diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch b/SOURCES/0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch
new file mode 100644
index 0000000..3642e98
--- /dev/null
+++ b/SOURCES/0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch
@@ -0,0 +1,117 @@
+From bb224602e105859e93a52f8c9f464eb9cbe79b0a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 26 Jun 2023 13:06:51 -0400
+Subject: [PATCH] Fix memory leak in the OTP last token plugin
+
+Three memory leaks are addressed:
+
+1. String values retrieved from the pblock need to be manually
+freed.
+
+2. The list of objectclasses retreived from the pblock need to be
+freed.
+
+3. Internal search results need to be freed.
+
+Fixes: https://pagure.io/freeipa/issue/9403
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ .../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 38 +++++++++++++------
+ daemons/ipa-slapi-plugins/libotp/otp_token.c | 1 +
+ 2 files changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+index b7a2ba7f012fdbf90284ee6605788e196aa4793b..11106b239f9de9074125979cfae7c02e434936e1 100644
+--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
++++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id;
+
+ static bool entry_is_token(Slapi_Entry *entry)
+ {
+- char **ocls;
++ char **ocls = NULL;
+
+ ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
+ for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
+@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry)
+ }
+ }
+
++ slapi_ch_array_free(ocls);
+ return false;
+ }
+
+@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn)
+ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
+ {
+ Slapi_DN *target_sdn = NULL;
+- const char *bind_dn;
++ char *bind_dn;
++ bool rv = false;
+
+ /* Ignore internal operations. */
+ if (slapi_op_internal(pb))
+@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
+ /* Load parameters. */
+ (void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+ (void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
+- if (target_sdn == NULL || bind_dn == NULL) {
+- LOG_FATAL("Missing parameters!\n");
+- return false;
++ if (bind_dn == NULL) {
++ LOG_FATAL("bind_dn parameter missing!\n");
++ goto done;
++ }
++ if (target_sdn == NULL) {
++ LOG_FATAL("target_sdn parameter missing!\n");
++ goto done;
+ }
+
+ if (entry != NULL
+ ? !entry_is_token(entry)
+- : !sdn_in_otp_container(target_sdn))
+- return true;
++ : !sdn_in_otp_container(target_sdn)) {
++ rv = true;
++ goto done;
++ }
+
+- if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
+- return true;
++ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) {
++ rv = true;
++ goto done;
++ }
+
+- if (is_pwd_enabled(bind_dn))
+- return true;
++ if (is_pwd_enabled(bind_dn)) {
++ rv = true;
++ goto done;
++ }
+
+- return false;
++done:
++ slapi_ch_free_string(&bind_dn);
++ return rv;
+ }
+
+ static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
+diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
+index a3cbfb0621c071f8addb29f7ce02f870a807c61d..4be4ede07cbbd0d26bcc9952ef4d84d777076ae7 100644
+--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
++++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
+@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn
+ }
+
+ error:
++ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+ return tokens;
+ }
+--
+2.41.0
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 5e6669d..cc61279 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 312afefae97cf9cdb9cfe2dd4c2e601b96398f2f Mon Sep 17 00:00:00 2001
+From 13ee263bba8f46a9f1d4c368d72524552c332dad Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5
""") + _("""
To enable the binddn run the following command to set the password:
--
-2.39.2
+2.41.0
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 25153c9..fd08eff 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 647b13eb361f5c47ed48eeb013b5b16c5b721822 Mon Sep 17 00:00:00 2001
+From 0ca1bc7a49208ec65dd97e86cb881977145b8313 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
@@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9
--
-2.39.2
+2.41.0
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index 7ff17c9..ea33ea8 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From b3a5f7efdb263aaa093fa66ca8322dc3e1d0d691 Mon Sep 17 00:00:00 2001
+From 3755f0fca552596947965a0619a0b4c441c2478b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
--
-2.39.2
+2.41.0
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 9c51298..b9b2fc9 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From 857aad5b92ae9b489fa7440cb27e8277150ce563 Mon Sep 17 00:00:00 2001
+From 14bef27a42a6ab0ce59f1fdcb3be15d587f75d12 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000
@@ -1 +0,0 @@
-{{ options|join(";") }}
--
-2.39.2
+2.41.0
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 3caf84c..a01c350 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 3cd6a0d933544b98b6f0ead1c5f7ff1f8e131e80 Mon Sep 17 00:00:00 2001
+From 1982419219ed9bae2931452e3feace026344b82a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Fri, 10 Aug 2018 13:16:38 +0200
Subject: [PATCH] Removing filesystem encoding check
@@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b
IPA_NOT_CONFIGURED = b'IPA is not configured on this system'
IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
--
-2.39.2
+2.41.0
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 9c4d18e..c0f2b6c 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -103,7 +103,7 @@
Name: ipa
Version: %{IPA_VERSION}
-Release: 5%{?dist}.14
+Release: 5%{?dist}.15
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -111,9 +111,9 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -158,6 +158,7 @@ Patch0037: 0037-Defer-creating-the-final-krb5.conf-on-clients.patch
Patch0038: 0038-Move-client-certificate-request-after-krb5.conf-is-c.patch
Patch0039: 0039-server-install-remove-error-log-about-missing-bkup-f.patch
Patch0040: 0040-ipaserver-deepcopy-objectclasses-list-from-IPA-confi.patch
+Patch0041: 0041-Fix-memory-leak-in-the-OTP-last-token-plugin.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Package-copy-schema-to-ca.py.patch
Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -414,10 +415,7 @@ Requires: oddjob
Requires: gssproxy >= 0.7.0-2
# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
Requires: system-logos >= 70.7.0
-%endif
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@@ -974,9 +972,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
# with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -1000,8 +998,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
%make_build
@@ -1022,8 +1019,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
popd
%endif
# with_python3
@@ -1110,11 +1106,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
# remove files which are useful only for make uninstall
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
# RHEL spec file only: START: Replace login-screen-logo.png with a symlink
ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
# RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
%find_lang %{gettext_domain}
@@ -1771,6 +1765,9 @@ fi
%changelog
+* Thu Aug 03 2023 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.15
+- Resolves: 2209636 libipa_otp_lasttoken plugin memory leak
+
* Thu Mar 23 2023 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.14
- Resolves: 2180919 [rhel-7] Sequence processing failures for group_add using server context
- ipaserver: deepcopy objectclasses list from IPA config