diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch b/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch
new file mode 100644
index 0000000..456f839
--- /dev/null
+++ b/SOURCES/0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch
@@ -0,0 +1,41 @@
+From 18540386230e295087296e58761ced2b781ae4e3 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Nov 21 2019 09:44:37 +0000
+Subject: Do not run trust upgrade code if master lacks Samba bindings
+
+
+If a replica has no Samba bindings but there are trust agreements
+configured on some trust controller, skip trust upgrade code on this
+replica.
+
+Resolves: https://pagure.io/freeipa/issue/8001
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+
+---
+
+diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
+index b7bb53f..2a9b4f0 100644
+--- a/ipaserver/install/plugins/adtrust.py
++++ b/ipaserver/install/plugins/adtrust.py
+@@ -24,6 +24,8 @@ except ImportError:
+ def ndr_unpack(x):
+ raise NotImplementedError
+
++ drsblobs = None
++
+ logger = logging.getLogger(__name__)
+
+ register = Registry()
+@@ -633,6 +635,10 @@ class update_tdo_to_new_layout(Updater):
+ logger.debug('AD Trusts are not enabled on this server')
+ return False, []
+
++ # If we have no Samba bindings, this master is not a trust controller
++ if drsblobs is None:
++ return False, []
++
+ ldap = self.api.Backend.ldap2
+ gidNumber = get_gidNumber(ldap, self.api.env)
+ if gidNumber is None:
+
diff --git a/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch b/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch
new file mode 100644
index 0000000..9b399a3
--- /dev/null
+++ b/SOURCES/0014-CVE-2019-10195-and-CVE-2019-14867.patch
@@ -0,0 +1,187 @@
+From e11e73abc101361c0b66b3b958a64c9c8f6c608b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 16 Sep 2019 11:12:25 -0400
+Subject: [PATCH 1/2] CVE-2019-14867: Make sure to have storage space for tag
+
+ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
+by "t", if that is not provided the pointer will be store in whatever
+memory location is pointed by the stack at that time causeing a crash.
+
+It's also possible for unprivileged end users to trigger parsing of the
+krbPrincipalKey.
+
+Fixes #8071: CVE-2019-14867
+
+Reported by Todd Lipcon from Cloudera
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+(cherry picked from commit d2e0d94521893bc5f002a335a8c0b99601e1afd6)
+---
+ util/ipa_krb5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
+index a27cd4a4e..c09c3daa5 100644
+--- a/util/ipa_krb5.c
++++ b/util/ipa_krb5.c
+@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
+ retag = ber_peek_tag(be, &setlen);
+ if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
+ /* not supported yet, skip */
+- retag = ber_scanf(be, "t[x]}");
++ retag = ber_scanf(be, "t[x]}", &tag);
+ } else {
+ retag = ber_scanf(be, "}");
+ }
+--
+2.23.0
+
+
+From 39120fa9a4a00983917659e4253446ed82839975 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 2 Jul 2019 13:44:48 -0400
+Subject: [PATCH 2/2] CVE-2019-10195: Don't log passwords embedded in commands
+ in calls using batch
+
+A raw batch request was fully logged which could expose parameters
+we don't want logged, like passwords.
+
+Override _repr_iter to use the individual commands to log the
+values so that values are properly obscured.
+
+In case of errors log the full value on when the server is in
+debug mode.
+
+Reported by Jamison Bennett from Cloudera
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-by: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/plugins/batch.py | 96 ++++++++++++++++++++++++++++----------
+ 1 file changed, 72 insertions(+), 24 deletions(-)
+
+diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py
+index c9895a8f6..b95944c54 100644
+--- a/ipaserver/plugins/batch.py
++++ b/ipaserver/plugins/batch.py
+@@ -93,35 +93,82 @@ class batch(Command):
+ Output('results', (list, tuple), doc='')
+ )
+
++ def _validate_request(self, request):
++ """
++ Check that an individual request in a batch is parseable and the
++ commands exists.
++ """
++ if 'method' not in request:
++ raise errors.RequirementError(name='method')
++ if 'params' not in request:
++ raise errors.RequirementError(name='params')
++ name = request['method']
++ if (name not in self.api.Command or
++ isinstance(self.api.Command[name], Local)):
++ raise errors.CommandError(name=name)
++
++ # If params are not formated as a tuple(list, dict)
++ # the following lines will raise an exception
++ # that triggers an internal server error
++ # Raise a ConversionError instead to report the issue
++ # to the client
++ try:
++ a, kw = request['params']
++ newkw = dict((str(k), v) for k, v in kw.items())
++ api.Command[name].args_options_2_params(*a, **newkw)
++ except (AttributeError, ValueError, TypeError):
++ raise errors.ConversionError(
++ name='params',
++ error=_(u'must contain a tuple (list, dict)'))
++ except Exception as e:
++ raise errors.ConversionError(
++ name='params',
++ error=str(e))
++
++ def _repr_iter(self, **params):
++ """
++ Iterate through the request and use the Command _repr_intr so
++ that sensitive information (passwords) is not exposed.
++
++ In case of a malformatted request redact the entire thing.
++ """
++ exceptions = False
++ for arg in (params.get('methods', [])):
++ try:
++ self._validate_request(arg)
++ except Exception:
++ # redact the whole request since we don't know what's in it
++ exceptions = True
++ yield u'********'
++ continue
++
++ name = arg['method']
++ a, kw = arg['params']
++ newkw = dict((str(k), v) for k, v in kw.items())
++ param = api.Command[name].args_options_2_params(
++ *a, **newkw)
++
++ yield '{}({})'.format(
++ api.Command[name].name,
++ ', '.join(api.Command[name]._repr_iter(**param))
++ )
++
++ if exceptions:
++ logger.debug('batch: %s',
++ ', '.join(super(batch, self)._repr_iter(**params)))
++
+ def execute(self, methods=None, **options):
+ results = []
+ for arg in (methods or []):
+ params = dict()
+ name = None
+ try:
+- if 'method' not in arg:
+- raise errors.RequirementError(name='method')
+- if 'params' not in arg:
+- raise errors.RequirementError(name='params')
++ self._validate_request(arg)
+ name = arg['method']
+- if (name not in self.api.Command or
+- isinstance(self.api.Command[name], Local)):
+- raise errors.CommandError(name=name)
+-
+- # If params are not formated as a tuple(list, dict)
+- # the following lines will raise an exception
+- # that triggers an internal server error
+- # Raise a ConversionError instead to report the issue
+- # to the client
+- try:
+- a, kw = arg['params']
+- newkw = dict((str(k), v) for k, v in kw.items())
+- params = api.Command[name].args_options_2_params(
+- *a, **newkw)
+- except (AttributeError, ValueError, TypeError):
+- raise errors.ConversionError(
+- name='params',
+- error=_(u'must contain a tuple (list, dict)'))
++ a, kw = arg['params']
++ newkw = dict((str(k), v) for k, v in kw.items())
++ params = api.Command[name].args_options_2_params(
++ *a, **newkw)
+ newkw.setdefault('version', options['version'])
+
+ result = api.Command[name](*a, **newkw)
+@@ -133,8 +180,9 @@ class batch(Command):
+ )
+ result['error']=None
+ except Exception as e:
+- if isinstance(e, errors.RequirementError) or \
+- isinstance(e, errors.CommandError):
++ if (isinstance(e, errors.RequirementError) or
++ isinstance(e, errors.CommandError) or
++ isinstance(e, errors.ConversionError)):
+ logger.info(
+ '%s: batch: %s',
+ context.principal, # pylint: disable=no-member
+--
+2.23.0
+
diff --git a/SOURCES/9001-Update-ipa.css.patch b/SOURCES/9001-Update-ipa.css.patch
deleted file mode 100644
index 8bd3498..0000000
--- a/SOURCES/9001-Update-ipa.css.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a82e5eb637463755642f88fe94badff85d6e50e5 Mon Sep 17 00:00:00 2001
-From: Alain Reguera Delgado <areguera@centosproject.org>
-Date: Sat, 23 Nov 2019 18:42:41 -0300
-Subject: [PATCH 9001/9003] Update ipa.css
-
-- Previously, the CentOS logos doesn't look the same width than CentOS
- logos in cockpit ui. So, when you change between them, a visual
- difference affects calls the attention (are we using two different
- branding?). In order to make these visual transition from one app to
- another consistent, changed the logo width to look the same both in
- cockpit and ipa ui.
----
- install/ui/ipa.css | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/install/ui/ipa.css b/install/ui/ipa.css
-index 2921f43..e56caeb 100644
---- a/install/ui/ipa.css
-+++ b/install/ui/ipa.css
-@@ -559,3 +559,8 @@ table.scrollable tbody {
- font-weight: bold;
- font-size: 1.1em;
- }
-+
-+/* --- CentOS Logo on the top-right corner --- */
-+#badge img {
-+ width: 225px;
-+}
---
-2.23.0
-
diff --git a/SOURCES/9002-Update-login.less.patch b/SOURCES/9002-Update-login.less.patch
deleted file mode 100644
index 3c8c3fd..0000000
--- a/SOURCES/9002-Update-login.less.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 25aecc3b5de468ac3c9d1cf80681f2b6625eb50b Mon Sep 17 00:00:00 2001
-From: Alain Reguera Delgado <areguera@centosproject.org>
-Date: Sat, 23 Nov 2019 18:46:38 -0300
-Subject: [PATCH 9002/9003] Update login.less
-
----
- install/ui/less/login.less | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/install/ui/less/login.less b/install/ui/less/login.less
-index 8996560..4c39bec 100644
---- a/install/ui/less/login.less
-+++ b/install/ui/less/login.less
-@@ -26,7 +26,7 @@
-
- .login-pf-body {
- height: 100%;
-- background: @login-bg-color url("@{img-path}/@{img-bg-login}") repeat-x 50% 0;
-+ background: @login-bg-color url("@{img-path}/@{img-bg-login}") no-repeat 100% 0;
- background-size: auto;
- color: #fff;
-
-@@ -50,10 +50,10 @@
- // 768px = @screen-sm-min)
- @media (min-width: 768px) {
- .login-pf-body {
-- background-size: 100% auto;
-+ background-size: auto;
- }
- }
-
- @media (max-height: 300px) {
- .reset-login-pf-height;
--}
-\ No newline at end of file
-+}
---
-2.23.0
-
diff --git a/SOURCES/9003-Update-variables.less.patch b/SOURCES/9003-Update-variables.less.patch
deleted file mode 100644
index 795cd01..0000000
--- a/SOURCES/9003-Update-variables.less.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 8e4746d4b697302b9573dd6f8b2e28f12ca6669b Mon Sep 17 00:00:00 2001
-From: Alain Reguera Delgado <areguera@centosproject.org>
-Date: Sat, 23 Nov 2019 18:46:47 -0300
-Subject: [PATCH 9003/9003] Update variables.less
-
----
- install/ui/less/variables.less | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/install/ui/less/variables.less b/install/ui/less/variables.less
-index 5a7a3ea..ca63d0c 100644
---- a/install/ui/less/variables.less
-+++ b/install/ui/less/variables.less
-@@ -1,5 +1,5 @@
- // FreeIPA Less Variables
-
- @img-path: '../images';
--@img-bg-login: 'login-screen-background.jpg';
--@login-bg-color: #25292d;
-\ No newline at end of file
-+@img-bg-login: 'login-screen-background.png';
-+@login-bg-color: #101010;
---
-2.23.0
-
diff --git a/SOURCES/system-logo-icon.png b/SOURCES/system-logo-icon.png
deleted file mode 100644
index 6961083..0000000
Binary files a/SOURCES/system-logo-icon.png and /dev/null differ
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index bb85096..a09e435 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -135,7 +135,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 11%{?dist}
+Release: 13%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@@ -162,17 +162,12 @@ Patch0009: 0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OB
Patch0010: 0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch
Patch0011: 0011-adtrust-avoid-using-timestamp-in-klist-output_ed1c1626-rhbz#1750242.patch
Patch0012: 0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch
+Patch0013: 0013-Do-not-run-trust-upgrade-code-if-master-lacks-Samba-bindings_1854038_rhbz#1773516.patch
+Patch0014: 0014-CVE-2019-10195-and-CVE-2019-14867.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-4.8.0-Remove-csrgen.patch
# RHEL spec file only: END
-# CentOS spec file only: START
-Source9001: system-logo-icon.png
-Patch9001: 9001-Update-ipa.css.patch
-Patch9002: 9002-Update-login.less.patch
-Patch9003: 9003-Update-variables.less.patch
-# CentOS spec file only: END
-
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -787,11 +782,6 @@ done
# product-name.png
# RHEL spec file only: END
-# CentOS spec file only: START
-# Change favicon using CentOS logo
-cp %{SOURCE9001} install/ui/favicon.ico
-# CentOS spec file only: END
-
%build
# RHEL spec file only: START
autoreconf -i -f
@@ -804,8 +794,7 @@ export PYTHON=%{__python3}
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
# run build in default dir
# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
@@ -1406,8 +1395,15 @@ fi
%changelog
-* Tue Nov 05 2019 CentOS Sources <bugs@centos.org> - 4.8.0-11.el8.centos
-- Apply debranding changes
+* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-13
+- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
+ Resolves: RHBZ#1767303
+- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
+ Resolves: RHBZ#1728125
+
+* Thu Nov 21 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-12
+- Do not run trust upgrade code if master lacks Samba bindings
+ Resolves: RHBZ#1773516
* Mon Sep 23 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-11
- Adtrust: avoid using timestamp in klist output