import freeradius-3.0.21-26.el9

This commit is contained in:
CentOS Sources 2022-03-01 05:26:10 -05:00 committed by Stepan Oksanichenko
parent 4e81757a03
commit 62cba018de
4 changed files with 10940 additions and 2 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,31 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 28 Jan 2022
Subject: Use infinite timeout when using LDAP+start-TLS
This will ensure that the TLS connection to the LDAP server will complete
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
the process. Infinite timeout is the OpenLDAP default.
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
src/modules/rlm_ldap/ldap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index cf7a84e069..841bf888a1 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (inst->net_timeout) {
+ bool using_tls = inst->start_tls ||
+ inst->port == 636 ||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+ if (inst->net_timeout && !using_tls) {
memset(&tv, 0, sizeof(tv));
tv.tv_sec = inst->net_timeout;

View File

@ -1 +1,2 @@
D /run/radiusd 0710 radiusd radiusd -
D /run/radiusd/tmp 0700 radiusd radiusd -

View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.21
Release: 21%{?dist}
Release: 26%{?dist}
License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/
@ -26,6 +26,8 @@ Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-no-buildtime-cert-gen.patch
Patch5: freeradius-bootstrap-make-permissions.patch
Patch6: freeradius-Fix-resource-hard-limit-error.patch
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -53,7 +55,7 @@ BuildRequires: ykclient-devel
# Require OpenSSL version we built with, or newer, to avoid startup failures
# due to runtime OpenSSL version checks.
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
Requires(pre): shadow-utils glibc-common
Requires(post): systemd-sysv
Requires(post): systemd-units
@ -209,6 +211,8 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
# Force compile/link options, extra security for network facing daemon
@ -851,6 +855,28 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
- Move remaining files from /var/run to /run
Related: rhbz#2047972
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
- Revert "Allow to connect to partially open LDAP handle"
- Use infinite timeout (openldap default) when using LDAP+start-TLS
- Update openssl dependency to not check epoch (was causing detection issues)
Related: rhbz#1992551
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
- Avoid segfault when trying to use MD4 without legacy provider
Related: rhbz#1978216
* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
- Backport OpenSSL3 fixes
Related: rhbz#1978216
* Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
- Allow to connect to partially open LDAP handle
Related: rhbz#1992551
* Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
- Move FR's systemd unit PID file from /var/run to /run
Related: rhbz#2006368