef GEN_DIRNAME
+                case GEN_DIRNAME:
+                                       dirname[0] = '\0';
+
+                                       
X509_NAME_oneline(name->d.directoryName, dirname,
+                                                         sizeof(dirname));
+                                       dirname[sizeof(dirname) - 1] = '\0';
+                                       if (!dirname[0]) {
+                                               RWARN("Invalid Directory Name 
in Subject Alt Name");
+                                               break;
+                                       }
+
+                                       vp = fr_pair_make(talloc_ctx, certs, 
cert_attr_names[FR_TLS_SAN_DIRNAME][lookup],
+                                                               dirname, 
T_OP_SET);
+                                       rdebug_pair(L_DBG_LVL_2, request, vp, 
NULL);
+
+                                       dirname_common_name[0] = '\0';
+                                       
X509_NAME_get_text_by_NID(name->d.directoryName,
+                                                               NID_commonName, 
dirname_common_name, sizeof(dirname_common_name));
+                                       
dirname_common_name[sizeof(dirname_common_name) - 1] = '\0';
+
+                                       if (dirname_common_name[0]) {
+                                               vp = fr_pair_make(talloc_ctx, 
certs, cert_attr_names[FR_TLS_SAN_DIRNAME_CN][lookup],
+                                                                       
dirname_common_name, T_OP_SET);
+                                               rdebug_pair(L_DBG_LVL_2, 
request, vp, NULL);
+                                       }
+
+                                       break;
+#endif /* GEN_DIRNAME */
                                default:
                                        /* XXX TODO handle other SAN types */
                                        break;
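Review bot: The return values of X509_NAME_oneline and X509_NAME_get_text_by_NID in the new GEN_DIRNAME case are ignored, so a directoryName that does not fit the 1024-byte buffers is silently truncated and the shortened string is still published as TLS-*-Subject-Alt-Name-Directory-Name (and -Common-Name). Policy that matches on these attributes would then be comparing against a prefix of what the certificate actually contains. Suggest checking both results and skipping the attribute with an RWARN on failure or truncation. Two further points: the OpenSSL documentation describes both functions as legacy, with X509_NAME_get_text_by_NID returning only the first commonName and copying the field bytes verbatim, so X509_NAME_print_ex with XN_FLAG_RFC2253 would give a less ambiguous string; and the 'case GEN_DIRNAME:' line is indented differently from the body below it.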
-- 
2.51.0
