4 changed files with 607 additions and 644 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/pki-10.15.1.tar.gz
+SOURCES/pki-11.5.0.tar.gz
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@ -1 +1 @@
-cd9d17a0853ba94513f9622c675ea610bb209b48 SOURCES/pki-10.15.1.tar.gz
+dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz
--- a/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
+++ b/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
@ -0,0 +1,60 @@
 From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
 Date: Mon, 11 Sep 2023 15:40:32 -0500
 Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
 Previously the LDAPSecurityDomainSessionTable.sessionExists()
 and getStringValue() were using user-provided session ID as
 is in an LDAP filter which could be exploited to bypass token
 authentication.
 To fix the problem the code has been modified to escape all
 special characters in the session ID before using it in the
 LDAP filter.
 Resolves: CVE-2023-4727
 ---
 .../session/LDAPSecurityDomainSessionTable.java     | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
 diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
 index 7691a98a40..fb627b88cb 100644
 --- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
 +++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 +import com.netscape.cmsutil.ldap.LDAPUtil;
 import netscape.ldap.LDAPAttribute;
 import netscape.ldap.LDAPAttributeSet;
@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
         try {
             String basedn = ldapConfig.getBaseDN();
             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
 -            String filter = "(cn=" + sessionId + ")";
 +
 +            // CVE-2023-4727
 +            // escape session ID in LDAP search filter
 +            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
 +
             String[] attrs = { "cn" };
             conn = mLdapConnFactory.getConn();
@@ -254,7 +259,11 @@ public class LDAPSecurityDomainSessionTable
         try {
             String basedn = ldapConfig.getBaseDN();
             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
 -            String filter = "(cn=" + sessionId + ")";
 +
 +            // CVE-2023-4727
 +            // escape session ID in LDAP search filter
 +            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
 +
             String[] attrs = { attr };
             conn = mLdapConnFactory.getConn();
 -- 
 2.42.0
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
`@ -1 +1 @@`
	`SOURCES/pki-10.15.1.tar.gz`	`SOURCES/pki-11.5.0.tar.gz`
`@ -1 +1 @@`
	`cd9d17a0853ba94513f9622c675ea610bb209b48 SOURCES/pki-10.15.1.tar.gz`	`dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz`