Upgrade freeradius 3.0.21 -> 3.2.3 to address 2 CVEs (#6169)

* freeradius: upgrade 3.0.21 -> 3.2.3 to address 4 CVEs * Add license verification log * freeradius: update cgmanifest entry * Lint * Update changelog entry * Refactor spec file
2023-09-22 20:42:25 +05:30 · 2023-09-22 20:42:25 +05:30 · f2ddb0e41a
--- a/SPECS-EXTENDED/freeradius/fix-error-for-expansion-of-macro-in-thread.h.patch
+++ b/SPECS-EXTENDED/freeradius/fix-error-for-expansion-of-macro-in-thread.h.patch
@ -0,0 +1,61 @@
+From 30ce5ccd62446349d432ff65d3fe8d46872423c8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 18 Jan 2017 14:59:39 +0800
+Subject: [PATCH] fix error for expansion of macro in thread.h
+
+The parameter declaration is missing in expansion of macro
+which cause the build error:
+| In file included from src/freeradius-devel/libradius.h:80:0,
+|                  from src/lib/log.c:26:
+| src/lib/log.c: In function '__fr_thread_local_destroy_fr_strerror_buffer':
+| src/lib/log.c:37:31: error: 'fr_strerror_buffer' undeclared (first use in this function)
+|  fr_thread_local_setup(char *, fr_strerror_buffer) /* macro */
+|                                ^
+
+Add the missing declaration in macro.
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/include/threads.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/include/threads.h b/src/include/threads.h
+index e36d81dac0..2bcb6aadcb 100644
+--- a/src/include/threads.h
+++ b/src/include/threads.h
+@@ -89,7 +89,7 @@ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\
+ #  define fr_thread_local_get(_n) _n
+ #elif defined(HAVE_PTHREAD_H)
+ #  include <pthread.h>
+-#  define fr_thread_local_setup(_t, _n) \
+#  define fr_thread_local_setup(_t, _n) static __thread _t _n;\
+ static pthread_key_t __fr_thread_local_key_##_n;\
+ static pthread_once_t __fr_thread_local_once_##_n = PTHREAD_ONCE_INIT;\
+ static pthread_destructor_t __fr_thread_local_destructor_##_n = NULL;\
+@@ -100,17 +100,17 @@ static void __fr_thread_local_destroy_##_n(UNUSED void *unused)\
+ static void __fr_thread_local_key_init_##_n(void)\
+ {\
+ 	(void) pthread_key_create(&__fr_thread_local_key_##_n, __fr_thread_local_destroy_##_n);\
+-	(void) pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\
+ }\
+ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\
+ {\
+ 	__fr_thread_local_destructor_##_n = func;\
+ 	if (_n) return _n; \
+ 	(void) pthread_once(&__fr_thread_local_once_##_n, __fr_thread_local_key_init_##_n);\
+	(void) pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\
+ 	return _n;\
+ }
+-#  define fr_thread_local_init(_n, _f)			__fr_thread_local_init_##_n(_f)
+-#  define fr_thread_local_set(_n, _v)			__fr_thread_local_set_##_n(_v)
+-#  define fr_thread_local_get(_n)			__fr_thread_local_get_##_n()
+#  define fr_thread_local_init(_n, _f)	__fr_thread_local_init_##_n(_f)
+#  define fr_thread_local_set(_n, _v) ((int)!((_n = _v) || 1))
+#  define fr_thread_local_get(_n) _n
+ #endif
+ #endif
+-- 
+2.25.1
+
--- a/SPECS-EXTENDED/freeradius/freeradius-Use-system-crypto-policy-by-default.patch
+++ b/SPECS-EXTENDED/freeradius/freeradius-Use-system-crypto-policy-by-default.patch
@ -4,6 +4,7 @@ Date: Wed, 8 May 2019 10:16:31 -0400
 Subject: [PATCH] Use system-provided crypto-policies by default

