SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch

@@ -0,0 +1,39 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
+
+	FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
+	explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
+	variable to 1 or else FR should exit at start.
+	
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
+	Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/main/radiusd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/main/radiusd.c b/src/main/radiusd.c
+index 9739514509..58a48895e6 100644
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	/*
++	 *  If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
++	 */
++	char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
++	FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
++	if (fips_file != NULL) {
++		int fips_enabled = fgetc(fips_file) - '0';
++		fclose(fips_file);
++		if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
++			fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
++			exit(EXIT_FAILURE);
++		}
++	}
++
+ 	/*
+ 	 *  According to the talloc peeps, no two threads may modify any part of
+ 	 *  a ctx tree with a common root without synchronisation.

SOURCES/freeradius-Fix-resource-hard-limit-error.patch

@@ -0,0 +1,32 @@
+commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] debug: don't set resource hard limit to zero
+
+    Setting the resource hard limit to zero is irreversible, meaning if it
+    is set to zero then there is no way to set it higher. This means
+    enabling core dump is not possible, since setting a new resource limit
+    for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
+    can disable and enable core dumps without failures.
+
+    This fix is present in both main and 3.0.x upstream branches.
+    
+    Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
+    Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/lib/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/debug.c b/src/lib/debug.c
+index 576bcb2a65..6330c9cb66 100644
+--- a/src/lib/debug.c
++++ b/src/lib/debug.c
+@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
+ 		struct rlimit no_core;
+ 
+ 		no_core.rlim_cur = 0;
+-		no_core.rlim_max = 0;
++		no_core.rlim_max = core_limits.rlim_max;
+ 
+ 		if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
+ 			fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

SOURCES/freeradius-Fix-segfault-when-home_server-is-null.patch

@@ -0,0 +1,51 @@
+From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 20 Nov 2019 13:59:54 -0500
+Subject: [PATCH] a better fix for commit 30ffd21
+
+Which still runs post-proxy-type fail if all of the home servers
+are dead
+
+[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
+[antorres@redhat.com: removed first hunk of commit, already present]
+---
+ src/main/process.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/process.c b/src/main/process.c
+index c8b3af24e2..1a48517d43 100644
+--- a/src/main/process.c
++++ b/src/main/process.c
+@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
+ 	}
+ 
+ 	old_server = request->server;
+-	rad_assert(request->home_server != NULL);
+ 
+ 	/*
+ 	 *	If the home server is virtual, just run pre_proxy from
+ 	 *	that section.
+ 	 */
+-	if (request->home_server->server) {
++	if (request->home_server && request->home_server->server) {
+ 		request->server = request->home_server->server;
+ 
+ 	} else {
+@@ -3182,13 +3180,12 @@ do_home:
+ 	}
+ 
+ 	old_server = request->server;
+-	rad_assert(request->home_server != NULL);
+ 
+ 	/*
+ 	 *	If the home server is virtual, just run pre_proxy from
+ 	 *	that section.
+ 	 */
+-	if (request->home_server->server) {
++	if (request->home_server && request->home_server->server) {
+ 		request->server = request->home_server->server;
+ 
+ 	} else {
+-- 
+2.31.1
+

SOURCES/freeradius-Fix-unterminated-strings-in-SQL-queries.patch

@@ -0,0 +1,41 @@
+From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 12 Nov 2021 16:23:05 +0100
+Subject: [PATCH] Fix unterminated strings in SQL queries
+
+Resolves: bz#2021247
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ raddb/mods-config/sql/ippool/mysql/queries.conf  | 2 +-
+ raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
+index 2dfc6574dd..444812a047 100644
+--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
++++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
+@@ -114,7 +114,7 @@ allocate_update = "\
+ 		nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
+ 		callingstationid = '%{Calling-Station-Id}', \
+ 		username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
+-	WHERE framedipaddress = '%I'
++	WHERE framedipaddress = '%I'"
+ 
+ #
+ #  Use a stored procedure to find AND allocate the address. Read and customise
+diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
+index 31a5df3659..e92466108b 100644
+--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
++++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
+@@ -89,7 +89,7 @@ allocate_update = "\
+ 		callingstationid = '%{Calling-Station-Id}', \
+ 		username = '%{User-Name}', \
+ 		expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
+-	WHERE framedipaddress = '%I'
++	WHERE framedipaddress = '%I'"
+ 
+ #
+ #  This series of queries frees an IP number when an accounting START record arrives
+-- 
+2.31.1
+

