0001-Doc-Mark-RADIUS-deprecated.patch
application/x-patch
Filename: 0001-Doc-Mark-RADIUS-deprecated.patch
Type: application/x-patch
Part: 0
Message:
Time to drop RADIUS support?
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: format-patch
Series: patch 0001
Subject: Doc: Mark RADIUS deprecated.
| File | + | − |
|---|---|---|
| doc/src/sgml/client-auth.sgml | 9 | 0 |
From d341857e92f65eb1911721b0056428633233b275 Mon Sep 17 00:00:00 2001
From: Thomas Munro <thomas.munro@gmail.com>
Date: Fri, 23 Jan 2026 14:23:53 +1300
Subject: [PATCH 1/3] Doc: Mark RADIUS deprecated.
RADIUS support will be dropped in master. It was never updated for
RADIUS/TLS or the MessageAuthenticator attribute that mitigates against
the Blast-RADIUS vulnerability, though PostgreSQL is thought to be
accidentally resistant because of its short timeout. The authors
recommend avoiding RADIUS/UDP completely, and a draft RFC[1] is in the
process of formalizing that.
[1] https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
Backpatch-through: 14
Reviewed-by:
Discussion:
---
doc/src/sgml/client-auth.sgml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index a347ee18980..00cf882a73f 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2110,6 +2110,15 @@ host ... ldap ldapbasedn="dc=example,dc=net"
the user name/password pairs. Therefore the user must already
exist in the database before RADIUS can be used for
authentication.
+ <note>
+ <para>
+ Only the obsolete RADIUS/UDP protocol is supported. This
+ implementation does not provide the Message-Authenticator
+ attribute, which may be required by modern RADIUS servers.
+ RADIUS/UDP should be considered insecure and deprecated, and
+ will be removed in a future release.
+ </para>
+ </note>
</para>
<para>
--
2.52.0