 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+[antorres@redhat.com]: update patch to 3.2.1 state
 ---
 raddb/mods-available/eap        | 4 ++--
 raddb/mods-available/inner-eap  | 2 +-
@ -12,21 +13,21 @@ Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 4 files changed, 6 insertions(+), 6 deletions(-)

 diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 36849e10f2..b28c0f19c6 100644
+index 62152a6dfc..9f64963034 100644
 --- a/raddb/mods-available/eap
 +++ b/raddb/mods-available/eap
-@@ -368,7 +368,7 @@ eap {
- 		#
- 		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+@@ -400,7 +400,7 @@ eap {
+ 		#  TLS cipher suites.  The format is listed
+ 		#  in "man 1 ciphers".
 		#
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
 
- 		#  If enabled, OpenSSL will use server cipher list
- 		#  (possibly defined by cipher_list option above)
-@@ -912,7 +912,7 @@ eap {
- 		#  Note - for OpenSSL 1.1.0 and above you may need
- 		#  to add ":@SECLEVEL=0"
+ 		#  Set this option to specify the allowed
+ 		#  TLS signature algorithms for OpenSSL 1.1.1 and above.
+@@ -1082,7 +1082,7 @@ eap {
+ 		#  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ 		#  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
 		#
 -	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
 +	#	cipher_list = "PROFILE=SYSTEM"
@ -47,23 +48,23 @@ index 576eb7739e..ffa07188e2 100644
 		#  You may want to set a very small fragment size.
 		#  The TLS data here needs to go inside of the
 diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
-index 92f1d6330e..cd69b3905a 100644
+index b8d0626bbe..073b2933c2 100644
 --- a/raddb/sites-available/abfab-tls
 +++ b/raddb/sites-available/abfab-tls
-@@ -19,7 +19,7 @@ listen {
+@@ -20,7 +20,7 @@ listen {
 		dh_file = ${certdir}/dh
 		fragment_size = 8192
 		ca_path = ${cadir}
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
- 
 		cache {
 			enable = no
+ 			lifetime = 24 # hours
 diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
-index bbc761b1c5..83cd35b851 100644
+index 137fcbc6cc..a65f8a8711 100644
 --- a/raddb/sites-available/tls
 +++ b/raddb/sites-available/tls
-@@ -215,7 +215,7 @@ listen {
+@@ -292,7 +292,7 @@ listen {
 		# Set this option to specify the allowed
 		# TLS cipher suites.  The format is listed
 		# in "man 1 ciphers".
@ -72,15 +73,14 @@ index bbc761b1c5..83cd35b851 100644
 
 		# If enabled, OpenSSL will use server cipher list
 		# (possibly defined by cipher_list option above)
-@@ -517,7 +517,7 @@ home_server tls {
+@@ -676,7 +676,7 @@ home_server tls {
 		# Set this option to specify the allowed
 		# TLS cipher suites.  The format is listed
 		# in "man 1 ciphers".
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
- 	}
 
- }
+ 		#
+ 		#  Connection timeout for outgoing TLS connections.
 -- 
-2.21.0
-
+2.21.0
--- a/SPECS-EXTENDED/freeradius/freeradius-no-buildtime-cert-gen.patch
+++ b/SPECS-EXTENDED/freeradius/freeradius-no-buildtime-cert-gen.patch
@ -6,45 +6,48 @@ Subject: [PATCH] Don't generate certificates in reproducible builds
 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 ---
 Make.inc.in  | 5 +++++
- configure    | 4 ++++
+ configure    | 3 +++
 configure.ac | 3 +++
 raddb/all.mk | 4 ++++
- 4 files changed, 16 insertions(+)
+ 4 files changed, 15 insertions(+)

 diff --git a/Make.inc.in b/Make.inc.in
 index 0b2cd74de8..8c623cf95c 100644
 --- a/Make.inc.in
 +++ b/Make.inc.in
-@@ -173,3 +173,8 @@ else
- 	TESTBINDIR = ./$(BUILD_DIR)/bin
+@@ -174,6 +174,10 @@ else
 	TESTBIN    = ./$(BUILD_DIR)/bin
 endif
-+
+ 
 +#
 +#  With reproducible builds, do not generate certificates during installation
 +#
 +ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
+ 
+ #
+ #  For creating documentation via doc/all.mk
 diff --git a/configure b/configure
-index c2c599c92b..3d4403a844 100755
+index 77a1436510..74ff9a1fd4 100755
 --- a/configure
 +++ b/configure
-@@ -655,6 +655,7 @@ RUSERS
+@@ -652,6 +652,7 @@ AUTOCONF
+ ACLOCAL
+ RUSERS
 SNMPWALK
- SNMPGET
- PERL
 +ENABLE_REPRODUCIBLE_BUILDS
+ SNMPGET
 openssl_version_check_config
 WITH_DHCP
- modconfdir
-@@ -5586,6 +5587,7 @@ else
+@@ -5961,7 +5962,7 @@ else
+   openssl_version_check_config=
 fi
 