SOURCES/freeradius-bootstrap-run-only-once.patch

@@ -0,0 +1,72 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Wed Jul 20 2021
+Subject: [PATCH] ensure bootstrap script is run only once
+
+	The bootstrap script should only run once. By checking if there are
+	certificates in the directory, we can exit early if certificates were
+	already generated.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
+	Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ raddb/certs/README    | 16 ++++++----------
+ raddb/certs/bootstrap | 18 ++++++++++++------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/README b/raddb/certs/README
+index 6288921da1..32413964dd 100644
+--- a/raddb/certs/README
++++ b/raddb/certs/README
+@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
+ your users, and to issue client certificates for EAP-TLS.
+ 
+   If FreeRADIUS was configured to use OpenSSL, then simply starting
+-the server in root in debugging mode should also create test
+-certificates, i.e.:
++the server in root mode should also create test certificates.
+ 
+-$ radiusd -X
+-
+-  That will cause the EAP-TLS module to run the "bootstrap" script in
+-this directory.  The script will be executed only once, the first time
+-the server has been installed on a particular machine.  This bootstrap
+-script SHOULD be run on installation of any pre-built binary package
+-for your OS.  In any case, the script will ensure that it is not run
+-twice, and that it does not over-write any existing certificates.
++  The start of FreeRADIUS will cause to run the "bootstrap" script.
++The script will be executed during every start of FreeRADIUS via systemd but
++the script will ensure that it does not overwrite any existing certificates.
++Ideally, the bootstrap script file should be deleted after new testing certificates
++have been generated.
+ 
+   If you already have CA and server certificates, rename (or delete)
+ this directory, and create a new "certs" directory containing your
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..92254dc936 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -1,12 +1,18 @@
+ #!/bin/sh
+ #
+-#  This is a wrapper script to create default certificates when the
+-#  server first starts in debugging mode.  Once the certificates have been
+-#  created, this file should be deleted.
++# Bootstrap script should be run only once. If there are already certificates
++# generated, skip the execution.
++#
++cd `dirname $0`
++if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
++  exit 0
++fi
++
+ #
+-#  Ideally, this program should be run as part of the installation of any
+-#  binary package.  The installation should also ensure that the permissions
+-#  and owners are correct for the files generated by this script.
++#  This is a wrapper script to create default certificates when the
++#  server starts via systemd. It should also ensure that the
++#  permissions and owners are correct for the generated files. Once
++# the certificates have been created, this file should be deleted.
+ #
+ #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
+ #

SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch

@@ -0,0 +1,47 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on invalid abinary data
+
+A malicious RADIUS client or home server can send a malformed abinary
+attribute which can cause the server to crash.
+
+Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d9f..3f3b63daeef3 100644
+--- a/src/lib/filters.c
++++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 			}
+ 		}
+ 	} else if (filter->type == RAD_FILTER_GENERIC) {
+-		int count;
++		size_t count, masklen;
++
++		masklen = ntohs(filter->u.generic.len);
++		if (masklen >= sizeof(filter->u.generic.mask)) {
++			*p = '\0';
++			return;
++		}
+ 
+ 		i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+ 		p += i;
+ 
+ 		/* show the mask */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+ 			p += i;
+ 			outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 		outlen--;
+ 
+ 		/* show the value */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+ 			p += i;
+ 			outlen -= i;

