rpms
/
pki-core
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import pki-core-11.5.0-2.el9_4

Browse Source
i9c changed/i9c/pki-core-11.5.0-2.el9_4
MSVSphere Packaging Team 7 months ago
parent 1f7e49bb66
commit 2e72fe0078
4 changed files with 351 additions and 90 deletions
Show Stats Download Patch File Download Diff File

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/pki-11.4.2.tar.gz
SOURCES/pki-11.5.0.tar.gz

2
.pki-core.metadata
Unescape View File

@ -1 +1 @@
c996e98959bdde7fed60591d2a86e1812392ab19 SOURCES/pki-11.4.2.tar.gz
dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz

60
SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
Unescape View File

@ -0,0 +1,60 @@
From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 11 Sep 2023 15:40:32 -0500
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 7691a98a40..fb627b88cb 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.ldapconn.LDAPConfig;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
+import com.netscape.cmsutil.ldap.LDAPUtil;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
@@ -254,7 +259,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
2.42.0

377
SPECS/pki-core.spec
Unescape View File

@ -8,13 +8,13 @@ Name: pki-core
# Upstream version number:
%global major_version 11
%global minor_version 4
%global update_version 2
%global minor_version 5
%global update_version 0
# Downstream release number:
# - development/stabilization (unsupported): 0.<n> where n >= 1
# - GA/update (supported): <n> where n >= 1
%global release_number 1
%global release_number 2
# Development phase:
# - development (unsupported): alpha<n> where n >= 1
@ -28,7 +28,7 @@ Name: pki-core
Summary: %{product_name} Package
URL: https://www.dogtagpki.org
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
License: GPL-2.0-only and LGPL-2.0-only
Version: %{major_version}.%{minor_version}.%{update_version}
Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist}
@ -46,8 +46,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase}
# <version tag> \
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
Patch: 0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
%if 0%{?fedora} && 0%{?fedora} > 35
%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
%else
ExcludeArch: i686
@ -59,12 +60,6 @@ ExcludeArch: i686
%global p11_kit_trust /usr/lib64/pkcs11/p11-kit-trust.so
################################################################################
# Python
################################################################################
%global python_executable /usr/bin/python3
################################################################################
# Java
################################################################################
@ -87,6 +82,8 @@ ExcludeArch: i686
%bcond_without test
# Build the package unless --without <package> is specified.
# For idm-pki do not build the following packages:
# ocsp, tks, tps, javadoc, theme, tests, debug
%bcond_without base
%bcond_without server
@ -94,18 +91,17 @@ ExcludeArch: i686
%bcond_without ca
%bcond_without est
%bcond_without kra
# Do not build the following packages for pki-core.
%bcond_with console
%bcond_with ocsp
%bcond_with tks
%bcond_with tps
%bcond_with javadoc
%bcond_with theme
%bcond_with meta
%bcond_without meta
%bcond_with tests
%bcond_with debug
%bcond_without debug
# Don't build console unless --with console is specified.
%bcond_with console
%if ! %{with debug}
%define debug_package %{nil}
@ -152,17 +148,7 @@ BuildRequires: make
BuildRequires: cmake >= 3.0.2
BuildRequires: gcc-c++
BuildRequires: zip
BuildRequires: %{java_devel}
BuildRequires: javapackages-tools
BuildRequires: apache-commons-cli
BuildRequires: apache-commons-codec
BuildRequires: apache-commons-io
BuildRequires: apache-commons-lang3 >= 3.2
BuildRequires: apache-commons-logging
BuildRequires: apache-commons-net
BuildRequires: slf4j
BuildRequires: slf4j-jdk14
BuildRequires: nspr-devel
BuildRequires: nss-devel >= 3.36.1
@ -184,21 +170,23 @@ BuildRequires: mvn(org.apache.commons:commons-lang3)
BuildRequires: mvn(commons-logging:commons-logging)
BuildRequires: mvn(commons-net:commons-net)
BuildRequires: mvn(org.slf4j:slf4j-api)
BuildRequires: mvn(org.slf4j:slf4j-jdk14)
BuildRequires: mvn(junit:junit)
BuildRequires: pki-resteasy >= 3.0.26
BuildRequires: jss = 5.4
BuildRequires: tomcatjss = 8.4
BuildRequires: ldapjdk = 5.4
%if 0%{?rhel} && ! 0%{?eln}
BuildRequires: pki-servlet-engine >= 9.0.31
%else
BuildRequires: tomcat >= 1:9.0.31
%endif
BuildRequires: mvn(xml-apis:xml-apis)
BuildRequires: mvn(xml-resolver:xml-resolver)
BuildRequires: mvn(org.junit.jupiter:junit-jupiter-api)
BuildRequires: mvn(org.jboss.resteasy:resteasy-client)
BuildRequires: mvn(org.jboss.resteasy:resteasy-jackson2-provider)
BuildRequires: mvn(org.jboss.resteasy:resteasy-jaxrs)
BuildRequires: mvn(org.jboss.resteasy:resteasy-servlet-initializer)