- 
+-
 +ENABLE_REPRODUCIBLE_BUILDS=yes
 # Check whether --enable-reproducible-builds was given.
 if test "${enable_reproducible_builds+set}" = set; then :
   enableval=$enable_reproducible_builds;  case "$enableval" in
-@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
+@@ -5973,6 +5974,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
     ;;
   *)
     reproducible_builds=no
@ -52,19 +55,11 @@ index c2c599c92b..3d4403a844 100755
   esac
 
 fi
-@@ -5604,6 +5607,7 @@ fi
- 
- 
- 
-+
- CHECKRAD=checkrad
- # Extract the first word of "perl", so it can be a program name with args.
- set dummy perl; ac_word=$2
 diff --git a/configure.ac b/configure.ac
-index a7abf0025a..35b013f4af 100644
+index ce4d9b0ae5..790cbf02a0 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
+@@ -697,6 +697,7 @@ AC_SUBST([openssl_version_check_config])
 dnl #
 dnl #  extra argument: --enable-reproducible-builds
 dnl #
@ -72,7 +67,7 @@ index a7abf0025a..35b013f4af 100644
 AC_ARG_ENABLE(reproducible-builds,
 [AS_HELP_STRING([--enable-reproducible-builds],
                 [ensure the build does not change each time])],
-@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
+@@ -708,8 +709,10 @@ AC_ARG_ENABLE(reproducible-builds,
     ;;
   *)
     reproducible_builds=no
@ -81,6 +76,10 @@ index a7abf0025a..35b013f4af 100644
 )
 +AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
 
+ dnl #
+ dnl #  Enable the -fsanitize=fuzzer and link in the address sanitizer
+
+ 
 
 dnl #############################################################
 diff --git a/raddb/all.mk b/raddb/all.mk
--- a/SPECS-EXTENDED/freeradius/freeradius.signatures.json
+++ b/SPECS-EXTENDED/freeradius/freeradius.signatures.json
@ -2,8 +2,9 @@
 "Signatures": {
  "freeradius-logrotate": "d9f040861ee70def0c6fd6bad8b901503e1b48b5283cd319f72b28c6493ba29d",
  "freeradius-pam-conf": "5e7dc31dd832ee6365c32bbe8042863ef8381cb1f076dfad72caa2e86d7050d7",
-  "freeradius-server-3.0.21.tar.bz2": "c22dad43954b0cbc957564d3f8cbb942ff09853852d2c2155d54e6bd641a4e7d",
+  "freeradius-server-3.2.3.tar.bz2": "4a16aeffbfa1424e1f317fdf71d17e5523a4fd9564d87c747a60595ef93c5d1f",
  "freeradius-tmpfiles.conf": "125b30adfdee54a4ae3865e7a75ad71b91c1385190a2d3fb876cf20cfc923a08",
+  "freeradius.sysusers": "313b1c8868c014ae368861a92356818f16fabae594ba6483981097b2d815efe2",
  "radiusd.service": "300647599fcd3f96d2a8065dd49bfeab086a6353c6f97bd32edc698e3550e312"
 }
 }
--- a/SPECS-EXTENDED/freeradius/freeradius.spec
+++ b/SPECS-EXTENDED/freeradius/freeradius.spec
@ -1,52 +1,45 @@
-Vendor:         Microsoft Corporation
-Distribution:   Mariner
-Summary: High-performance and highly configurable free RADIUS server
-Name: freeradius
-Version: 3.0.21
-Release: 9%{?dist}
-License: GPLv2+ and LGPLv2+
-URL: http://www.freeradius.org/
-
+%global _default_patch_fuzz 2
 # Is elliptic curve cryptography supported?
 %global HAVE_EC_CRYPTO 1

