./net/freeradius, Free RADIUS server implementation


Branch: CURRENT, Version: 3.2.10, Package name: freeradius-3.2.10, Maintainer: pkgsrc-users

FreeRADIUS is the most widely deployed RADIUS server in the world.
It is the basis for multiple commercial offerings.

Required to run:
[databases/gdbm] [security/openssl] [devel/talloc]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 3640.463 KB

CVS history:


   2026-06-04 08:24:54 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
freeradius: updated to 3.2.10

3.2.10
The focus of this release is stability.
   2026-06-02 11:12:54 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
freeradius: updated to 3.2.9

3.2.9

Configuration changes

Add protocol_error = yes configuration to clients. If set, the server can return Protocol-Error responses to the client.
radclient can now suppress Message-Authenticator in Access-Request, when the input packet contains Message-Authenticator !* ANY. Don't use this in production!
Set suppress_secrets = true by default.
Add connect_fail_interval to home_server configuration. If a connection fails, the server will wait this time before trying to connect again.
Add certificate_fail_interval to home_server configuration. If a connection succeeds but the home_server certificate is invalid, the server will wait this time before trying to connect again.
Add update section to home_server configuration. Status-Server packets can therefore be customized.
Add cipher_suites to tls{} configuration. See raddb/sites-available/tls. This is mainly used to set the cipher suites for TLS-PSK with TLS 1.3.

Feature improvements

Initial implementation of Protocol-Failure as per IETF draft. The functionality is disabled by default, but can be enabled via new configuration flags.
Always allow Protocol-Error packet as valid response to any packet.
Add Error-Cause attributes to CoA-NAK and Disconnect-NAK
Added filter_username_nai to policy.d/filter, mainly for use in eduroam.
Updates to VSCode default configuration.
Cleanups and add log messages for rlm_proxy_rate_limit.
Allow 389ds legacy PBKDF2_SHA256 to use arbitrary iteration count.
Amend policy insert_acct_class/acct_unique to work in environments with multiple Class attributes
Tweak sqlippool messages to make them clearer.
Print log message if the server receives a correct authenticated proxy response packet, but which has an unexpected code. e.g. received Access-Accept in response to an Accounting-Request.
New installations now set "suppress_secrets=true" by default. The server also prints messages in debug mode which explain why the secrets are being suppressed.
Allow parallel build for Debian.
Add RTBrick and other dictionaries.
Add documentation for ntlm_auth and spaces in passwords.

Bug fixes

Many minor bug fixes and cleanups.
Fixes to RadSec.
Many other fixes to socket and event handling, which enable increased scalability.
Fix issues found with EAP-MSCHAPv2, EAP-PWD, and EAP-MD5.
Fix run_dir
Disable the PCRE JIT at run time if it can't allocate executable memory.
Set selinux boolean to allow PCRE2 JIT
If you set the clock 25 years in the future, don't spam systemd.
Don't load the OpenSSL legacy provider when built with --enable-fips-workaround.
Address potential leaks when opening many RADIUS/TLS proxy sockets.
Encode multiple DHCP Option 82 as one option, instead of as multiple options.
Update the rlm_cache_redis driver to reconnect on connection failure.
Tweaks to the processing state machine to handle more corner cases / race conditions. Thanks to Paul Dekkers for testing.
Don't close the main listen socket for TCP.
Fix rlm_dpsk to properly support dynamic filenames.
Don't crash in corner cases when running Post-Proxy-Type Fail.
Use correct name offsets in proxy_rate_limit.
push fallback virtual server to child thread.
Correct corner case in hash table.
Allow new proxy sockets after reaching "too many sockets", when we close an existing proxy connection.
fix consistent load balancing.
Address pthread APIs.
Install headers needed to build modules.
Initialize scope in IPv6 address lookups.
Don't load legacy provider on --enable-fips-workaround.
Hoist mutex lock in TLS sockets.
Fix occasional EAP-PWD authentication failure.
Fix memcache storing of dates.
Add more debugging information for TEAP. TEAP has limited utility, due to the incompleteness of the spec, and the severe limitations of the Windows TEAP supplicant.
Return stats for "auth+acct" home servers.
   2026-05-13 11:30:43 by Adam Ciarcinski | Files touched by this commit (10) | Package updated
Log message:
freeradius: updated to 3.2.8

FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
Configuration changes
* Replace dictionary.infinera with the correct one.
* Update dictionary.alteon

Feature improvements
* Add support for automated fuzzing.  This doesn't affect
  normal operations, but it does allow for testing of the
  RADIUS decoder.
* Allow tagged attributes to use ":V" as a tag in some cases.
  The tag is then read from the value which is being assigned
  to the attribute.  This functionality is allowed in 'update'
  sections, including 'update' in module configurations.
  See mods-available/ldap for an example.
* Add kafka module.  See mods-available/kafka.
* Allow &control:Packet-SRC-IP-Address to be used when
  proxying needs a given source address.
* Change lower limit for reject_delay to 0.5s.  Apparently
  some NASes will panic and go crazy with a 1s reject_delay.
* Rate limit complaints when limiting new connections.
* Update raddb/certs/Makefile to support DER output.
* Elapsed statistics for packets do not include proxy timers,
  which helps clarify where any issues are.  The total time
  is still available by adding "our" time to the "proxy" time.
* Added kafka module.  See mods-available/kafka.
* json module can now print dates as integers.
  See mods-available/json
* The debug output now points to the online documentation in
  many cases, when there are syntax errors in the configuration.
* Add support for 389ds password hashes.  Patch from Gerald Vogt.
* reject_delay does not _add_ a delay, but instead ensures that
  the reject is delayed for _at least_ that time.  This change
  means that reject_delay can be set in more situations, including
  for proxies.
* Add delay_proxy_rejects.  By default, proxied rejects are not
  delayed.  Setting this flag means that reject_delay is applied
  to proxied rejects, too.
* The proxy_rate_limit module can now be listed in the
  "authorize" section.
* Update dpsk module to be faster, and be easier to configure
  with databases.  See mods-available/dpsk

Bug fixes
* Move assertion in thread / queue code, which only affects
  debug builds.
* Update CRL checks to avoid crash in some cases.
* More tweaks to the TEAP code.
* Allow building when OpenSSL is missing PSK.
* Move assertion so that it isn't triggered when the incoming
  queue is full, and the server is blocked.
* Fix crash when multiple certs are used along with
  CRL distribution points.
* Fix typo in rlm_cache which could cause crashes.
* Be more forgiving about '%' in strings.
* Move assertion in threading code.
* Fixes to interaction with python interpreter
* Don't crash when setting client hostname in RADIUS/TLS.
* Ignore ".dpkg*" and ".rpm*" files when loading configuration
  directories.  Package managers can leave these around.
* Complain more loudly if all of the "authorize" etc. sections
  have been removed, but the server is still configured to
  process Access-Request packets.
* Use OCIStmtPrepare2 to prepare Oracle queries.
* Allow dynamic clients with TCP listeners.
   2026-01-07 09:49:50 by Thomas Klausner | Files touched by this commit (2525)
Log message:
*: recursive bump for icu 78.1
   2025-05-06 14:07:36 by Thomas Klausner | Files touched by this commit (124)
Log message:
*: SOEXT -> SHLIB_EXT
   2025-04-17 23:53:13 by Thomas Klausner | Files touched by this commit (2449)
Log message:
*: recursive bump for icu 77 and libxml2 2.14
   2024-12-18 11:58:04 by Niclas Rosenvik | Files touched by this commit (15)
Log message:
revbump due to devel/talloc dependency changes
   2024-11-14 23:22:33 by Thomas Klausner | Files touched by this commit (2428)
Log message:
*: recursive bump for icu 76 shlib major version bump