import pki-core-11.5.0-2.el9_4

7 months ago · 1fffbab9e0
parent 1f24dcddd4
commit 1fffbab9e0
4 changed files with 351 additions and 90 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/pki-11.4.2.tar.gz
+SOURCES/pki-11.5.0.tar.gz
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@ -1 +1 @@
-c996e98959bdde7fed60591d2a86e1812392ab19 SOURCES/pki-11.4.2.tar.gz
+dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz
--- a/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
+++ b/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
@ -0,0 +1,60 @@
 From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
 Date: Mon, 11 Sep 2023 15:40:32 -0500
 Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
 Previously the LDAPSecurityDomainSessionTable.sessionExists()
 and getStringValue() were using user-provided session ID as
 is in an LDAP filter which could be exploited to bypass token
 authentication.
 To fix the problem the code has been modified to escape all
 special characters in the session ID before using it in the
 LDAP filter.
 Resolves: CVE-2023-4727
 ---
 .../session/LDAPSecurityDomainSessionTable.java     | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
 diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
 index 7691a98a40..fb627b88cb 100644
 --- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
 +++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 +import com.netscape.cmsutil.ldap.LDAPUtil;
 import netscape.ldap.LDAPAttribute;
 import netscape.ldap.LDAPAttributeSet;
@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
         try {
             String basedn = ldapConfig.getBaseDN();
             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
 -            String filter = "(cn=" + sessionId + ")";
 +
 +            // CVE-2023-4727
 +            // escape session ID in LDAP search filter
 +            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
 +
             String[] attrs = { "cn" };
             conn = mLdapConnFactory.getConn();
@@ -254,7 +259,11 @@ public class LDAPSecurityDomainSessionTable
         try {
             String basedn = ldapConfig.getBaseDN();
             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
 -            String filter = "(cn=" + sessionId + ")";
 +
 +            // CVE-2023-4727
 +            // escape session ID in LDAP search filter
 +            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
 +
             String[] attrs = { attr };
             conn = mLdapConnFactory.getConn();
 -- 
 2.42.0
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@ -8,13 +8,13 @@ Name:             pki-core
 # Upstream version number:
 %global           major_version 11
-%global           minor_version 4
+%global           minor_version 5
-%global           update_version 2
+%global           update_version 0
 # Downstream release number:
 # - development/stabilization (unsupported): 0.<n> where n >= 1
 # - GA/update (supported): <n> where n >= 1
-%global           release_number 1
+%global           release_number 2
 # Development phase:
 # - development (unsupported): alpha<n> where n >= 1
@ -28,7 +28,7 @@ Name:             pki-core
 Summary:          %{product_name} Package
 URL:              https://www.dogtagpki.org
 # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
-License:          GPLv2 and LGPLv2
+License:          GPL-2.0-only and LGPL-2.0-only
 Version:          %{major_version}.%{minor_version}.%{update_version}
 Release:          %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist}
@ -46,8 +46,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase}
 #     <version tag> \
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 Patch: 0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
-%if 0%{?fedora} && 0%{?fedora} > 35
+%if 0%{?java_arches:1}
 ExclusiveArch: %{java_arches}
 %else
 ExcludeArch: i686
@ -59,12 +60,6 @@ ExcludeArch: i686
 %global p11_kit_trust /usr/lib64/pkcs11/p11-kit-trust.so
 ################################################################################
 # Python
 ################################################################################
 %global python_executable /usr/bin/python3
 ################################################################################
 # Java
 ################################################################################
@ -87,6 +82,8 @@ ExcludeArch: i686
 %bcond_without test
 # Build the package unless --without <package> is specified.
 # For idm-pki do not build the following packages:
 # ocsp, tks, tps, javadoc, theme, tests, debug
 %bcond_without base
 %bcond_without server
@ -94,18 +91,17 @@ ExcludeArch: i686
 %bcond_without ca
 %bcond_without est
 %bcond_without kra
 # Do not build the following packages for pki-core.
 %bcond_with console
 %bcond_with ocsp
 %bcond_with tks
 %bcond_with tps
 %bcond_with javadoc
 %bcond_with theme
-%bcond_with meta
+%bcond_without meta
 %bcond_with tests
-%bcond_with debug
+%bcond_without debug
 # Don't build console unless --with console is specified.
 %bcond_with console
 %if ! %{with debug}
 %define debug_package %{nil}
@ -152,17 +148,7 @@ BuildRequires:    make
 BuildRequires:    cmake >= 3.0.2
 BuildRequires:    gcc-c++
 BuildRequires:    zip
 BuildRequires:    %{java_devel}
 BuildRequires:    javapackages-tools
 BuildRequires:    apache-commons-cli
 BuildRequires:    apache-commons-codec
 BuildRequires:    apache-commons-io
 BuildRequires:    apache-commons-lang3 >= 3.2
 BuildRequires:    apache-commons-logging
 BuildRequires:    apache-commons-net
 BuildRequires:    slf4j
 BuildRequires:    slf4j-jdk14
 BuildRequires:    nspr-devel
 BuildRequires:    nss-devel >= 3.36.1
@ -184,21 +170,23 @@ BuildRequires:    mvn(org.apache.commons:commons-lang3)
 BuildRequires:    mvn(commons-logging:commons-logging)
 BuildRequires:    mvn(commons-net:commons-net)
 BuildRequires:    mvn(org.slf4j:slf4j-api)
-BuildRequires:    mvn(org.slf4j:slf4j-jdk14)
+BuildRequires:    mvn(xml-apis:xml-apis)
-BuildRequires:    mvn(junit:junit)
+BuildRequires:    mvn(xml-resolver:xml-resolver)
-BuildRequires:    pki-resteasy >= 3.0.26
+BuildRequires:    mvn(org.junit.jupiter:junit-jupiter-api)
-BuildRequires:    jss = 5.4
+BuildRequires:    mvn(org.jboss.resteasy:resteasy-client)
-BuildRequires:    tomcatjss = 8.4
+BuildRequires:    mvn(org.jboss.resteasy:resteasy-jackson2-provider)
-BuildRequires:    ldapjdk = 5.4
+BuildRequires:    mvn(org.jboss.resteasy:resteasy-jaxrs)
-
+BuildRequires:    mvn(org.jboss.resteasy:resteasy-servlet-initializer)
-%if 0%{?rhel} && ! 0%{?eln}
+BuildRequires:    mvn(org.apache.tomcat:tomcat-catalina) >= 9.0.62
-BuildRequires:    pki-servlet-engine >= 9.0.31
+BuildRequires:    mvn(org.apache.tomcat:tomcat-servlet-api) >= 9.0.62
-%else
+BuildRequires:    mvn(org.apache.tomcat:tomcat-jaspic-api) >= 9.0.62
-BuildRequires:    tomcat >= 1:9.0.31
+BuildRequires:    mvn(org.apache.tomcat:tomcat-util-scan) >= 9.0.62
-%endif
+BuildRequires:    mvn(org.dogtagpki.jss:jss-base) >= 5.5.0
 BuildRequires:    mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0
 BuildRequires:    mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0
 # Python build dependencies
-BuildRequires:    python3 >= 3.9
+BuildRequires:    python3 >= 3.6
 BuildRequires:    python3-devel
 BuildRequires:    python3-setuptools
 BuildRequires:    python3-cryptography
@ -269,26 +257,69 @@ Obsoletes:        pki-console < %{version}
 Obsoletes:        pki-console-theme < %{version}
 Obsoletes:        idm-console-framework < 2.0
-# Make certain that this 'meta' package requires the latest version(s)
+%if %{with base}
-# of ALL PKI theme packages
+Requires:         %{product_id}-base = %{version}-%{release}
-Requires:         %{product_id}-theme = %{version}-%{release}