SOURCES/freeradius-fix-crash-unknown-eap-sim.patch

@@ -0,0 +1,115 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on unknown option in EAP-SIM
+
+When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
+look that option up in the internal dictionaries. This lookup will fail, but the
+SIM code will not check for that failure. Instead, it will dereference a NULL
+pointer, and cause the server to crash.
+
+Backport of:
+https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
+https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd92..e438a844eab 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
++++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+ 	newvp->vp_length = 1;
+ 	fr_pair_add(&(r->vps), newvp);
+ 
++	/*
++	 *	EAP-SIM has a 1 octet of subtype, and 2 octets
++	 *	reserved.
++	 */
+ 	attr     += 3;
+ 	attrlen  -= 3;
+ 
+-	/* now, loop processing each attribute that we find */
+-	while(attrlen > 0) {
++	/*
++	 *	Loop over each attribute.  The format is:
++	 *
++	 *	1 octet of type
++	 *	1 octet of length (value 1..255)
++	 *	((4 * length) - 2) octets of data.
++	 */
++	while (attrlen > 0) {
+ 		uint8_t *p;
+ 
+-		if(attrlen < 2) {
++		if (attrlen < 2) {
+ 			fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+ 			return 0;
+ 		}
+ 
++		if (!attr[1]) {
++			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
++					   es_attribute_count);
++			return 0;
++		}
++
+ 		eapsim_attribute = attr[0];
+ 		eapsim_len = attr[1] * 4;
+ 
++		/*
++		 *	The length includes the 2-byte header.
++		 */
+ 		if (eapsim_len > attrlen) {
+ 			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+ 					   eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+ 			return 0;
+ 		}
+ 
+-		if(eapsim_len > MAX_STRING_LEN) {
+-			eapsim_len = MAX_STRING_LEN;
+-		}
+-		if (eapsim_len < 2) {
+-			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+-					   es_attribute_count);
+-			return 0;
+-		}
++		newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
++		if (!newvp) {
++			/*
++			 *	RFC 4186 Section 8.1 says 0..127 are
++			 *	"non-skippable".  If one such
++			 *	attribute is found and we don't
++			 *	understand it, the server has to send:
++			 *
++			 *	EAP-Request/SIM/Notification packet with an
++			 *	(AT_NOTIFICATION code, which implies general failure ("General
++			 *	failure after authentication" (0), or "General failure" (16384),
++			 *	depending on the phase of the exchange), which terminates the
++			 *	authentication exchange.
++			 */
++			if (eapsim_attribute <= 127) {
++				fr_strerror_printf("Unknown mandatory attribute %d, failing",
++						   eapsim_attribute);
++				return 0;
++			}
+ 
+-		newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+-		newvp->vp_length = eapsim_len-2;
+-		newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+-		memcpy(p, &attr[2], eapsim_len-2);
+-		fr_pair_add(&(r->vps), newvp);
+-		newvp = NULL;
++		} else {
++			/*
++			 *	It's known, ccount for header, and
++			 *	copy the value over.
++			 */
++			newvp->vp_length = eapsim_len - 2;
++
++			newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
++			memcpy(p, &attr[2], newvp->vp_length);
++			fr_pair_add(&(r->vps), newvp);
++		}
+ 
+ 		/* advance pointers, decrement length */
+ 		attr += eapsim_len;

SOURCES/freeradius-fix-info-leakage-eap-pwd.patch

@@ -0,0 +1,76 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix information leakage in EAP-PWD
+
+The EAP-PWD function compute_password_element() leaks information about the 
+password which allows an attacker to substantially reduce the size of an 
+offline dictionary attack.
+
+Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index d94851c3aa..9f86b62114 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
+ #include <freeradius-devel/radiusd.h>
+ #include <freeradius-devel/modules.h>
+ 
++static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ static void H_Init(HMAC_CTX *ctx)
+ {
+@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 			      uint32_t *token)
+ {
+ 	BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
+-	HMAC_CTX *ctx = NULL;
++	EVP_MD_CTX *hmac_ctx;
++	EVP_PKEY *hmac_pkey;
+ 	uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
+ 	int nid, is_odd, primebitlen, primebytelen, ret = 0;
+ 
+-	ctx = HMAC_CTX_new();
+-	if (ctx == NULL) {
+-		DEBUG("failed allocating HMAC context");
+-		goto fail;
+-	}
++	MEM(hmac_ctx = EVP_MD_CTX_new());
++	MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
+ 
+ 	switch (grp_num) { /* from IANA registry for IKE D-H groups */
+ 	case 19:
+@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 		 *    pwd-seed = H(token | peer-id | server-id | password |
+ 		 *		   counter)
+ 		 */
+-		H_Init(ctx);
+-		H_Update(ctx, (uint8_t *)token, sizeof(*token));
+-		H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
+-		H_Update(ctx, (uint8_t const *)id_server, id_server_len);
+-		H_Update(ctx, (uint8_t const *)password, password_len);
+-		H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
+-		H_Final(ctx, pwe_digest);
++		EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
+ 
+ 		BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
+ 		if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
+@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 	BN_clear_free(x_candidate);
+ 	BN_clear_free(rnd);
+ 	talloc_free(prfbuf);
+-	HMAC_CTX_free(ctx);
++	EVP_MD_CTX_free(hmac_ctx);
++	EVP_PKEY_free(hmac_pkey);
+ 
+ 	return ret;
+ }

