0001-Doc-Mark-RADIUS-deprecated.patch

application/x-patch

Filename: 0001-Doc-Mark-RADIUS-deprecated.patch
Type: application/x-patch
Part: 0
Message: Time to drop RADIUS support?

Patch

Same data as JSON: GET /api/v1/attachments/:id/patch the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes. API reference →
Format: format-patch
Series: patch 0001
Subject: Doc: Mark RADIUS deprecated.
File+
doc/src/sgml/client-auth.sgml 9 0
From d341857e92f65eb1911721b0056428633233b275 Mon Sep 17 00:00:00 2001
From: Thomas Munro <thomas.munro@gmail.com>
Date: Fri, 23 Jan 2026 14:23:53 +1300
Subject: [PATCH 1/3] Doc: Mark RADIUS deprecated.

RADIUS support will be dropped in master.  It was never updated for
RADIUS/TLS or the MessageAuthenticator attribute that mitigates against
the Blast-RADIUS vulnerability, though PostgreSQL is thought to be
accidentally resistant because of its short timeout.  The authors
recommend avoiding RADIUS/UDP completely, and a draft RFC[1] is in the
process of formalizing that.

[1] https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/

Backpatch-through: 14
Reviewed-by:
Discussion:
---
 doc/src/sgml/client-auth.sgml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index a347ee18980..00cf882a73f 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2110,6 +2110,15 @@ host ... ldap ldapbasedn="dc=example,dc=net"
     the user name/password pairs. Therefore the user must already
     exist in the database before RADIUS can be used for
     authentication.
+    <note>
+     <para>
+      Only the obsolete RADIUS/UDP protocol is supported.  This
+      implementation does not provide the Message-Authenticator
+      attribute, which may be required by modern RADIUS servers.
+      RADIUS/UDP should be considered insecure and deprecated, and
+      will be removed in a future release.
+     </para>
+    </note>
    </para>
 
    <para>
-- 
2.52.0