+Requires:         python3-%{product_id} = %{version}-%{release}
 Requires:         %{product_id}-java = %{version}-%{release}
 Requires:         %{product_id}-tools = %{version}-%{release}
 %endif
-# Make certain that this 'meta' package requires the latest version(s)
+%if %{with server}
-# of ALL PKI core packages
+Requires:         %{product_id}-server = %{version}-%{release}
 %endif
 %if %{with acme}
 Requires:         %{product_id}-acme = %{version}-%{release}
 %endif
 %if %{with ca}
 Requires:         %{product_id}-ca = %{version}-%{release}
 %endif
 %if %{with est}
 Requires:         %{product_id}-est = %{version}-%{release}
 %endif
 %if %{with kra}
 Requires:         %{product_id}-kra = %{version}-%{release}
 %endif
 %if %{with ocsp}
 Requires:         %{product_id}-ocsp = %{version}-%{release}
 %endif
 %if %{with tks}
 Requires:         %{product_id}-tks = %{version}-%{release}
 %endif
 %if %{with tps}
 Requires:         %{product_id}-tps = %{version}-%{release}
 %endif
 %if %{with javadoc}
 Requires:         %{product_id}-javadoc = %{version}-%{release}
 %endif
 %if %{with console}
 Requires:         %{product_id}-console = %{version}-%{release}
 %endif
 %if %{with theme}
 Requires:         %{product_id}-theme = %{version}-%{release}
 %if %{with console}
 Requires:         %{product_id}-console-theme = %{version}-%{release}
 %endif
 %endif
 %if %{with tests}
 Requires:         %{product_id}-tests = %{version}-%{release}
 %endif
 # Make certain that this 'meta' package requires the latest version(s)
 # of ALL PKI clients -- except for s390/s390x where 'esc' is not built
 # and for idm-pki.
 %ifnarch s390 s390x
-Requires:         esc >= 1.1.1
+#Requires:         esc >= 1.1.1
 %endif
 # description for top-level package (unless there is a separate meta package)
@ -354,7 +385,7 @@ Provides:         pki-base-python3 = %{version}-%{release}
 %{?python_provide:%python_provide python3-pki}
 Requires:         %{product_id}-base = %{version}-%{release}
-Requires:         python3 >= 3.9
+Requires:         python3 >= 3.6
 Requires:         python3-cryptography
 Requires:         python3-ldap
 Requires:         python3-lxml
@ -386,10 +417,12 @@ Requires:         mvn(commons-logging:commons-logging)
 Requires:         mvn(commons-net:commons-net)
 Requires:         mvn(org.slf4j:slf4j-api)
 Requires:         mvn(org.slf4j:slf4j-jdk14)
-Requires:         jss = 5.4
+Requires:         mvn(org.jboss.resteasy:resteasy-client)
-Requires:         ldapjdk = 5.4
+Requires:         mvn(org.jboss.resteasy:resteasy-jackson2-provider)
 Requires:         mvn(org.jboss.resteasy:resteasy-jaxrs)
 Requires:         mvn(org.dogtagpki.jss:jss-base) >= 5.5.0
 Requires:         mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0
 Requires:         %{product_id}-base = %{version}-%{release}
 Requires:         pki-resteasy >= 3.0.26
 %description -n   %{product_id}-java
 This package provides common and client libraries for Java.
@ -441,6 +474,8 @@ Requires:         openldap-clients
 Requires:         openssl
 Requires:         %{product_id}-tools = %{version}-%{release}
 Requires:         %{java_devel}
 Requires:         keyutils
 Requires:         policycoreutils-python-utils
@ -451,17 +486,14 @@ Requires:         python3-policycoreutils
 Requires:         selinux-policy-targeted >= 3.13.1-159
-%if 0%{?rhel} && ! 0%{?eln}
+Requires:         mvn(org.jboss.resteasy:resteasy-servlet-initializer)
-Requires:         pki-servlet-engine >= 9.0.31
+Requires:         tomcat >= 1:9.0.62
-%else
+Requires:         mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0
 Requires:         tomcat >= 1:9.0.31
 %endif
 Requires:         systemd
 Requires(post):   systemd-units
 Requires(postun): systemd-units
 Requires(pre):    shadow-utils
 Requires:         tomcatjss = 8.4
 # pki-healthcheck depends on the following library
 %if 0%{?rhel}
@ -734,12 +766,12 @@ This package provides %{product_name} API documentation.