SOURCES/freeradius-man-Fix-some-typos.patch

@@ -0,0 +1,93 @@
+From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Fri, 14 Sep 2018 11:53:28 +0300
+Subject: [PATCH] man: Fix some typos
+
+---
+ man/man1/radzap.1   | 4 ++--
+ man/man5/unlang.5   | 6 +++---
+ man/man8/radcrypt.8 | 2 +-
+ man/man8/radiusd.8  | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
+index a2d529d064..03b9a43a54 100644
+--- a/man/man1/radzap.1
++++ b/man/man1/radzap.1
+@@ -1,4 +1,4 @@
+-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
++.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
+ .SH NAME
+ radzap - remove rogue entries from the active sessions database
+ .SH SYNOPSIS
+@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
+ .RB [ \-x ]
+ \fIserver[:port] secret\fP
+ .SH DESCRIPTION
+-The FreeRadius server can be configured to maintain an active session
++The FreeRADIUS server can be configured to maintain an active session
+ database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
+ use this database. Sometimes that database can get out of sync, and
+ then it might contain rogue entries. \fBradzap\fP can clean up this
+diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
+index 40db5fa6e7..5f765f1787 100644
+--- a/man/man5/unlang.5
++++ b/man/man5/unlang.5
+@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
+ of Version 3, the <list> can be omitted, in which case "request" is
+ assumed.
+ 
+-The "control" list is the list of attributes maintainted internally by
++The "control" list is the list of attributes maintained internally by
+ the server that controls how the server processes the request.  Any
+ attribute that does not go in a packet on the network will generally
+ be placed in the "control" list.
+@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
+ quotes, or back-quoted).  Also evaluates to true if 'foo' is a
+ non-zero number.  Note that the language is poorly typed, so the
+ string "0000" can be interpreted as a numerical zero.  This issue can
+-be avoided by comparings strings to an empty string, rather than by
++be avoided by comparing strings to an empty string, rather than by
+ evaluating the string by itself.
+ 
+ If the word 'foo' is not a quoted string, then it can be taken as a
+@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
+ .IP ok
+ Instructs the server that the request was processed properly.  This
+ keyword can be used to over-ride earlier failures, if the local
+-administrator determines that the faiures are not catastrophic.
++administrator determines that the failures are not catastrophic.
+ .IP reject
+ Causes the request to be immediately rejected
+ .SH MODULE RETURN CODES
+diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
+index 08336c66f2..2917f60c46 100644
+--- a/man/man8/radcrypt.8
++++ b/man/man8/radcrypt.8
+@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
+ Ignored if performing a password check.
+ .IP "\-c --check"
+ Perform a validation check on a password hash to verify if it matches
+-the plantext password.
++the plaintext password.
+ 
+ .SH EXAMPLES
+ .nf
+diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
+index 98aef5e1be..2ef5ccf789 100644
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
+ used in the other configuration files.  You don't have to modify it.
+ It includes other dictionary files in the same directory.
+ .IP hints
+-Defines certain hints to the radius server based on the users's loginname
++Defines certain hints to the radius server based on the users' loginname
+ or other attributes sent by the access server. It also provides for
+ mapping user names (such as Pusername -> username). This provides the
+ functionality that the \fILivingston 2.0\fP server has as "Prefix" and
+-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
++"Suffix" support in the \fIusers\fP file, but is more general. Of course
+ the Livingston way of doing things is also supported, and you can even use
+ both at the same time (within certain limits).
+ .IP huntgroups

SOURCES/radiusd.service

@@ -6,7 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
-ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
+ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C

SPECS/freeradius.spec

@@ -9,7 +9,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.20
-Release: 3%{?dist}
+Release: 14%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -38,6 +38,15 @@ Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
 Patch6: freeradius-bootstrap-make-permissions.patch
 Patch7: freeradius-no-dh-param-load-FIPS.patch
 Patch8: freeradius-bootstrap-fixed-dhparam.patch
+Patch9: freeradius-man-Fix-some-typos.patch
+Patch10: freeradius-Fix-resource-hard-limit-error.patch
+Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
+Patch12: freeradius-bootstrap-run-only-once.patch
+Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
+Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
+Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
+Patch16: freeradius-fix-crash-unknown-eap-sim.patch
+Patch17: freeradius-fix-info-leakage-eap-pwd.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -234,6 +243,15 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 # Add fixed dhparam file to the source to ensure `make tests` can run.
 cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
@@ -884,6 +902,53 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
+- Fix defect found by Covscan
+  Resolves: #2151704
+
+* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
+- Fix multiple CVEs
+- Add rpminspect configuration
+  Resolves: #2151702
+  Resolves: #2151704
+  Resolves: #2151706
+
+* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
+- Fix segfault when home_server is null
+  Resolves: bz#2030173
+
+* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
+- Fix unterminated strings in SQL queries
+  Resolves: bz#2021247
+
+* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
+- Rebuild to pick up latest json-c
+  Resolves: bz#2021818
+
+* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
+- radiusd.service: don't fail if bootstrap script is not present
+  Resolves: bz#1954521
+
+* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
+- Extend info about boostrap script in README and comments
+  Resolves: bz#1954521
+
+* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
+- Ensure bootstrap script is run only once
+  Resolves: bz#1954521
+
+* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
+- Exit if host in FIPS mode and MD5 usage not explicitly allowed
+  Resolves: bz#1958979
+
+* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
+- Fix coredump not being able to be enabled
+  Resolves: bz#1977572
+
+* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
+- Fix some manpage typos
+  Resolves: bz#1843807
+
 * Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
 - Require make for proper bootstrap execution, removes post script
   Resolves: bz#1672285