+Summary:        High-performance and highly configurable free RADIUS server
+Name:           freeradius
+Version:        3.2.3
+Release:        1%{?dist}
+License:        GPLv2+ AND LGPLv2+
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+URL:            https://freeradius.org/
+
 %global dist_base freeradius-server-%{version}
-
-Source0: ftp://ftp.freeradius.org/pub/radius/%{dist_base}.tar.bz2
-Source100: radiusd.service
-Source102: freeradius-logrotate
-Source103: freeradius-pam-conf
-Source104: freeradius-tmpfiles.conf
-
-Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
-Patch2: freeradius-Use-system-crypto-policy-by-default.patch
-Patch3: freeradius-bootstrap-create-only.patch
-Patch4: freeradius-no-buildtime-cert-gen.patch
-Patch5: freeradius-bootstrap-make-permissions.patch
-
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
-
-BuildRequires: autoconf
-BuildRequires: make
-BuildRequires: gcc
-BuildRequires: gdbm-devel
-BuildRequires: openssl
-BuildRequires: openssl-devel
-BuildRequires: pam-devel
-BuildRequires: zlib-devel
-BuildRequires: net-snmp-devel
-BuildRequires: net-snmp-utils
-BuildRequires: readline-devel
-BuildRequires: libpcap-devel
-BuildRequires: systemd-units
-BuildRequires: libtalloc-devel
-BuildRequires: pcre-devel
-
-%if ! 0%{?rhel}
-BuildRequires: libyubikey-devel
-BuildRequires: ykclient-devel
-%endif
-
+Source0:        ftp://ftp.freeradius.org/pub/radius/%{dist_base}.tar.bz2
+Source100:      radiusd.service
+Source102:      freeradius-logrotate
+Source103:      freeradius-pam-conf
+Source104:      freeradius-tmpfiles.conf
+Source105:      freeradius.sysusers
+Patch1:         freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
+Patch2:         freeradius-Use-system-crypto-policy-by-default.patch
+Patch3:         freeradius-bootstrap-create-only.patch
+Patch4:         freeradius-no-buildtime-cert-gen.patch
+Patch5:         freeradius-bootstrap-make-permissions.patch
+Patch6:         fix-error-for-expansion-of-macro-in-thread.h.patch
+BuildRequires:  autoconf
+BuildRequires:  gcc
+BuildRequires:  gdbm-devel
+BuildRequires:  libpcap-devel
+BuildRequires:  libtalloc-devel
+BuildRequires:  make
+BuildRequires:  net-snmp-devel
+BuildRequires:  net-snmp-utils
+BuildRequires:  openssl
+BuildRequires:  openssl-devel
+BuildRequires:  pam-devel
+BuildRequires:  pcre-devel
+BuildRequires:  readline-devel
+BuildRequires:  systemd-units
+BuildRequires:  zlib-devel
 # Require OpenSSL version we built with, or newer, to avoid startup failures
 # due to runtime OpenSSL version checks.
 Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
@ -74,16 +67,16 @@ be centralized, and minimizes the amount of re-configuration which has to be
 done when adding or deleting new users.

 %package doc
-Summary: FreeRADIUS documentation
+Summary:        FreeRADIUS documentation

 %description doc
 All documentation supplied by the FreeRADIUS project is included
 in this package.

 %package utils
-Summary: FreeRADIUS utilities
-Requires: %{name} = %{version}-%{release}
-Requires: libpcap >= 0.9.4
+Summary:        FreeRADIUS utilities
+Requires:       %{name} = %{version}-%{release}
+Requires:       libpcap >= 0.9.4

 %description utils
 The FreeRADIUS server has a number of features found in other servers,
@ -95,99 +88,92 @@ Support for RFC and VSA Attributes Additional server configuration
 attributes Selecting a particular configuration Authentication methods

 %package devel
-Summary: FreeRADIUS development files
-Requires: %{name} = %{version}-%{release}
+Summary:        FreeRADIUS development files
+Requires:       %{name} = %{version}-%{release}

 %description devel
 Development headers and libraries for FreeRADIUS.

 %package ldap
-Summary: LDAP support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: openldap-devel
+Summary:        LDAP support for freeradius
+BuildRequires:  openldap-devel
+Requires:       %{name} = %{version}-%{release}

 %description ldap
 This plugin provides the LDAP support for the FreeRADIUS server project.