 Summary:          %{product_name} Console Package
 BuildArch:        noarch
-BuildRequires:    idm-console-framework >= 2.0
+BuildRequires:    mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0
 Obsoletes:        pki-console < %{version}-%{release}
 Provides:         pki-console = %{version}-%{release}
-Requires:         idm-console-framework >= 2.0
+Requires:         mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0
 Requires:         %{product_id}-java = %{version}-%{release}
 Requires:         %{product_id}-console-theme = %{version}-%{release}
@ -763,6 +795,14 @@ Provides:         pki-server-theme = %{version}-%{release}
 Obsoletes:        %{product_id}-server-theme < %{version}-%{release}
 Provides:         %{product_id}-server-theme = %{version}-%{release}
 %if 0%{?fedora} > 38
 BuildRequires:    fontawesome4-fonts-web
 Requires:         fontawesome4-fonts-web
 %else
 BuildRequires:    fontawesome-fonts-web
 Requires:         fontawesome-fonts-web
 %endif
 # Ensure we end up with a useful installation
 Conflicts:        pki-base < %{version}
 Conflicts:        pki-javadoc < %{version}
@ -822,6 +862,91 @@ This package provides test suite for %{product_name}.
 %autosetup -n pki-%{version}%{?phase:-}%{?phase} -p 1
 %if ! %{with base}
 %pom_disable_module common base
 %pom_disable_module tools base
 %endif
 %if ! %{with server}
 %pom_disable_module tomcat base
 %pom_disable_module tomcat-9.0 base
 %pom_disable_module server base
 %pom_disable_module server-webapp base
 %endif
 %if ! %{with ca}
 %pom_disable_module ca base
 %endif
 %if ! %{with kra}
 %pom_disable_module kra base
 %endif
 %if ! %{with ocsp}
 %pom_disable_module ocsp base
 %endif
 %if ! %{with tks}
 %pom_disable_module tks base
 %endif
 %if ! %{with tps}
 %pom_disable_module tps base
 %endif
 %if ! %{with acme}
 %pom_disable_module acme base
 %endif
 %if ! %{with est}
 %pom_disable_module est base
 %endif
 %if ! %{with console}
 %pom_disable_module console base
 %endif
 # flatten-maven-plugin is not available in RPM
 %pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin
 # specify Maven artifact locations
 %mvn_file org.dogtagpki.pki:pki-common            pki/pki-common
 %mvn_file org.dogtagpki.pki:pki-tools             pki/pki-tools
 %mvn_file org.dogtagpki.pki:pki-server            pki/pki-server
 %mvn_file org.dogtagpki.pki:pki-server-webapp     pki/pki-server-webapp
 %mvn_file org.dogtagpki.pki:pki-tomcat            pki/pki-tomcat
 %mvn_file org.dogtagpki.pki:pki-tomcat-9.0        pki/pki-tomcat-9.0
 %mvn_file org.dogtagpki.pki:pki-ca                pki/pki-ca
 %mvn_file org.dogtagpki.pki:pki-kra               pki/pki-kra
 %mvn_file org.dogtagpki.pki:pki-ocsp              pki/pki-ocsp
 %mvn_file org.dogtagpki.pki:pki-tks               pki/pki-tks
 %mvn_file org.dogtagpki.pki:pki-tps               pki/pki-tps
 %mvn_file org.dogtagpki.pki:pki-acme              pki/pki-acme
 %mvn_file org.dogtagpki.pki:pki-est               pki/pki-est
 %if %{with console}
 %mvn_file org.dogtagpki.pki:pki-console           pki/pki-console
 %endif
 # specify Maven artifact packages
 %mvn_package org.dogtagpki.pki:pki-common         pki-java
 %mvn_package org.dogtagpki.pki:pki-tools          pki-tools
 %mvn_package org.dogtagpki.pki:pki-server         pki-server
 %mvn_package org.dogtagpki.pki:pki-server-webapp  pki-server
 %mvn_package org.dogtagpki.pki:pki-tomcat         pki-server
 %mvn_package org.dogtagpki.pki:pki-tomcat-9.0     pki-server
 %mvn_package org.dogtagpki.pki:pki-ca             pki-ca
 %mvn_package org.dogtagpki.pki:pki-kra            pki-kra
 %mvn_package org.dogtagpki.pki:pki-ocsp           pki-ocsp
 %mvn_package org.dogtagpki.pki:pki-tks            pki-tks
 %mvn_package org.dogtagpki.pki:pki-tps            pki-tps
 %mvn_package org.dogtagpki.pki:pki-acme           pki-acme
 %mvn_package org.dogtagpki.pki:pki-est            pki-est
 %if %{with console}
 %mvn_package org.dogtagpki.pki:pki-console        pki-console
 %endif
 ################################################################################
 %build
 ################################################################################
@ -830,6 +955,61 @@ This package provides test suite for %{product_name}.
