4 changed files with 40 additions and 70 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/pki-11.5.0.tar.gz
+SOURCES/pki-11.5.1.tar.gz
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@ -1 +1 @@
-dd717a1d8e14cfd558d8772ef37f425db84debee SOURCES/pki-11.5.0.tar.gz
+d7c0b18bd25d9ae00121f58544ea5dc840b18a8d SOURCES/pki-11.5.1.tar.gz
--- a/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
+++ b/SOURCES/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
@ -1,60 +0,0 @@
-From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 11 Sep 2023 15:40:32 -0500
-Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
-
-Previously the LDAPSecurityDomainSessionTable.sessionExists()
-and getStringValue() were using user-provided session ID as
-is in an LDAP filter which could be exploited to bypass token
-authentication.
-
-To fix the problem the code has been modified to escape all
-special characters in the session ID before using it in the
-LDAP filter.
-
-Resolves: CVE-2023-4727
---
- .../session/LDAPSecurityDomainSessionTable.java     | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
-index 7691a98a40..fb627b88cb 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
-+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
-@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
- import com.netscape.cmscore.apps.EngineConfig;
- import com.netscape.cmscore.ldapconn.LDAPConfig;
- import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
-+import com.netscape.cmsutil.ldap.LDAPUtil;
- 
- import netscape.ldap.LDAPAttribute;
- import netscape.ldap.LDAPAttributeSet;
-@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
-         try {
-             String basedn = ldapConfig.getBaseDN();
-             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
-            String filter = "(cn=" + sessionId + ")";
-+
-+            // CVE-2023-4727
-+            // escape session ID in LDAP search filter
-+            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
-+
-             String[] attrs = { "cn" };
- 
-             conn = mLdapConnFactory.getConn();
-@@ -254,7 +259,11 @@ public class LDAPSecurityDomainSessionTable
-         try {
-             String basedn = ldapConfig.getBaseDN();
-             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
-            String filter = "(cn=" + sessionId + ")";
-+
-+            // CVE-2023-4727
-+            // escape session ID in LDAP search filter
-+            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
-+
-             String[] attrs = { attr };
- 
-             conn = mLdapConnFactory.getConn();
-- 
-2.42.0
-
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@ -9,12 +9,12 @@ Name:             pki-core
 # Upstream version number:
 %global           major_version 11
 %global           minor_version 5
-%global           update_version 0
+%global           update_version 1

 # Downstream release number:
 # - development/stabilization (unsupported): 0.<n> where n >= 1
 # - GA/update (supported): <n> where n >= 1
-%global           release_number 2
+%global           release_number 1

 # Development phase:
 # - development (unsupported): alpha<n> where n >= 1
@ -46,7 +46,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase}
 #     <version tag> \
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
-Patch: 0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch

 %if 0%{?java_arches:1}
 ExclusiveArch: %{java_arches}
@ -64,9 +63,27 @@ ExcludeArch: i686
 # Java
 ################################################################################

-%global java_devel java-17-openjdk-devel
-%global java_headless java-17-openjdk-headless
-%global java_home %{_jvmdir}/jre-17-openjdk
+%if 0%{?rhel}
+
+%define java_devel java-17-openjdk-devel
+%define java_headless java-17-openjdk-headless
+%define java_home %{_jvmdir}/jre-17-openjdk
+
+%else
+
+# Use Java 21 on Fedora 40+, otherwise use Java 17.
+%global java_devel java-devel >= 1:17
+%global java_headless java-headless >= 1:17
+
+# Don't use find since it might not work well with local builds.
+#   find {_jvmdir} -maxdepth 1 | grep "jre-[0-9]\+$"
+%global java_home %(
+   source /usr/share/java-utils/java-functions;
+   _prefer_jre=true;
+   set_jvm;
+   echo $JAVA_HOME)
+
+%endif

 ################################################################################
 # Application Server
@ -1012,6 +1029,7 @@ popd

 # Remove all symbol table and relocation information from the executable.
 C_FLAGS="-s"
+CXX_FLAGS="$CXX_FLAGS -g -fPIE -pie"

 %if 0%{?fedora}
 # https://sourceware.org/annobin/annobin.html/Test-gaps.html
@ -1022,12 +1040,23 @@ C_FLAGS="$C_FLAGS -fcf-protection=full"

 # https://sourceware.org/annobin/annobin.html/Test-optimization.html
 C_FLAGS="$C_FLAGS -O2"
+CXX_FLAGS="$CXX_FLAGS -O2"

 # https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html
 C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS"
+CXX_FLAGS="$CXX_FLAGS -D_GLIBCXX_ASSERTIONS"

 # https://sourceware.org/annobin/annobin.html/Test-lto.html
 C_FLAGS="$C_FLAGS -fno-lto"
+
+# https://sourceware.org/annobin/annobin.html/Test-fortify.html
+C_FLAGS="$C_FLAGS -D_FORTIFY_SOURCE=3"
+CXX_FLAGS="$CXX_FLAGS -D_FORTIFY_SOURCE=3"
+
+# https://sourceware.org/annobin/annobin.html/Test-stack-clash.html
+C_FLAGS="$C_FLAGS -fstack-clash-protection"
+CXX_FLAGS="$CXX_FLAGS -fstack-clash-protection"
+
 %endif

 pkgs=base\
@ -1061,6 +1090,7 @@ pkgs=base\
    --share-dir=%{_datadir} \
    --cmake=%{__cmake} \
    --c-flags="$C_FLAGS" \
+    --cxx-flags="$CXX_FLAGS" \
    --java-home=%{java_home} \
    --jni-dir=%{_jnidir} \
    --unit-dir=%{_unitdir} \
@ -1502,8 +1532,8 @@ fi

 ################################################################################
 %changelog
-* Thu Mar 28 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-2
- RHEL-9916 CVE-2023-4727 pki-core: dogtag ca: token authentication bypass vulnerability
+* Fri Jun 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.1-1
+- Rebase to PKI 11.5.1

 * Wed Feb 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.5.0-1
 - Rebase to PKI 11.5.0