PacketFence 15.1 Released

New Features

Enhancements

• Upgrade to Caddy 2.11 (with bundled CoreDNS update) (#8961)
• Tweak API restart timing to wait for the API to be ready (#9053)
• Rename “Azure Active Directory”/“Azure” to “Microsoft Entra ID”/“Entra ID” in documentation (#9048)
• Update Go to 1.25.5 (#8856)
• Migrated Perl report/dynamic_report endpoint to Go — adds endpoint scaffolding and dev docs (#8843)
• pfdhcp performance optimizations — fixes race conditions, goroutine leaks, missing error checks (#8803)
• ProxySQL master/slave — multi-backend with read/write hostgroups for failover (#8931)
• Faster loading of the switch page — role list virtualization and iterative pagination (#9009)
• Optimize bulk_update for roles by reusing form and config store (#9001)
• Fingerbank settings: single bulk_update PATCH replaces per-section loop (#9034)
• Default parent role configurable via advanced.default_role_parent_id (#9011)
• Add switch_id to locationlog and locationlog_history (#8904)
• Reduce memory usage on role creation; respawn worker if memory > 1GB (#8947)
• Reduce time in cache between Fingerbank lookups when API is unavailable (#8829)
• Better UniFi controller detection using cookie-based reconnect (#8908)
• Install Inverse GPG key during upgrade script (#8825)
• Development support for Debian 12 — auto-install Node.js, prerequisite checks, idempotent setup script (#8805)
• Cloud connector UI — install commands and updated hostname/install script (#9030)
• Selective test execution in GitLab CI via the TEST_ONLY variable (#8857)
• Virtualswitch-based Venom acceptance test suites — new venom executors, CI jobs, Ansible scenarios (#8907)
• Generate switch summary as JSON for new PacketFence site CI flow (#8928)
• Documentation overhaul — PF-by-Akamai references, app.css for HTML, Instrument Sans for PDF (#8944)
• Pin clean-css-cli to skip npx confirmation when building documentation styles (#9015)
• Include Triggers parameters in admin UI (#8885)
• Use sharedutils.IsEnabled for consistency in Go services (#8892)
• Test whether a User or Machine AD account is disabled — escape LDAP username, support bitwise filter operators (#8971)
• Fingerbank data moved into the main PacketFence repo (#7994)
• Update copyright headers for the new year (#8886)
• Avoid unnecessary calls to the fingerbank api (#9046)

Bug Fixes

• Fix parent_id semantics across role create, update, and admin UI — distinguish payload-omitted vs explicit-null (#9029)
• Fix duplicate IP addresses returned from the pfdhcp pool (#9043)
• Fix CoA timeouts when deauth is tunneled via pfconnector — omit LocalAddr on the connector path so the kernel picks the correct source IP (#9049)
• EntraID source: fix device group lookup that stopped working since 15.x (#9044, #8812)
• Reject empty or unparseable CA certificate on save to prevent RADIUS EAP from silently breaking (#9042)
• Fix SSO portaltoken validation — use HttpdPortal URL and add X-Forwarded-For-PacketFence header (#8962, #8951)
• Security event purge: batch by 100 nodes and fix SQL syntax (#8740, #7293)
• Install tcpdump for Go unit tests on EL8 (#8981, #8978)
• Remove extra ports for management interface in iptables (#8946, #8945)
• Fix _unitFileExists() for Docker via systemctl show; fix log string interpolation (#8939)
• Use legacy GPG key for Samba 4.16 deployment in Vagrant (#8926, #8925)
• Fix NTLM auth API service stop in Venom — use systemctl with graceful monitor shutdown (#8912)
• Fix ProxySQL crash — calculate endBucket Go-side to avoid unsupported SQL (#8893, #8887)
• Fix log levels in Go services — configstore, pfacct, pfconnector (#8884)
• Replace %mgmtip% tag with the management interface IP in the Kafka pfconfig resource (#8882)
• VLAN filter: return true when there is no condition (#8869, #8842)
• Use the same method everywhere to find the next certificate serial number, in a transaction (#8868, #8855)
• Queue ansible configuration generation job to avoid delay (#8866)
• Move pfconnector installation to its own preseed file (#8865, #8702)
• More advanced filter to catch the DHCP packet (#8858)
• Fix pfflow job hanging when Kafka is unresponsive at startup (#8849)
• Fix portal preview in cloud — env-driven config, drop pf-apache-wrapper (#8838)
• Only manage systemd units starting with packetfence-xyz.services (#8834)
• Remove duplicate scroll handler on material page search (#8833, #8832)
• Retry Kafka connection until Kafka is up and running (#8824)
• Allow fingerbank-collector port through iptables on RADIUS interfaces (#8820)
• Fix ISO build — update to latest Debian 12, move PF repo setup to a script (#8819, #8817)
• Fix table view when reloading in the middle of a page (#8807)
• Ensure /usr/local/pf/conf/system_init_key is created in package preinst (#8571)
• Fixes for OpenAPI spec — missing $ref, ConfigInterfaceVlan (#8840)

Security Updates

• Bump github.com/coredns/coredns from 1.14.1 to 1.14.3 (#8942, #9028)
• Bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.2 (#9006, #9018)
• Bump github.com/smallstep/certificates from 0.26.1 to 0.30.0 (#8848, #8954)
• Bump google.golang.org/grpc from 1.79.1 to 1.79.3 (#8953)
• Bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 (#8956)
• Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#8990)
• Bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#8989)
• Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#8993)
• Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.40.0 to 1.43.0 (#8992)
• Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.40.0 to 1.43.0 (#8994)
• Bump go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp from 0.16.0 to 0.19.0 (#8991)
• Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#8927)