 # (see /usr/lib/rpm/macros.d/macros.cmake)
 %set_build_flags
 export JAVA_HOME=%{java_home}
 # build Java binaries and run unit tests with Maven
 %mvn_build %{!?with_test:-f} -j
 # create links to Maven-built JAR files for CMake
 mkdir -p %{_vpath_builddir}/dist
 pushd %{_vpath_builddir}/dist
 %if %{with base}
 ln -sf ../../base/common/target/pki-common.jar
 ln -sf ../../base/tools/target/pki-tools.jar
 %endif
 %if %{with server}
 ln -sf ../../base/tomcat/target/pki-tomcat.jar
 ln -sf ../../base/tomcat-9.0/target/pki-tomcat-9.0.jar
 ln -sf ../../base/server/target/pki-server.jar
 ln -sf ../../base/server-webapp/target/pki-server-webapp.jar
 %endif
 %if %{with ca}
 ln -sf ../../base/ca/target/pki-ca.jar
 %endif
 %if %{with kra}
 ln -sf ../../base/kra/target/pki-kra.jar
 %endif
 %if %{with ocsp}
 ln -sf ../../base/ocsp/target/pki-ocsp.jar
 %endif
 %if %{with tks}
 ln -sf ../../base/tks/target/pki-tks.jar
 %endif
 %if %{with tps}
 ln -sf ../../base/tps/target/pki-tps.jar
 %endif
 %if %{with acme}
 ln -sf ../../base/acme/target/pki-acme.jar
 %endif
 %if %{with est}
 ln -sf ../../base/est/target/pki-est.jar
 %endif
 %if %{with console}
 ln -sf ../../base/console/target/pki-console.jar
 %endif
 popd
 # Remove all symbol table and relocation information from the executable.
 C_FLAGS="-s"
@ -865,6 +1045,7 @@ pkgs=base\
 %{?with_tests:,tests}\
 %{?with_debug:,debug}
 # build PKI console, Javadoc, and native binaries with CMake
 ./build.sh \
    %{?_verbose:-v} \
    --product-name="%{product_name}" \
@ -885,15 +1066,20 @@ pkgs=base\
    --unit-dir=%{_unitdir} \
    --python=%{python3} \
    --python-dir=%{python3_sitelib} \
    --without-java \
    --with-pkgs=$pkgs \
    %{?with_console:--with-console} \
-    %{!?with_test:--without-test} \
+    --without-test \
    dist
 ################################################################################
 %install
 ################################################################################
 # install Java binaries
 %mvn_install
 # install PKI console, Javadoc, and native binaries
 ./build.sh \
    %{?_verbose:-v} \
    --work-dir=%{_vpath_builddir} \
@ -952,16 +1138,36 @@ then
    systemctl daemon-reload
 fi
 # Update the fapolicy rules for each PKI server instance
 for instance in $(ls /var/lib/pki)
 do
    target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"
    sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
        /usr/share/pki/server/etc/fapolicy.rules \
        > $target
    chown root:fapolicyd $target
    chmod 644 $target
 done
 # Restart fapolicy daemon if it's active
 status=$(systemctl is-active fapolicyd)
 if [ "$status" = "active" ]
 then
    systemctl restart fapolicyd
 fi
 # with server
 %endif
 %if %{with meta}
 %if "%{name}" != "%{product_id}"
 ################################################################################
-%files -n %{product_id}
+%files -n %{product_id} -f .mfiles
 ################################################################################
 %else
-%files
+%files -f .mfiles
 %endif
 %doc %{_datadir}/doc/pki/README
@ -997,15 +1203,13 @@ fi
 %{_mandir}/man8/pki-upgrade.8.gz
 ################################################################################