BuildRequires: mvn(org.apache.tomcat:tomcat-catalina) >= 9.0.62
BuildRequires: mvn(org.apache.tomcat:tomcat-servlet-api) >= 9.0.62
BuildRequires: mvn(org.apache.tomcat:tomcat-jaspic-api) >= 9.0.62
BuildRequires: mvn(org.apache.tomcat:tomcat-util-scan) >= 9.0.62
BuildRequires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0
BuildRequires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0
BuildRequires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0
# Python build dependencies
BuildRequires: python3 >= 3.9
BuildRequires: python3 >= 3.6
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-cryptography
@ -269,26 +257,69 @@ Obsoletes: pki-console < %{version}
Obsoletes: pki-console-theme < %{version}
Obsoletes: idm-console-framework < 2.0
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI theme packages
Requires: %{product_id}-theme = %{version}-%{release}
%if %{with base}
Requires: %{product_id}-base = %{version}-%{release}
Requires: python3-%{product_id} = %{version}-%{release}
Requires: %{product_id}-java = %{version}-%{release}
Requires: %{product_id}-tools = %{version}-%{release}
%endif
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI core packages
%if %{with server}
Requires: %{product_id}-server = %{version}-%{release}
%endif
%if %{with acme}
Requires: %{product_id}-acme = %{version}-%{release}
%endif
%if %{with ca}
Requires: %{product_id}-ca = %{version}-%{release}
%endif
%if %{with est}
Requires: %{product_id}-est = %{version}-%{release}
%endif
%if %{with kra}
Requires: %{product_id}-kra = %{version}-%{release}
%endif
%if %{with ocsp}
Requires: %{product_id}-ocsp = %{version}-%{release}
%endif
%if %{with tks}
Requires: %{product_id}-tks = %{version}-%{release}
%endif
%if %{with tps}
Requires: %{product_id}-tps = %{version}-%{release}
%endif
%if %{with javadoc}
Requires: %{product_id}-javadoc = %{version}-%{release}
%endif
%if %{with console}
Requires: %{product_id}-console = %{version}-%{release}
%endif
%if %{with theme}
Requires: %{product_id}-theme = %{version}-%{release}
%if %{with console}
Requires: %{product_id}-console-theme = %{version}-%{release}
%endif
%endif
%if %{with tests}
Requires: %{product_id}-tests = %{version}-%{release}
%endif
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
# and for idm-pki.
%ifnarch s390 s390x
Requires: esc >= 1.1.1
#Requires: esc >= 1.1.1
%endif
# description for top-level package (unless there is a separate meta package)
@ -354,7 +385,7 @@ Provides: pki-base-python3 = %{version}-%{release}
%{?python_provide:%python_provide python3-pki}
Requires: %{product_id}-base = %{version}-%{release}
Requires: python3 >= 3.9