 %package krb5
-Summary: Kerberos 5 support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: krb5-devel
+Summary:        Kerberos 5 support for freeradius
+BuildRequires:  krb5-devel
+Requires:       %{name} = %{version}-%{release}

 %description krb5
 This plugin provides the Kerberos 5 support for the FreeRADIUS server project.

 %package perl
-Summary: Perl support for freeradius
-Requires: %{name} = %{version}-%{release}
-Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Summary:        Perl support for freeradius
 %{?fedora:BuildRequires: perl-devel}
-BuildRequires: perl-devel
-BuildRequires: perl-generators
-BuildRequires: perl(ExtUtils::Embed)
+BuildRequires:  perl-devel
+BuildRequires:  perl-generators
+BuildRequires:  perl(ExtUtils::Embed)
+Requires:       %{name} = %{version}-%{release}
+Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))

 %description perl
 This plugin provides the Perl support for the FreeRADIUS server project.

 %package -n python3-freeradius
-Summary: Python 3 support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: python3-devel
+Summary:        Python 3 support for freeradius
 %{?python_provide:%python_provide python3-freeradius}
+BuildRequires:  python3-devel
+Requires:       %{name} = %{version}-%{release}

 %description -n python3-freeradius
 This plugin provides the Python 3 support for the FreeRADIUS server project.

 %package mysql
-Summary: MySQL support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: mariadb-connector-c-devel
+Summary:        MySQL support for freeradius
+BuildRequires:  mariadb-connector-c-devel
+Requires:       %{name} = %{version}-%{release}

 %description mysql
 This plugin provides the MySQL support for the FreeRADIUS server project.

 %package postgresql
-Summary: Postgresql support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: libpq-devel
+Summary:        Postgresql support for freeradius
+BuildRequires:  libpq-devel
+Requires:       %{name} = %{version}-%{release}

 %description postgresql
 This plugin provides the postgresql support for the FreeRADIUS server project.

 %package sqlite
-Summary: SQLite support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: sqlite-devel
+Summary:        SQLite support for freeradius
+BuildRequires:  sqlite-devel
+Requires:       %{name} = %{version}-%{release}

 %description sqlite
 This plugin provides the SQLite support for the FreeRADIUS server project.

 %package unixODBC
-Summary: Unix ODBC support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: unixODBC-devel
+Summary:        Unix ODBC support for freeradius
+BuildRequires:  unixODBC-devel
+Requires:       %{name} = %{version}-%{release}

 %description unixODBC
 This plugin provides the unixODBC support for the FreeRADIUS server project.

 %package rest
-Summary: REST support for freeradius
-Requires: %{name} = %{version}-%{release}
-BuildRequires: libcurl-devel
-BuildRequires: json-c-devel
+Summary:        REST support for freeradius
+BuildRequires:  json-c-devel
+BuildRequires:  libcurl-devel
+Requires:       %{name} = %{version}-%{release}

 %description rest
 This plugin provides the REST support for the FreeRADIUS server project.

 %prep
-%setup -q -n %{dist_base}
-# Note: We explicitly do not make patch backup files because 'make install'
-# mistakenly includes the backup files, especially problematic for raddb config files.
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+%autosetup -p1 -n %{dist_base}

 %build
 # Force compile/link options, extra security for network facing daemon
@ -254,6 +240,7 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
 install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
+install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf

 # install SNMP MIB files
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
@ -328,24 +315,16 @@ EOF

 # Make sure our user/group is present prior to any package or subpackage installation
 %pre
-getent group  radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
-getent passwd radiusd >/dev/null || /usr/sbin/useradd  -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /usr/sbin/nologin radiusd > /dev/null 2>&1
-exit 0
+%sysusers_create_compat %{SOURCE105}

 %preun
 %systemd_preun radiusd.service

 %postun
 %systemd_postun_with_restart radiusd.service
-if [ $1 -eq 0 ]; then           # uninstall
-  getent passwd radiusd >/dev/null && /usr/sbin/userdel  radiusd > /dev/null 2>&1
-  getent group  radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
-fi
-exit 0

 /bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :

-
 %files

 # doc
@ -359,6 +338,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
 %{_unitdir}/radiusd.service
 %{_tmpfilesdir}/radiusd.conf
+%{_sysusersdir}/freeradius.conf
 %dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
 %dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
 %dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
@ -391,7 +371,7 @@ exit 0
 %dir %attr(770,root,radiusd) /etc/raddb/certs
 %config(noreplace) /etc/raddb/certs/Makefile
 %config(noreplace) /etc/raddb/certs/passwords.mk
-/etc/raddb/certs/README
+/etc/raddb/certs/README.md
 %config(noreplace) /etc/raddb/certs/xpextensions
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
 %attr(750,root,radiusd) /etc/raddb/certs/bootstrap
@ -405,6 +385,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/*
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/*
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh

 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter
@ -416,6 +397,8 @@ exit 0
 # sites-available
 %dir %attr(750,root,radiusd) /etc/raddb/sites-available
 /etc/raddb/sites-available/README
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/aws-nlb
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/resource-check
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/control-socket
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/decoupled-accounting
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
@ -437,8 +420,11 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/totp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/google-ldap-auth
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls-cache

 # sites-enabled
 # symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx
@ -452,7 +438,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache
-%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_auth
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui
@ -461,6 +447,9 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.example.com
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.log
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_files
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_passwd
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sqlippool
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/digest
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dynamic_clients
@ -474,6 +463,8 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/idn
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/inner-eap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ippool
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/json
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap_google
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/linelog
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/logintime
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2ip
@ -481,7 +472,6 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mschap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ntlm_auth
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/opendirectory
-%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/otp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pam
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
@ -498,9 +488,11 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/soh
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sometimes
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql_map
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlcounter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/totp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
@ -512,7 +504,6 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
 %config(missingok) /etc/raddb/mods-enabled/always
 %config(missingok) /etc/raddb/mods-enabled/attr_filter
-%config(missingok) /etc/raddb/mods-enabled/cache_eap
 %config(missingok) /etc/raddb/mods-enabled/chap
 %config(missingok) /etc/raddb/mods-enabled/date
 %config(missingok) /etc/raddb/mods-enabled/detail
@ -537,6 +528,7 @@ exit 0
 %config(missingok) /etc/raddb/mods-enabled/replicate
 %config(missingok) /etc/raddb/mods-enabled/soh
 %config(missingok) /etc/raddb/mods-enabled/sradutmp
+%config(missingok) /etc/raddb/mods-enabled/totp
 %config(missingok) /etc/raddb/mods-enabled/unix
 %config(missingok) /etc/raddb/mods-enabled/unpack
 %config(missingok) /etc/raddb/mods-enabled/utf8
@ -585,7 +577,6 @@ exit 0
 %{_libdir}/freeradius/rlm_cache_rbtree.so
 %{_libdir}/freeradius/rlm_chap.so
 %{_libdir}/freeradius/rlm_counter.so
-%{_libdir}/freeradius/rlm_cram.so
 %{_libdir}/freeradius/rlm_date.so
 %{_libdir}/freeradius/rlm_detail.so
 %{_libdir}/freeradius/rlm_dhcp.so
@ -594,7 +585,6 @@ exit 0
 %{_libdir}/freeradius/rlm_eap.so
 %{_libdir}/freeradius/rlm_eap_fast.so
 %{_libdir}/freeradius/rlm_eap_gtc.so
-%{_libdir}/freeradius/rlm_eap_leap.so
 %{_libdir}/freeradius/rlm_eap_md5.so
 %{_libdir}/freeradius/rlm_eap_mschapv2.so
 %{_libdir}/freeradius/rlm_eap_peap.so
@ -609,10 +599,10 @@ exit 0
 %{_libdir}/freeradius/rlm_expr.so
 %{_libdir}/freeradius/rlm_files.so
 %{_libdir}/freeradius/rlm_ippool.so
+%{_libdir}/freeradius/rlm_json.so
 %{_libdir}/freeradius/rlm_linelog.so
 %{_libdir}/freeradius/rlm_logintime.so
 %{_libdir}/freeradius/rlm_mschap.so
-%{_libdir}/freeradius/rlm_otp.so
 %{_libdir}/freeradius/rlm_pam.so
 %{_libdir}/freeradius/rlm_pap.so
 %{_libdir}/freeradius/rlm_passwd.so
@ -625,7 +615,9 @@ exit 0
 %{_libdir}/freeradius/rlm_sql.so
 %{_libdir}/freeradius/rlm_sqlcounter.so
 %{_libdir}/freeradius/rlm_sqlippool.so
+%{_libdir}/freeradius/rlm_sql_map.so
 %{_libdir}/freeradius/rlm_sql_null.so
+%{_libdir}/freeradius/rlm_totp.so
 %{_libdir}/freeradius/rlm_unix.so
 %{_libdir}/freeradius/rlm_unpack.so
 %{_libdir}/freeradius/rlm_utf8.so
@ -633,31 +625,33 @@ exit 0
 %{_libdir}/freeradius/rlm_yubikey.so