-%files -n %{product_id}-java
+%files -n %{product_id}-java -f .mfiles-pki-java
 ################################################################################
 %license base/common/LICENSE
 %license base/common/LICENSE.LESSER
 %{_datadir}/pki/examples/java/
 %{_datadir}/pki/lib/*.jar
 %dir %{_javadir}/pki
 %{_javadir}/pki/pki-common.jar
 ################################################################################
 %files -n python3-%{product_id}
@ -1019,7 +1223,7 @@ fi
 %{python3_sitelib}/pki
 ################################################################################
-%files -n %{product_id}-tools
+%files -n %{product_id}-tools -f .mfiles-pki-tools
 ################################################################################
 %license base/tools/LICENSE
@ -1042,7 +1246,6 @@ fi
 %{_bindir}/CMCRevoke
 %{_bindir}/CMCSharedToken
 %{_bindir}/CRMFPopClient
 %{_bindir}/DRMTool
 %{_bindir}/ExtJoiner
 %{_bindir}/GenExtKeyUsage
 %{_bindir}/GenIssuerAltNameExt
@ -1056,10 +1259,8 @@ fi
 %{_bindir}/PrettyPrintCert
 %{_bindir}/PrettyPrintCrl
 %{_bindir}/TokenInfo
 %{_javadir}/pki/pki-tools.jar
 %{_datadir}/pki/tools/
 %{_datadir}/pki/lib/p11-kit-trust.so
 %{_libdir}/tps/libtps.so
 %{_mandir}/man1/AtoB.1.gz
 %{_mandir}/man1/AuditVerify.1.gz
 %{_mandir}/man1/BtoA.1.gz
@ -1067,7 +1268,6 @@ fi
 %{_mandir}/man1/CMCRequest.1.gz
 %{_mandir}/man1/CMCSharedToken.1.gz
 %{_mandir}/man1/CMCResponse.1.gz
 %{_mandir}/man1/DRMTool.1.gz
 %{_mandir}/man1/KRATool.1.gz
 %{_mandir}/man1/PrettyPrintCert.1.gz
 %{_mandir}/man1/PrettyPrintCrl.1.gz
@ -1097,7 +1297,7 @@ fi
 %if %{with server}
 ################################################################################
-%files -n %{product_id}-server
+%files -n %{product_id}-server -f .mfiles-pki-server
 ################################################################################
 %license base/common/THIRD_PARTY_LICENSES
@ -1126,8 +1326,6 @@ fi
 %dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
 %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
 %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
 %{_javadir}/pki/pki-server.jar
 %{_javadir}/pki/pki-tomcat.jar
 %dir %{_sharedstatedir}/pki
 %{_mandir}/man1/pkidaemon.1.gz
 %{_mandir}/man5/pki_default.cfg.5.gz
@ -1158,10 +1356,9 @@ fi
 %if %{with acme}
 ################################################################################
-%files -n %{product_id}-acme
+%files -n %{product_id}-acme -f .mfiles-pki-acme
 ################################################################################
 %{_javadir}/pki/pki-acme.jar
 %{_datadir}/pki/acme/
 # with acme
@ -1169,11 +1366,10 @@ fi
 %if %{with ca}
 ################################################################################
-%files -n %{product_id}-ca
+%files -n %{product_id}-ca -f .mfiles-pki-ca
 ################################################################################
 %license base/ca/LICENSE
 %{_javadir}/pki/pki-ca.jar
 %{_datadir}/pki/ca/
 # with ca
@ -1181,10 +1377,9 @@ fi
 %if %{with est}
 ################################################################################
-%files -n %{product_id}-est
+%files -n %{product_id}-est -f .mfiles-pki-est
 ################################################################################
