From 2e72fe00789de2f9861dc32402b5a7ceec4c6d4f Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Fri, 28 Jun 2024 03:30:25 +0300
Subject: [PATCH] import pki-core-11.5.0-2.el9_4
---
.gitignore | 2 +-
.pki-core.metadata | 2 +-
...x-token-authentication-bypass-vulner.patch | 60 +++
SPECS/pki-core.spec | 377 ++++++++++++++----
4 files changed, 351 insertions(+), 90 deletions(-)
create mode 100644 SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
diff --git a/.gitignore b/.gitignore
index 667b9a7..c34d812 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-11.4.2.tar.gz
+SOURCES/pki-11.5.0.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index aae8653..787a9b6 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-c996e98959bdde7fed60591d2a86e1812392ab19 SOURCES/pki-11.4.2.tar.gz
+dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz
diff --git a/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch b/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
new file mode 100644
index 0000000..ea7e84a
--- /dev/null
+++ b/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
@@ -0,0 +1,60 @@
+From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 11 Sep 2023 15:40:32 -0500
+Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
+
+Previously the LDAPSecurityDomainSessionTable.sessionExists()
+and getStringValue() were using user-provided session ID as
+is in an LDAP filter which could be exploited to bypass token
+authentication.
+
+To fix the problem the code has been modified to escape all
+special characters in the session ID before using it in the
+LDAP filter.
+
+Resolves: CVE-2023-4727
+---
+ .../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+index 7691a98a40..fb627b88cb 100644
+--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
++++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
+ import com.netscape.cmscore.apps.EngineConfig;
+ import com.netscape.cmscore.ldapconn.LDAPConfig;
+ import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
++import com.netscape.cmsutil.ldap.LDAPUtil;
+
+ import netscape.ldap.LDAPAttribute;
+ import netscape.ldap.LDAPAttributeSet;
+@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
+ try {
+ String basedn = ldapConfig.getBaseDN();
+ String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+- String filter = "(cn=" + sessionId + ")";
++
++ // CVE-2023-4727
++ // escape session ID in LDAP search filter
++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+ String[] attrs = { "cn" };
+
+ conn = mLdapConnFactory.getConn();
+@@ -254,7 +259,11 @@ public class
LDAPSecurityDomainSessionTable + try { + String basedn = ldapConfig.getBaseDN(); + String sessionsdn = "ou=sessions,ou=Security Domain," + basedn; +- String filter = "(cn=" + sessionId + ")"; ++ ++ // CVE-2023-4727 ++ // escape session ID in LDAP search filter ++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; ++ + String[] attrs = { attr }; + + conn = mLdapConnFactory.getConn(); +-- +2.42.0 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 1a04a36..b893426 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -8,13 +8,13 @@ Name: pki-core # Upstream version number: %global major_version 11 -%global minor_version 4 -%global update_version 2 +%global minor_version 5 +%global update_version 0 # Downstream release number: # - development/stabilization (unsupported): 0. where n >= 1 # - GA/update (supported): where n >= 1 -%global release_number 1 +%global release_number 2 # Development phase: # - development (unsupported): alpha where n >= 1 @@ -28,7 +28,7 @@ Name: pki-core Summary: %{product_name} Package URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 -License: GPLv2 and LGPLv2 +License: GPL-2.0-only and LGPL-2.0-only Version: %{major_version}.%{minor_version}.%{update_version} Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist} @@ -46,8 +46,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase} # \ # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch +Patch: 0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch -%if 0%{?fedora} && 0%{?fedora} > 35 +%if 0%{?java_arches:1} ExclusiveArch: %{java_arches} %else ExcludeArch: i686 
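Review bot: The escaped filter is built by two identical copies of `String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";`, one in each patched try block, so a later lookup by session ID can easily reintroduce the unescaped concatenation. A single private helper, e.g. `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }`, would keep the escaping in one place. Both try blocks start and end outside the hunks, so it is not visible whether other code in this class also places a session ID into a filter or a DN; that is worth checking, and a DN would need DN escaping rather than filter escaping. The patch also ships without a regression test; one that passes an ID containing LDAP filter metacharacters and asserts that no session matches would pin the fix.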
@@ -59,12 +60,6 @@ ExcludeArch: i686 %global p11_kit_trust /usr/lib64/pkcs11/p11-kit-trust.so -################################################################################ -# Python -################################################################################ - -%global python_executable /usr/bin/python3 - ################################################################################ # Java ################################################################################ @@ -87,6 +82,8 @@ ExcludeArch: i686 %bcond_without test # Build the package unless --without is specified. +# For idm-pki do not build the following packages: +# ocsp, tks, tps, javadoc, theme, tests, debug %bcond_without base %bcond_without server @@ -94,18 +91,17 @@ ExcludeArch: i686 %bcond_without ca %bcond_without est %bcond_without kra - -# Do not build the following packages for pki-core. - -%bcond_with console %bcond_with ocsp %bcond_with tks %bcond_with tps %bcond_with javadoc %bcond_with theme -%bcond_with meta +%bcond_without meta %bcond_with tests -%bcond_with debug +%bcond_without debug + +# Don't build console unless --with console is specified. +%bcond_with console %if ! %{with debug} %define debug_package %{nil} @@ -152,17 +148,7 @@ BuildRequires: make BuildRequires: cmake >= 3.0.2 BuildRequires: gcc-c++ BuildRequires: zip -BuildRequires: %{java_devel} -BuildRequires: javapackages-tools -BuildRequires: apache-commons-cli -BuildRequires: apache-commons-codec -BuildRequires: apache-commons-io -BuildRequires: apache-commons-lang3 >= 3.2 -BuildRequires: apache-commons-logging -BuildRequires: apache-commons-net -BuildRequires: slf4j -BuildRequires: slf4j-jdk14 BuildRequires: nspr-devel BuildRequires: nss-devel >= 3.36.1 
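Review bot: The added comment `# ocsp, tks, tps, javadoc, theme, tests, debug` says the debug package is not built, but the next hunk changes the switch to `%bcond_without debug`, which builds it unless `--without debug` is passed. Either the comment or the default is wrong. If building debug is intended, the list should read `# ocsp, tks, tps, javadoc, theme, tests`; otherwise the switch should stay `%bcond_with debug`.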
@@ -184,21 +170,23 @@ BuildRequires: mvn(org.apache.commons:commons-lang3) BuildRequires: mvn(commons-logging:commons-logging) BuildRequires: mvn(commons-net:commons-net) BuildRequires: mvn(org.slf4j:slf4j-api) -BuildRequires: mvn(org.slf4j:slf4j-jdk14) -BuildRequires: mvn(junit:junit) -BuildRequires: pki-resteasy >= 3.0.26 -BuildRequires: jss = 5.4 -BuildRequires: tomcatjss = 8.4 -BuildRequires: ldapjdk = 5.4 - -%if 0%{?rhel} && ! 0%{?eln} -BuildRequires: pki-servlet-engine >= 9.0.31 -%else -BuildRequires: tomcat >= 1:9.0.31 -%endif +BuildRequires: mvn(xml-apis:xml-apis) +BuildRequires: mvn(xml-resolver:xml-resolver) +BuildRequires: mvn(org.junit.jupiter:junit-jupiter-api) +BuildRequires: mvn(org.jboss.resteasy:resteasy-client) +BuildRequires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) +BuildRequires: mvn(org.jboss.resteasy:resteasy-jaxrs) +BuildRequires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) +BuildRequires: mvn(org.apache.tomcat:tomcat-catalina) >= 9.0.62 +BuildRequires: mvn(org.apache.tomcat:tomcat-servlet-api) >= 9.0.62 +BuildRequires: mvn(org.apache.tomcat:tomcat-jaspic-api) >= 9.0.62 +BuildRequires: mvn(org.apache.tomcat:tomcat-util-scan) >= 9.0.62 +BuildRequires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0 +BuildRequires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0 +BuildRequires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0 # Python build dependencies -BuildRequires: python3 >= 3.9 +BuildRequires: python3 >= 3.6 BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: python3-cryptography 
@@ -269,26 +257,69 @@ Obsoletes: pki-console < %{version} Obsoletes: pki-console-theme < %{version} Obsoletes: idm-console-framework < 2.0 -# Make certain that this 'meta' package requires the latest version(s) -# of ALL PKI theme packages -Requires: %{product_id}-theme = %{version}-%{release} +%if %{with base} +Requires: %{product_id}-base = %{version}-%{release} +Requires: python3-%{product_id} = %{version}-%{release} +Requires: %{product_id}-java = %{version}-%{release} +Requires: %{product_id}-tools = %{version}-%{release} +%endif -# Make certain that this 'meta' package requires the latest version(s) -# of ALL PKI core packages +%if %{with server} +Requires: %{product_id}-server = %{version}-%{release} +%endif + +%if %{with acme} Requires: %{product_id}-acme = %{version}-%{release} +%endif + +%if %{with ca} Requires: %{product_id}-ca = %{version}-%{release} +%endif + +%if %{with est} Requires: %{product_id}-est = %{version}-%{release} +%endif + +%if %{with kra} Requires: %{product_id}-kra = %{version}-%{release} +%endif + +%if %{with ocsp} Requires: %{product_id}-ocsp = %{version}-%{release} +%endif + +%if %{with tks} Requires: %{product_id}-tks = %{version}-%{release} +%endif + +%if %{with tps} Requires: %{product_id}-tps = %{version}-%{release} +%endif +%if %{with javadoc} Requires: %{product_id}-javadoc = %{version}-%{release} +%endif + +%if %{with console} +Requires: %{product_id}-console = %{version}-%{release} +%endif + +%if %{with theme} +Requires: %{product_id}-theme = %{version}-%{release} +%if %{with console} +Requires: %{product_id}-console-theme = %{version}-%{release} +%endif +%endif + +%if %{with tests} +Requires: %{product_id}-tests = %{version}-%{release} +%endif # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI clients -- except for s390/s390x where 'esc' is not built +# and for idm-pki. 
%ifnarch s390 s390x -Requires: esc >= 1.1.1 +#Requires: esc >= 1.1.1 %endif # description for top-level package (unless there is a separate meta package) @@ -354,7 +385,7 @@ Provides: pki-base-python3 = %{version}-%{release} %{?python_provide:%python_provide python3-pki} Requires: %{product_id}-base = %{version}-%{release} -Requires: python3 >= 3.9 +Requires: python3 >= 3.6 Requires: python3-cryptography Requires: python3-ldap Requires: python3-lxml @@ -386,10 +417,12 @@ Requires: mvn(commons-logging:commons-logging) Requires: mvn(commons-net:commons-net) Requires: mvn(org.slf4j:slf4j-api) Requires: mvn(org.slf4j:slf4j-jdk14) -Requires: jss = 5.4 -Requires: ldapjdk = 5.4 +Requires: mvn(org.jboss.resteasy:resteasy-client) +Requires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) +Requires: mvn(org.jboss.resteasy:resteasy-jaxrs) +Requires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0 +Requires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0 Requires: %{product_id}-base = %{version}-%{release} -Requires: pki-resteasy >= 3.0.26 %description -n %{product_id}-java This package provides common and client libraries for Java. @@ -441,6 +474,8 @@ Requires: openldap-clients Requires: openssl Requires: %{product_id}-tools = %{version}-%{release} +Requires: %{java_devel} + Requires: keyutils Requires: policycoreutils-python-utils @@ -451,17 +486,14 @@ Requires: python3-policycoreutils Requires: selinux-policy-targeted >= 3.13.1-159 -%if 0%{?rhel} && ! 0%{?eln} -Requires: pki-servlet-engine >= 9.0.31 -%else -Requires: tomcat >= 1:9.0.31 -%endif +Requires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) +Requires: tomcat >= 1:9.0.62 +Requires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0 Requires: systemd Requires(post): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss = 8.4 # pki-healthcheck depends on the following library %if 0%{?rhel} 
@@ -734,12 +766,12 @@ This package provides %{product_name} API documentation. Summary: %{product_name} Console Package BuildArch: noarch -BuildRequires: idm-console-framework >= 2.0 +BuildRequires: mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0 Obsoletes: pki-console < %{version}-%{release} Provides: pki-console = %{version}-%{release} -Requires: idm-console-framework >= 2.0 +Requires: mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0 Requires: %{product_id}-java = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release} @@ -763,6 +795,14 @@ Provides: pki-server-theme = %{version}-%{release} Obsoletes: %{product_id}-server-theme < %{version}-%{release} Provides: %{product_id}-server-theme = %{version}-%{release} +%if 0%{?fedora} > 38 +BuildRequires: fontawesome4-fonts-web +Requires: fontawesome4-fonts-web +%else +BuildRequires: fontawesome-fonts-web +Requires: fontawesome-fonts-web +%endif + # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-javadoc < %{version} 
@@ -822,6 +862,91 @@ This package provides test suite for %{product_name}. %autosetup -n pki-%{version}%{?phase:-}%{?phase} -p 1 +%if ! %{with base} +%pom_disable_module common base +%pom_disable_module tools base +%endif + +%if ! %{with server} +%pom_disable_module tomcat base +%pom_disable_module tomcat-9.0 base +%pom_disable_module server base +%pom_disable_module server-webapp base +%endif + +%if ! %{with ca} +%pom_disable_module ca base +%endif + +%if ! %{with kra} +%pom_disable_module kra base +%endif + +%if ! %{with ocsp} +%pom_disable_module ocsp base +%endif + +%if ! %{with tks} +%pom_disable_module tks base +%endif + +%if ! %{with tps} +%pom_disable_module tps base +%endif + +%if ! %{with acme} +%pom_disable_module acme base +%endif + +%if ! %{with est} +%pom_disable_module est base +%endif + +%if ! %{with console} +%pom_disable_module console base +%endif + +# flatten-maven-plugin is not available in RPM +%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin + +# specify Maven artifact locations +%mvn_file org.dogtagpki.pki:pki-common pki/pki-common +%mvn_file org.dogtagpki.pki:pki-tools pki/pki-tools +%mvn_file org.dogtagpki.pki:pki-server pki/pki-server +%mvn_file org.dogtagpki.pki:pki-server-webapp pki/pki-server-webapp +%mvn_file org.dogtagpki.pki:pki-tomcat pki/pki-tomcat +%mvn_file org.dogtagpki.pki:pki-tomcat-9.0 pki/pki-tomcat-9.0 +%mvn_file org.dogtagpki.pki:pki-ca pki/pki-ca +%mvn_file org.dogtagpki.pki:pki-kra pki/pki-kra +%mvn_file org.dogtagpki.pki:pki-ocsp pki/pki-ocsp +%mvn_file org.dogtagpki.pki:pki-tks pki/pki-tks +%mvn_file org.dogtagpki.pki:pki-tps pki/pki-tps +%mvn_file org.dogtagpki.pki:pki-acme pki/pki-acme +%mvn_file org.dogtagpki.pki:pki-est pki/pki-est + +%if %{with console} +%mvn_file org.dogtagpki.pki:pki-console pki/pki-console +%endif + +# specify Maven artifact packages +%mvn_package org.dogtagpki.pki:pki-common pki-java +%mvn_package org.dogtagpki.pki:pki-tools pki-tools +%mvn_package org.dogtagpki.pki:pki-server 
pki-server +%mvn_package org.dogtagpki.pki:pki-server-webapp pki-server +%mvn_package org.dogtagpki.pki:pki-tomcat pki-server +%mvn_package org.dogtagpki.pki:pki-tomcat-9.0 pki-server +%mvn_package org.dogtagpki.pki:pki-ca pki-ca +%mvn_package org.dogtagpki.pki:pki-kra pki-kra +%mvn_package org.dogtagpki.pki:pki-ocsp pki-ocsp +%mvn_package org.dogtagpki.pki:pki-tks pki-tks +%mvn_package org.dogtagpki.pki:pki-tps pki-tps +%mvn_package org.dogtagpki.pki:pki-acme pki-acme +%mvn_package org.dogtagpki.pki:pki-est pki-est + +%if %{with console} +%mvn_package org.dogtagpki.pki:pki-console pki-console +%endif + ################################################################################ %build ################################################################################ 
@@ -830,6 +955,61 @@ This package provides test suite for %{product_name}. # (see /usr/lib/rpm/macros.d/macros.cmake) %set_build_flags +export JAVA_HOME=%{java_home} + +# build Java binaries and run unit tests with Maven +%mvn_build %{!?with_test:-f} -j + +# create links to Maven-built JAR files for CMake +mkdir -p %{_vpath_builddir}/dist +pushd %{_vpath_builddir}/dist + +%if %{with base} +ln -sf ../../base/common/target/pki-common.jar +ln -sf ../../base/tools/target/pki-tools.jar +%endif + +%if %{with server} +ln -sf ../../base/tomcat/target/pki-tomcat.jar +ln -sf ../../base/tomcat-9.0/target/pki-tomcat-9.0.jar +ln -sf ../../base/server/target/pki-server.jar +ln -sf ../../base/server-webapp/target/pki-server-webapp.jar +%endif + +%if %{with ca} +ln -sf ../../base/ca/target/pki-ca.jar +%endif + +%if %{with kra} +ln -sf ../../base/kra/target/pki-kra.jar +%endif + +%if %{with ocsp} +ln -sf ../../base/ocsp/target/pki-ocsp.jar +%endif + +%if %{with tks} +ln -sf ../../base/tks/target/pki-tks.jar +%endif + +%if %{with tps} +ln -sf ../../base/tps/target/pki-tps.jar +%endif + +%if %{with acme} +ln -sf ../../base/acme/target/pki-acme.jar +%endif + +%if %{with est} +ln -sf ../../base/est/target/pki-est.jar +%endif + +%if %{with console} +ln -sf ../../base/console/target/pki-console.jar +%endif + +popd + # Remove all symbol table and relocation information from the executable. C_FLAGS="-s" @@ -865,6 +1045,7 @@ pkgs=base\ %{?with_tests:,tests}\ %{?with_debug:,debug} +# build PKI console, Javadoc, and native binaries with CMake ./build.sh \ %{?_verbose:-v} \ --product-name="%{product_name}" \ 
@@ -885,15 +1066,20 @@ pkgs=base\ --unit-dir=%{_unitdir} \ --python=%{python3} \ --python-dir=%{python3_sitelib} \ + --without-java \ --with-pkgs=$pkgs \ %{?with_console:--with-console} \ - %{!?with_test:--without-test} \ + --without-test \ dist ################################################################################ %install ################################################################################ +# install Java binaries +%mvn_install + +# install PKI console, Javadoc, and native binaries ./build.sh \ %{?_verbose:-v} \ --work-dir=%{_vpath_builddir} \ @@ -952,16 +1138,36 @@ then systemctl daemon-reload fi +# Update the fapolicy rules for each PKI server instance +for instance in $(ls /var/lib/pki) +do + target="/etc/fapolicyd/rules.d/61-pki-$instance.rules" + + sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \ + /usr/share/pki/server/etc/fapolicy.rules \ + > $target + + chown root:fapolicyd $target + chmod 644 $target +done + +# Restart fapolicy daemon if it's active +status=$(systemctl is-active fapolicyd) +if [ "$status" = "active" ] +then + systemctl restart fapolicyd +fi + # with server %endif %if %{with meta} %if "%{name}" != "%{product_id}" ################################################################################ -%files -n %{product_id} +%files -n %{product_id} -f .mfiles ################################################################################ %else -%files +%files -f .mfiles %endif %doc %{_datadir}/doc/pki/README 
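Review bot: The added fapolicy loop iterates over `$(ls /var/lib/pki)`, leaves `$target` unquoted, and writes into `/etc/fapolicyd/rules.d` and runs `chown root:fapolicyd` without first checking that fapolicyd is installed. On a host without fapolicyd the redirect and the chown would presumably fail on every install or upgrade, and `ls` also returns plain files and splits names on whitespace. I would guard the block on the rules directory, iterate with a directory glob and quote every expansion, as sketched below. The scriptlet begins before this hunk and continues after it.

```spec
# Update the fapolicy rules for each PKI server instance
if [ -d /etc/fapolicyd/rules.d ]
then
    for dir in /var/lib/pki/*/
    do
        # the glob stays literal when no instance exists
        [ -d "$dir" ] || continue
        instance=$(basename "$dir")
        target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"

        sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
            /usr/share/pki/server/etc/fapolicy.rules \
            > "$target"

        chown root:fapolicyd "$target"
        chmod 644 "$target"
    done
fi
# … unchanged: restart fapolicyd if it is active …
```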
@@ -997,15 +1203,13 @@ fi %{_mandir}/man8/pki-upgrade.8.gz ################################################################################ -%files -n %{product_id}-java +%files -n %{product_id}-java -f .mfiles-pki-java ################################################################################ %license base/common/LICENSE %license base/common/LICENSE.LESSER %{_datadir}/pki/examples/java/ %{_datadir}/pki/lib/*.jar -%dir %{_javadir}/pki -%{_javadir}/pki/pki-common.jar ################################################################################ %files -n python3-%{product_id} @@ -1019,7 +1223,7 @@ fi %{python3_sitelib}/pki ################################################################################ -%files -n %{product_id}-tools +%files -n %{product_id}-tools -f .mfiles-pki-tools ################################################################################ %license base/tools/LICENSE @@ -1042,7 +1246,6 @@ fi %{_bindir}/CMCRevoke %{_bindir}/CMCSharedToken %{_bindir}/CRMFPopClient -%{_bindir}/DRMTool %{_bindir}/ExtJoiner %{_bindir}/GenExtKeyUsage %{_bindir}/GenIssuerAltNameExt @@ -1056,10 +1259,8 @@ fi %{_bindir}/PrettyPrintCert %{_bindir}/PrettyPrintCrl %{_bindir}/TokenInfo -%{_javadir}/pki/pki-tools.jar %{_datadir}/pki/tools/ %{_datadir}/pki/lib/p11-kit-trust.so -%{_libdir}/tps/libtps.so %{_mandir}/man1/AtoB.1.gz %{_mandir}/man1/AuditVerify.1.gz %{_mandir}/man1/BtoA.1.gz @@ -1067,7 +1268,6 @@ fi %{_mandir}/man1/CMCRequest.1.gz %{_mandir}/man1/CMCSharedToken.1.gz %{_mandir}/man1/CMCResponse.1.gz -%{_mandir}/man1/DRMTool.1.gz %{_mandir}/man1/KRATool.1.gz %{_mandir}/man1/PrettyPrintCert.1.gz %{_mandir}/man1/PrettyPrintCrl.1.gz @@ -1097,7 +1297,7 @@ fi %if %{with server} ################################################################################ -%files -n %{product_id}-server +%files -n %{product_id}-server -f .mfiles-pki-server ################################################################################ %license base/common/THIRD_PARTY_LICENSES 
@@ -1126,8 +1326,6 @@ fi %dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target -%{_javadir}/pki/pki-server.jar -%{_javadir}/pki/pki-tomcat.jar %dir %{_sharedstatedir}/pki %{_mandir}/man1/pkidaemon.1.gz %{_mandir}/man5/pki_default.cfg.5.gz @@ -1158,10 +1356,9 @@ fi %if %{with acme} ################################################################################ -%files -n %{product_id}-acme +%files -n %{product_id}-acme -f .mfiles-pki-acme ################################################################################ -%{_javadir}/pki/pki-acme.jar %{_datadir}/pki/acme/ # with acme @@ -1169,11 +1366,10 @@ fi %if %{with ca} ################################################################################ -%files -n %{product_id}-ca +%files -n %{product_id}-ca -f .mfiles-pki-ca ################################################################################ %license base/ca/LICENSE -%{_javadir}/pki/pki-ca.jar %{_datadir}/pki/ca/ # with ca @@ -1181,10 +1377,9 @@ fi %if %{with est} ################################################################################ -%files -n %{product_id}-est +%files -n %{product_id}-est -f .mfiles-pki-est ################################################################################ -%{_javadir}/pki/pki-est.jar %{_datadir}/pki/est/ # with est @@ -1192,11 +1387,10 @@ fi %if %{with kra} ################################################################################ -%files -n %{product_id}-kra +%files -n %{product_id}-kra -f .mfiles-pki-kra ################################################################################ %license base/kra/LICENSE -%{_javadir}/pki/pki-kra.jar %{_datadir}/pki/kra/ # with kra 
@@ -1204,11 +1398,10 @@ fi %if %{with ocsp} ################################################################################ -%files -n %{product_id}-ocsp +%files -n %{product_id}-ocsp -f .mfiles-pki-ocsp ################################################################################ %license base/ocsp/LICENSE -%{_javadir}/pki/pki-ocsp.jar %{_datadir}/pki/ocsp/ # with ocsp @@ -1216,11 +1409,10 @@ fi %if %{with tks} ################################################################################ -%files -n %{product_id}-tks +%files -n %{product_id}-tks -f .mfiles-pki-tks ################################################################################ %license base/tks/LICENSE -%{_javadir}/pki/pki-tks.jar %{_datadir}/pki/tks/ # with tks @@ -1228,11 +1420,10 @@ fi %if %{with tps} ################################################################################ -%files -n %{product_id}-tps +%files -n %{product_id}-tps -f .mfiles-pki-tps ################################################################################ %license base/tps/LICENSE -%{_javadir}/pki/pki-tps.jar %{_datadir}/pki/tps/ %{_mandir}/man5/pki-tps-connector.5.gz %{_mandir}/man5/pki-tps-profile.5.gz @@ -1252,12 +1443,11 @@ fi %if %{with console} ################################################################################ -%files -n %{product_id}-console +%files -n %{product_id}-console -f .mfiles-pki-console ################################################################################ %license base/console/LICENSE %{_bindir}/pkiconsole -%{_javadir}/pki/pki-console.jar # with console %endif @@ -1269,6 +1459,8 @@ fi %license themes/%{theme}/common-ui/LICENSE %dir %{_datadir}/pki + +%if %{with server} %{_datadir}/pki/CS_SERVER_VERSION %{_datadir}/pki/common-ui/ %{_datadir}/pki/server/webapps/pki/ca 
@@ -1281,6 +1473,9 @@ fi %{_datadir}/pki/server/webapps/pki/pki.properties %{_datadir}/pki/server/webapps/pki/tks +# with server +%endif + %if %{with console} ################################################################################ %files -n %{product_id}-console-theme @@ -1307,6 +1502,12 @@ fi ################################################################################ %changelog +* Thu Mar 28 2024 Red Hat PKI Team - 11.5.0-2 +- RHEL-9916 CVE-2023-4727 pki-core: dogtag ca: token authentication bypass vulnerability + +* Wed Feb 21 2024 Red Hat PKI Team - 11.5.0-1 +- Rebase to PKI 11.5.0 + * Mon Jun 05 2023 Red Hat PKI Team - 11.4.2-1 - Rebase to PKI 11.4.2