 # main man pages
-%doc %{_mandir}/man5/clients.conf.5.gz
-%doc %{_mandir}/man5/dictionary.5.gz
-%doc %{_mandir}/man5/radiusd.conf.5.gz
-%doc %{_mandir}/man5/radrelay.conf.5.gz
-%doc %{_mandir}/man5/rlm_always.5.gz
-%doc %{_mandir}/man5/rlm_attr_filter.5.gz
-%doc %{_mandir}/man5/rlm_chap.5.gz
-%doc %{_mandir}/man5/rlm_counter.5.gz
-%doc %{_mandir}/man5/rlm_detail.5.gz
-%doc %{_mandir}/man5/rlm_digest.5.gz
-%doc %{_mandir}/man5/rlm_expr.5.gz
-%doc %{_mandir}/man5/rlm_files.5.gz
-%doc %{_mandir}/man5/rlm_idn.5.gz
-%doc %{_mandir}/man5/rlm_mschap.5.gz
-%doc %{_mandir}/man5/rlm_pap.5.gz
-%doc %{_mandir}/man5/rlm_passwd.5.gz
-%doc %{_mandir}/man5/rlm_realm.5.gz
-%doc %{_mandir}/man5/rlm_sql.5.gz
-%doc %{_mandir}/man5/rlm_unix.5.gz
-%doc %{_mandir}/man5/unlang.5.gz
-%doc %{_mandir}/man5/users.5.gz
-%doc %{_mandir}/man8/raddebug.8.gz
-%doc %{_mandir}/man8/radiusd.8.gz
-%doc %{_mandir}/man8/radmin.8.gz
-%doc %{_mandir}/man8/radrelay.8.gz
+%{_mandir}/man5/clients.conf.5.gz
+%{_mandir}/man5/dictionary.5.gz
+%{_mandir}/man5/radiusd.conf.5.gz
+%{_mandir}/man5/radrelay.conf.5.gz
+%{_mandir}/man5/rlm_always.5.gz
+%{_mandir}/man5/rlm_attr_filter.5.gz
+%{_mandir}/man5/rlm_chap.5.gz
+%{_mandir}/man5/rlm_counter.5.gz
+%{_mandir}/man5/rlm_detail.5.gz
+%{_mandir}/man5/rlm_digest.5.gz
+%{_mandir}/man5/rlm_expr.5.gz
+%{_mandir}/man5/rlm_files.5.gz
+%{_mandir}/man5/rlm_idn.5.gz
+%{_mandir}/man5/rlm_mschap.5.gz
+%{_mandir}/man5/rlm_pap.5.gz
+%{_mandir}/man5/rlm_passwd.5.gz
+%{_mandir}/man5/rlm_realm.5.gz
+%{_mandir}/man5/rlm_sql.5.gz
+%{_mandir}/man5/rlm_unbound.5.gz
+%{_mandir}/man5/rlm_unix.5.gz
+%{_mandir}/man5/unlang.5.gz
+%{_mandir}/man5/users.5.gz
+%{_mandir}/man8/raddebug.8.gz
+%{_mandir}/man8/radiusd.8.gz
+%{_mandir}/man8/radmin.8.gz
+%{_mandir}/man8/radrelay.8.gz
+%{_mandir}/man8/rlm_sqlippool_tool.8.gz

 # MIB files
 %{_datadir}/snmp/mibs/*RADIUS*.mib
@ -666,7 +660,6 @@ exit 0

 %doc %{docdir}/

-
 %files utils
 /usr/bin/*

@ -711,6 +704,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/weeklycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf

@ -718,14 +712,49 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql

+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/schema.sql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/setup.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/schema.sql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/setup.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/schema.sql
+
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql

 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mssql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql

 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
@ -749,6 +778,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf

@ -777,6 +807,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf

@ -795,8 +826,9 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
-%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-close-after-reload.pl
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-new-data-usage-period.sh

 %{_libdir}/freeradius/rlm_sql_sqlite.so

@ -812,6 +844,14 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Tue Sep 05 2023 Archana Choudhary <archana1@microsoft.com> - 3.2.3-1
+- Upgrade to 3.2.3
+- Address CVE-2022-41860, CVE-2022-41861
+- Update Patch2 & Patch4
+- Add Patch6 to address build error
+- Add Source105 for user management during installation
+- License verified
+
 * Fri Apr 30 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.0.21-9
 - Making binaries paths compatible with CBL-Mariner's paths.

@ -1291,7 +1331,6 @@ exit 0
    config test on restart.
  * Added cache config item to rlm_krb5. When set to "no" ticket
    caching is disabled which may increase performance.
-
  Bug fixes
  * Fix CVE-2012-3547.  All users of 2.1.10, 2.1.11, 2.1.12,
    and 802.1X should upgrade immediately.
@ -1411,7 +1450,6 @@ exit 0
    radclient continues to be more flexible.
  * Updated Oracle schema and queries
  * Added SecurID module.  See src/modules/rlm_securid/README
-
  Bug fixes
  * Fix memory leak in rlm_detail
  * Fix "failed to insert event"
@ -1485,7 +1523,6 @@ exit 0
    "foo", "authorize" method.
  * Produce errors in more situations when the configuration files
    have invalid syntax.
-
  Bug fixes
  * Ignore pre/post-proxy sections if proxying is disabled
  * Add configure checks for pcap_fopen*.
@ -1631,7 +1668,6 @@ exit 0
    in sql{} section.
  * Added %%{tolower: ...string ... }, which returns the lowercase
    version of the string.  Also added %%{toupper: ... } for uppercase.
-
  Bug fixes
  * Fix endless loop when there are multiple sub-options for
    DHCP option 82.
@ -1748,7 +1784,6 @@ exit 0
  * Added documentation for CoA.  See raddb/sites-available/coa
  * Add sub-option support for Option 82.  See dictionary.dhcp
  * Add "server" field to default SQL NAS table, and documented it.
-
  Bug fixes
  * Reset "received ping" counter for Status-Server checks.  In some
    corner cases it was not getting reset.
@ -1834,7 +1869,6 @@ exit 0
  * Allow accounting packets to be written to a detail file, even
    if they were read from a different detail file.
  * Added OpenSSL license exception (src/LICENSE.openssl)
-
  Bug fixes
  * DHCP sockets can now set the broadcast flag before binding to a
    socket.  You need to set "broadcast = yes" in the DHCP listener.
@ -2086,7 +2120,6 @@ exit 0
    * Remove macro that was causing build issues on some platforms.
    * Fixed issues with dead home servers.  Bug noted by Chris Moules.
    * Fixed "access after free" with some dynamic clients.
-
 - fix packaging bug, some directories missing execute permission
  /etc/raddb/dictionary now readable by all.

--- a/SPECS-EXTENDED/freeradius/freeradius.sysusers
+++ b/SPECS-EXTENDED/freeradius/freeradius.sysusers
@ -0,0 +1,3 @@
+#Type Name     ID  GECOS           Home directory        Shell
+u     radiusd  95  "radiusd user"  /var/lib/radiusd      /sbin/nologin
+g     radiusd  95  -               -                     -
--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -3920,8 +3920,8 @@
        "type": "other",
        "other": {
          "name": "freeradius",
-          "version": "3.0.21",
-          "downloadUrl": "ftp://ftp.freeradius.org/pub/radius/freeradius-server-3.0.21.tar.bz2"
+          "version": "3.2.3",
+          "downloadUrl": "ftp://ftp.freeradius.org/pub/radius/freeradius-server-3.2.3.tar.bz2"
        }
      }
    },
@ -30887,4 +30887,4 @@
    }
  ],
  "Version": 1
-}
+}