Requires: python3 >= 3.6
Requires: python3-cryptography
Requires: python3-ldap
Requires: python3-lxml
@ -386,10 +417,12 @@ Requires: mvn(commons-logging:commons-logging)
Requires: mvn(commons-net:commons-net)
Requires: mvn(org.slf4j:slf4j-api)
Requires: mvn(org.slf4j:slf4j-jdk14)
Requires: jss = 5.4
Requires: ldapjdk = 5.4
Requires: mvn(org.jboss.resteasy:resteasy-client)
Requires: mvn(org.jboss.resteasy:resteasy-jackson2-provider)
Requires: mvn(org.jboss.resteasy:resteasy-jaxrs)
Requires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0
Requires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0
Requires: %{product_id}-base = %{version}-%{release}
Requires: pki-resteasy >= 3.0.26
%description -n %{product_id}-java
This package provides common and client libraries for Java.
@ -441,6 +474,8 @@ Requires: openldap-clients
Requires: openssl
Requires: %{product_id}-tools = %{version}-%{release}
Requires: %{java_devel}
Requires: keyutils
Requires: policycoreutils-python-utils
@ -451,17 +486,14 @@ Requires: python3-policycoreutils
Requires: selinux-policy-targeted >= 3.13.1-159
%if 0%{?rhel} && ! 0%{?eln}
Requires: pki-servlet-engine >= 9.0.31
%else
Requires: tomcat >= 1:9.0.31
%endif
Requires: mvn(org.jboss.resteasy:resteasy-servlet-initializer)
Requires: tomcat >= 1:9.0.62
Requires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0
Requires: systemd
Requires(post): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss = 8.4
# pki-healthcheck depends on the following library
%if 0%{?rhel}
@ -734,12 +766,12 @@ This package provides %{product_name} API documentation.
Summary: %{product_name} Console Package
BuildArch: noarch
BuildRequires: idm-console-framework >= 2.0
BuildRequires: mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0
Obsoletes: pki-console < %{version}-%{release}
Provides: pki-console = %{version}-%{release}
Requires: idm-console-framework >= 2.0
Requires: mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0
Requires: %{product_id}-java = %{version}-%{release}
Requires: %{product_id}-console-theme = %{version}-%{release}
@ -763,6 +795,14 @@ Provides: pki-server-theme = %{version}-%{release}
Obsoletes: %{product_id}-server-theme < %{version}-%{release}
Provides: %{product_id}-server-theme = %{version}-%{release}
%if 0%{?fedora} > 38
BuildRequires: fontawesome4-fonts-web
Requires: fontawesome4-fonts-web
%else
BuildRequires: fontawesome-fonts-web
Requires: fontawesome-fonts-web
%endif
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
Conflicts: pki-javadoc < %{version}
@ -822,6 +862,91 @@ This package provides test suite for %{product_name}.
%autosetup -n pki-%{version}%{?phase:-}%{?phase} -p 1
%if ! %{with base}
%pom_disable_module common base
%pom_disable_module tools base
%endif
%if ! %{with server}
%pom_disable_module tomcat base
%pom_disable_module tomcat-9.0 base
%pom_disable_module server base
%pom_disable_module server-webapp base
%endif
%if ! %{with ca}
%pom_disable_module ca base
%endif
%if ! %{with kra}
%pom_disable_module kra base
%endif
%if ! %{with ocsp}
%pom_disable_module ocsp base
%endif
%if ! %{with tks}
%pom_disable_module tks base
%endif
%if ! %{with tps}
%pom_disable_module tps base
%endif
%if ! %{with acme}
%pom_disable_module acme base
%endif
%if ! %{with est}
%pom_disable_module est base
%endif
%if ! %{with console}
%pom_disable_module console base
%endif
# flatten-maven-plugin is not available in RPM
%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin
# specify Maven artifact locations
%mvn_file org.dogtagpki.pki:pki-common pki/pki-common
%mvn_file org.dogtagpki.pki:pki-tools pki/pki-tools
%mvn_file org.dogtagpki.pki:pki-server pki/pki-server
%mvn_file org.dogtagpki.pki:pki-server-webapp pki/pki-server-webapp
%mvn_file org.dogtagpki.pki:pki-tomcat pki/pki-tomcat
%mvn_file org.dogtagpki.pki:pki-tomcat-9.0 pki/pki-tomcat-9.0
%mvn_file org.dogtagpki.pki:pki-ca pki/pki-ca
%mvn_file org.dogtagpki.pki:pki-kra pki/pki-kra
%mvn_file org.dogtagpki.pki:pki-ocsp pki/pki-ocsp
%mvn_file org.dogtagpki.pki:pki-tks pki/pki-tks
%mvn_file org.dogtagpki.pki:pki-tps pki/pki-tps
%mvn_file org.dogtagpki.pki:pki-acme pki/pki-acme
%mvn_file org.dogtagpki.pki:pki-est pki/pki-est
%if %{with console}
%mvn_file org.dogtagpki.pki:pki-console pki/pki-console
%endif
# specify Maven artifact packages
%mvn_package org.dogtagpki.pki:pki-common pki-java
%mvn_package org.dogtagpki.pki:pki-tools pki-tools
%mvn_package org.dogtagpki.pki:pki-server pki-server
%mvn_package org.dogtagpki.pki:pki-server-webapp pki-server
%mvn_package org.dogtagpki.pki:pki-tomcat pki-server
%mvn_package org.dogtagpki.pki:pki-tomcat-9.0 pki-server
%mvn_package org.dogtagpki.pki:pki-ca pki-ca
%mvn_package org.dogtagpki.pki:pki-kra pki-kra
%mvn_package org.dogtagpki.pki:pki-ocsp pki-ocsp
%mvn_package org.dogtagpki.pki:pki-tks pki-tks
%mvn_package org.dogtagpki.pki:pki-tps pki-tps
%mvn_package org.dogtagpki.pki:pki-acme pki-acme
%mvn_package org.dogtagpki.pki:pki-est pki-est
%if %{with console}
%mvn_package org.dogtagpki.pki:pki-console pki-console
%endif
################################################################################
%build
################################################################################
@ -830,6 +955,61 @@ This package provides test suite for %{product_name}.
# (see /usr/lib/rpm/macros.d/macros.cmake)
%set_build_flags
export JAVA_HOME=%{java_home}
# build Java binaries and run unit tests with Maven
%mvn_build %{!?with_test:-f} -j
# create links to Maven-built JAR files for CMake
mkdir -p %{_vpath_builddir}/dist
pushd %{_vpath_builddir}/dist
%if %{with base}
ln -sf ../../base/common/target/pki-common.jar
ln -sf ../../base/tools/target/pki-tools.jar
%endif
%if %{with server}
ln -sf ../../base/tomcat/target/pki-tomcat.jar
ln -sf ../../base/tomcat-9.0/target/pki-tomcat-9.0.jar
ln -sf ../../base/server/target/pki-server.jar
ln -sf ../../base/server-webapp/target/pki-server-webapp.jar
%endif
%if %{with ca}
ln -sf ../../base/ca/target/pki-ca.jar
%endif
%if %{with kra}
ln -sf ../../base/kra/target/pki-kra.jar
%endif
%if %{with ocsp}
ln -sf ../../base/ocsp/target/pki-ocsp.jar
%endif
%if %{with tks}
ln -sf ../../base/tks/target/pki-tks.jar
%endif
%if %{with tps}
ln -sf ../../base/tps/target/pki-tps.jar
%endif
%if %{with acme}
ln -sf ../../base/acme/target/pki-acme.jar
%endif
%if %{with est}
ln -sf ../../base/est/target/pki-est.jar
%endif
%if %{with console}
ln -sf ../../base/console/target/pki-console.jar
%endif
popd
# Remove all symbol table and relocation information from the executable.
C_FLAGS="-s"
@ -865,6 +1045,7 @@ pkgs=base\
%{?with_tests:,tests}\
%{?with_debug:,debug}
# build PKI console, Javadoc, and native binaries with CMake
./build.sh \
%{?_verbose:-v} \
--product-name="%{product_name}" \
@ -885,15 +1066,20 @@ pkgs=base\
--unit-dir=%{_unitdir} \
--python=%{python3} \
--python-dir=%{python3_sitelib} \
--without-java \
--with-pkgs=$pkgs \
%{?with_console:--with-console} \
%{!?with_test:--without-test} \
--without-test \
dist
################################################################################
%install
################################################################################
# install Java binaries
%mvn_install
# install PKI console, Javadoc, and native binaries
./build.sh \
%{?_verbose:-v} \
--work-dir=%{_vpath_builddir} \
@ -952,16 +1138,36 @@ then
systemctl daemon-reload
fi
# Update the fapolicy rules for each PKI server instance
for instance in $(ls /var/lib/pki)
do
target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"
sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
/usr/share/pki/server/etc/fapolicy.rules \
> $target
chown root:fapolicyd $target
chmod 644 $target
done
# Restart fapolicy daemon if it's active
status=$(systemctl is-active fapolicyd)
if [ "$status" = "active" ]
then
systemctl restart fapolicyd
fi
# with server
%endif
%if %{with meta}
%if "%{name}" != "%{product_id}"
################################################################################
%files -n %{product_id}
%files -n %{product_id} -f .mfiles
################################################################################
%else
%files
%files -f .mfiles
%endif
%doc %{_datadir}/doc/pki/README
@ -997,15 +1203,13 @@ fi
%{_mandir}/man8/pki-upgrade.8.gz
################################################################################
%files -n %{product_id}-java
%files -n %{product_id}-java -f .mfiles-pki-java
################################################################################
%license base/common/LICENSE
%license base/common/LICENSE.LESSER
%{_datadir}/pki/examples/java/
%{_datadir}/pki/lib/*.jar
%dir %{_javadir}/pki
%{_javadir}/pki/pki-common.jar
################################################################################
%files -n python3-%{product_id}
@ -1019,7 +1223,7 @@ fi
%{python3_sitelib}/pki
################################################################################
%files -n %{product_id}-tools
%files -n %{product_id}-tools -f .mfiles-pki-tools
################################################################################
%license base/tools/LICENSE
@ -1042,7 +1246,6 @@ fi
%{_bindir}/CMCRevoke
%{_bindir}/CMCSharedToken
%{_bindir}/CRMFPopClient
%{_bindir}/DRMTool
%{_bindir}/ExtJoiner
%{_bindir}/GenExtKeyUsage
%{_bindir}/GenIssuerAltNameExt
@ -1056,10 +1259,8 @@ fi
%{_bindir}/PrettyPrintCert
%{_bindir}/PrettyPrintCrl
%{_bindir}/TokenInfo
%{_javadir}/pki/pki-tools.jar
%{_datadir}/pki/tools/
%{_datadir}/pki/lib/p11-kit-trust.so
%{_libdir}/tps/libtps.so
%{_mandir}/man1/AtoB.1.gz
%{_mandir}/man1/AuditVerify.1.gz
%{_mandir}/man1/BtoA.1.gz
@ -1067,7 +1268,6 @@ fi
%{_mandir}/man1/CMCRequest.1.gz
%{_mandir}/man1/CMCSharedToken.1.gz
%{_mandir}/man1/CMCResponse.1.gz
%{_mandir}/man1/DRMTool.1.gz
%{_mandir}/man1/KRATool.1.gz
%{_mandir}/man1/PrettyPrintCert.1.gz
%{_mandir}/man1/PrettyPrintCrl.1.gz
@ -1097,7 +1297,7 @@ fi
%if %{with server}
################################################################################
%files -n %{product_id}-server
%files -n %{product_id}-server -f .mfiles-pki-server
################################################################################
%license base/common/THIRD_PARTY_LICENSES
@ -1126,8 +1326,6 @@ fi
%dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service
%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
%{_javadir}/pki/pki-server.jar
%{_javadir}/pki/pki-tomcat.jar
%dir %{_sharedstatedir}/pki
%{_mandir}/man1/pkidaemon.1.gz
%{_mandir}/man5/pki_default.cfg.5.gz
@ -1158,10 +1356,9 @@ fi
%if %{with acme}
################################################################################
%files -n %{product_id}-acme
%files -n %{product_id}-acme -f .mfiles-pki-acme
################################################################################
%{_javadir}/pki/pki-acme.jar
%{_datadir}/pki/acme/
# with acme
@ -1169,11 +1366,10 @@ fi
%if %{with ca}
################################################################################
%files -n %{product_id}-ca
%files -n %{product_id}-ca -f .mfiles-pki-ca
################################################################################
%license base/ca/LICENSE
%{_javadir}/pki/pki-ca.jar
%{_datadir}/pki/ca/
# with ca
@ -1181,10 +1377,9 @@ fi
%if %{with est}
################################################################################
%files -n %{product_id}-est
%files -n %{product_id}-est -f .mfiles-pki-est
################################################################################
%{_javadir}/pki/pki-est.jar
%{_datadir}/pki/est/
# with est
@ -1192,11 +1387,10 @@ fi
%if %{with kra}
################################################################################
%files -n %{product_id}-kra
%files -n %{product_id}-kra -f .mfiles-pki-kra
################################################################################
%license base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
%{_datadir}/pki/kra/
# with kra
@ -1204,11 +1398,10 @@ fi
%if %{with ocsp}
################################################################################
%files -n %{product_id}-ocsp
%files -n %{product_id}-ocsp -f .mfiles-pki-ocsp
################################################################################
%license base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
%{_datadir}/pki/ocsp/
# with ocsp
@ -1216,11 +1409,10 @@ fi
%if %{with tks}
################################################################################
%files -n %{product_id}-tks
%files -n %{product_id}-tks -f .mfiles-pki-tks
################################################################################
%license base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
%{_datadir}/pki/tks/
# with tks
@ -1228,11 +1420,10 @@ fi
%if %{with tps}
################################################################################
%files -n %{product_id}-tps
%files -n %{product_id}-tps -f .mfiles-pki-tps
################################################################################
%license base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
%{_datadir}/pki/tps/
%{_mandir}/man5/pki-tps-connector.5.gz
%{_mandir}/man5/pki-tps-profile.5.gz
@ -1252,12 +1443,11 @@ fi
%if %{with console}
################################################################################
%files -n %{product_id}-console
%files -n %{product_id}-console -f .mfiles-pki-console
################################################################################
%license base/console/LICENSE
%{_bindir}/pkiconsole
%{_javadir}/pki/pki-console.jar
# with console
%endif
@ -1269,6 +1459,8 @@ fi
%license themes/%{theme}/common-ui/LICENSE
%dir %{_datadir}/pki
%if %{with server}
%{_datadir}/pki/CS_SERVER_VERSION
%{_datadir}/pki/common-ui/
%{_datadir}/pki/server/webapps/pki/ca
@ -1281,6 +1473,9 @@ fi
%{_datadir}/pki/server/webapps/pki/pki.properties
%{_datadir}/pki/server/webapps/pki/tks
# with server
%endif
%if %{with console}
################################################################################
%files -n %{product_id}-console-theme
@ -1307,6 +1502,12 @@ fi
################################################################################
%changelog
* Thu Mar 28 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-2
- RHEL-9916 CVE-2023-4727 pki-core: dogtag ca: token authentication bypass vulnerability
* Wed Feb 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-1
- Rebase to PKI 11.5.0
* Mon Jun 05 2023 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.4.2-1
- Rebase to PKI 11.4.2

Write Preview
Loading…
Cancel
Save