 %{_javadir}/pki/pki-est.jar
 %{_datadir}/pki/est/
 # with est
@ -1192,11 +1387,10 @@ fi
 %if %{with kra}
 ################################################################################
-%files -n %{product_id}-kra
+%files -n %{product_id}-kra -f .mfiles-pki-kra
 ################################################################################
 %license base/kra/LICENSE
 %{_javadir}/pki/pki-kra.jar
 %{_datadir}/pki/kra/
 # with kra
@ -1204,11 +1398,10 @@ fi
 %if %{with ocsp}
 ################################################################################
-%files -n %{product_id}-ocsp
+%files -n %{product_id}-ocsp -f .mfiles-pki-ocsp
 ################################################################################
 %license base/ocsp/LICENSE
 %{_javadir}/pki/pki-ocsp.jar
 %{_datadir}/pki/ocsp/
 # with ocsp
@ -1216,11 +1409,10 @@ fi
 %if %{with tks}
 ################################################################################
-%files -n %{product_id}-tks
+%files -n %{product_id}-tks -f .mfiles-pki-tks
 ################################################################################
 %license base/tks/LICENSE
 %{_javadir}/pki/pki-tks.jar
 %{_datadir}/pki/tks/
 # with tks
@ -1228,11 +1420,10 @@ fi
 %if %{with tps}
 ################################################################################
-%files -n %{product_id}-tps
+%files -n %{product_id}-tps -f .mfiles-pki-tps
 ################################################################################
 %license base/tps/LICENSE
 %{_javadir}/pki/pki-tps.jar
 %{_datadir}/pki/tps/
 %{_mandir}/man5/pki-tps-connector.5.gz
 %{_mandir}/man5/pki-tps-profile.5.gz
@ -1252,12 +1443,11 @@ fi
 %if %{with console}
 ################################################################################
-%files -n %{product_id}-console
+%files -n %{product_id}-console -f .mfiles-pki-console
 ################################################################################
 %license base/console/LICENSE
 %{_bindir}/pkiconsole
 %{_javadir}/pki/pki-console.jar
 # with console
 %endif
@ -1269,6 +1459,8 @@ fi
 %license themes/%{theme}/common-ui/LICENSE
 %dir %{_datadir}/pki
 %if %{with server}
 %{_datadir}/pki/CS_SERVER_VERSION
 %{_datadir}/pki/common-ui/
 %{_datadir}/pki/server/webapps/pki/ca
@ -1281,6 +1473,9 @@ fi
 %{_datadir}/pki/server/webapps/pki/pki.properties
 %{_datadir}/pki/server/webapps/pki/tks
 # with server
 %endif
 %if %{with console}
 ################################################################################
 %files -n %{product_id}-console-theme
@ -1307,6 +1502,12 @@ fi
 ################################################################################
 %changelog
 * Thu Mar 28 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-2
 - RHEL-9916 CVE-2023-4727 pki-core: dogtag ca: token authentication bypass vulnerability
 * Wed Feb 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-1
 - Rebase to PKI 11.5.0
 * Mon Jun 05 2023 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.4.2-1
 - Rebase to PKI 11.4.2
`@ -1 +1 @@`
	`SOURCES/pki-11.4.2.tar.gz`	`SOURCES/pki-11.5.0.tar.gz`
`@ -1 +1 @@`
	`c996e98959bdde7fed60591d2a86e1812392ab19 SOURCES/pki-11.4.2.tar.gz`	`dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz`