From 1beea6cffd45e4a640030d7cef0328703cd810bd Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 15 2019 14:36:56 +0000 Subject: import jss-4.4.6-3.el7_7 --- diff --git a/SOURCES/0001-JSS-CVE-2019-14823-fix.patch b/SOURCES/0001-JSS-CVE-2019-14823-fix.patch new file mode 100644 index 0000000..d80be6a --- /dev/null +++ b/SOURCES/0001-JSS-CVE-2019-14823-fix.patch @@ -0,0 +1,337 @@ +From 32d6c776ad5c489efea9f380fdac296a63209ea5 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 4 Sep 2019 08:33:14 -0400 +Subject: [PATCH] Fix root certificate validation + +When the Leaf and Chain OCSP checking policy is enabled in +CryptoManager, JSS will switch to alternative certificate verification +logic in JSSL_DefaultCertAuthCallback. In this method, the root +certificate was incorrectly trusted without being verified to exist in +the trust store. + +This patch cleans up the logic in JSSL_verifyCertPKIX and makes it +more explicit in addition to fixing the error. + +Fixes CVE-2019-14823 + +Signed-off-by: Alexander Scheel +--- + org/mozilla/jss/ssl/common.c | 239 ++++++++++++++++++++--------------- + 1 file changed, 138 insertions(+), 101 deletions(-) + +diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c +index 8c2a2240..030588c8 100644 +--- a/org/mozilla/jss/ssl/common.c ++++ b/org/mozilla/jss/ssl/common.c +@@ -936,170 +936,207 @@ finish: + return root; + } + +-/* Verify a cert using explicit PKIX call. +- * For now only used in OCSP AIA context. +- * The result of this call will be a full chain +- * and leaf network AIA ocsp validation. +- * The policy param will be used in the future to +- * handle more scenarios. +- */ +- +-SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, +- SECCertificateUsage certificateUsage,secuPWData *pwdata, int ocspPolicy, +- CERTVerifyLog *log, SECCertificateUsage *usage) ++/* Internal helper for the below call. */ ++static SECStatus ++JSSL_verifyCertPKIXInternal(CERTCertificate *cert, ++ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy, ++ CERTVerifyLog *log, SECCertificateUsage *usage, ++ CERTCertList *trustedCertList) + { +- +- /* put the first set of possible flags internally here first */ +- /* later there could be a more complete list to choose from */ +- /* support our hard core fetch aia ocsp policy for now */ +- +- static PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = { ++ /* Put the first set of possible flags internally here first. Later ++ * there could be a more complete list to choose from; for now we only ++ * support our hard core fetch AIA OCSP policy. Note that we disable ++ * CRL fetching as Dogtag doesn't support it. Additionally, enable OCSP ++ * checking on the chained CA certificates. Since NSS/PKIX's ++ * CERT_GetClassicOCSPEnabledHardFailurePolicy doesn't do what we want, ++ * we construct the policy ourselves. */ ++ PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = { + /* crl */ +- 0, ++ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD, + /* ocsp */ + CERT_REV_M_TEST_USING_THIS_METHOD | +- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO ++ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO + }; + +- static PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = { ++ PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = { + /* crl */ +- 0, ++ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD, + /* ocsp */ + CERT_REV_M_TEST_USING_THIS_METHOD | +- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO ++ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO + }; + +- static CERTRevocationMethodIndex +- ocsp_Enabled_Hard_Policy_Method_Preference = { +- cert_revocation_method_ocsp +- }; +- +- static CERTRevocationFlags ocsp_Enabled_Hard_Policy = { +- { /* leafTests */ +- 2, +- ocsp_Enabled_Hard_Policy_LeafFlags, +- 1, +- &ocsp_Enabled_Hard_Policy_Method_Preference, +- 0 }, +- { /* chainTests */ +- 2, +- ocsp_Enabled_Hard_Policy_ChainFlags, +- 1, +- &ocsp_Enabled_Hard_Policy_Method_Preference, +- 0 } ++ CERTRevocationMethodIndex ocsp_Enabled_Hard_Policy_Method_Preference[1] = { ++ cert_revocation_method_ocsp + }; + +- /* for future expansion */ ++ CERTRevocationFlags ocsp_Enabled_Hard_Policy = { ++ /* CERTRevocationTests - leafTests */ ++ { ++ /* number_of_defined_methods */ ++ 2, ++ /* cert_rev_flags_per_method */ ++ ocsp_Enabled_Hard_Policy_LeafFlags, ++ /* number_of_preferred_methods */ ++ 1, ++ /* preferred_methods */ ++ ocsp_Enabled_Hard_Policy_Method_Preference, ++ /* cert_rev_method_independent_flags */ ++ 0 ++ }, ++ /* CERTRevocationTests - chainTests */ ++ { ++ /* number_of_defined_methods */ ++ 2, ++ /* cert_rev_flags_per_method */ ++ ocsp_Enabled_Hard_Policy_ChainFlags, ++ /* number_of_preferred_methods */ ++ 1, ++ /* preferred_methods */ ++ ocsp_Enabled_Hard_Policy_Method_Preference, ++ /* cert_rev_method_independent_flags */ ++ 0 ++ } ++ }; + +- CERTValOutParam cvout[20] = {0}; +- CERTValInParam cvin[20] = {0}; ++ /* The size of these objects are defined here based upon maximum possible ++ * inputs. A dynamic allocation could reallocate based upon actual usage, ++ * however this would affect the size by at most one or two. Note that, ++ * due to the required usage of cert_pi_end/cert_po_end, these sizes are ++ * inflated by one. */ ++ CERTValOutParam cvout[3] = {{0}}; ++ CERTValInParam cvin[6] = {{0}}; + ++ int usageIndex = -1; + int inParamIndex = 0; + int outParamIndex = 0; +- CERTRevocationFlags *rev = NULL; + +- CERTCertList *trustedCertList = NULL; +- +- PRBool fetchCerts = PR_FALSE; +- +- SECCertUsage certUsage = certUsageSSLClient /* 0 */; +- + SECStatus res = SECFailure; +- if(cert == NULL) { ++ ++ if (cert == NULL) { + goto finish; + } + +- if(ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) { ++ if (ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) { + goto finish; + } + +- /* Force the strict ocsp network check on chain +- and leaf. +- */ +- +- fetchCerts = PR_TRUE; +- rev = &ocsp_Enabled_Hard_Policy; +- +- /* fetch aia over net */ +- ++ /* Enable live AIA fetching over the network. */ + cvin[inParamIndex].type = cert_pi_useAIACertFetch; +- cvin[inParamIndex].value.scalar.b = fetchCerts; +- inParamIndex++; +- +- /* time */ ++ cvin[inParamIndex].value.scalar.b = PR_TRUE; ++ inParamIndex++; + ++ /* By setting the time to zero, we choose the current time when the ++ * check is performed. */ + cvin[inParamIndex].type = cert_pi_date; +- cvin[inParamIndex].value.scalar.time = PR_Now(); ++ cvin[inParamIndex].value.scalar.time = 0; + inParamIndex++; + +- /* flags */ +- ++ /* Force the strict OCSP check on both the leaf and its chain. */ + cvin[inParamIndex].type = cert_pi_revocationFlags; +- cvin[inParamIndex].value.pointer.revocation = rev; ++ cvin[inParamIndex].value.pointer.revocation = &ocsp_Enabled_Hard_Policy; + inParamIndex++; + +- /* establish trust anchor */ +- +- /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain +- * the root. +- */ +- +- SECCertificateUsage testUsage = certificateUsage; +- while (0 != (testUsage = testUsage >> 1)) { certUsage++; } +- +- CERTCertificate *root = getRoot(cert,certUsage); +- +- /* Try to add the root as the trust anchor so all the +- other memebers of the ca chain will get validated. +- */ +- +- if( root != NULL ) { +- trustedCertList = CERT_NewCertList(); +- CERT_AddCertToListTail(trustedCertList, root); +- ++ /* Establish a trust anchor if it is passed to us. NOTE: this trust anchor ++ * must previously be validated before it is passed to us here. */ ++ if (trustedCertList != NULL) { + cvin[inParamIndex].type = cert_pi_trustAnchors; + cvin[inParamIndex].value.pointer.chain = trustedCertList; +- + inParamIndex++; + } + ++ /* Done establishing input parameters. */ + cvin[inParamIndex].type = cert_pi_end; + +- if(log != NULL) { ++ /* When we need to log rationale for failure, pass it as an output ++ * parameter. */ ++ if (log != NULL) { + cvout[outParamIndex].type = cert_po_errorLog; + cvout[outParamIndex].value.pointer.log = log; + outParamIndex ++; + } + +- int usageIndex = 0; +- if(usage != NULL) { ++ /* When we need to inquire about the resulting certificate usage, pass it ++ * here. */ ++ if (usage != NULL) { + usageIndex = outParamIndex; + cvout[outParamIndex].type = cert_po_usages; + cvout[outParamIndex].value.scalar.usages = 0; + outParamIndex ++; + } + ++ /* Done establishing output parameters. */ + cvout[outParamIndex].type = cert_po_end; + ++ /* Call into NSS's PKIX library to validate our certificate. */ + res = CERT_PKIXVerifyCert(cert, certificateUsage, cvin, cvout, &pwdata); + + finish: +- /* clean up any trusted cert list */ +- ++ /* Clean up any certificates in the trusted certificate list. This was ++ * a passed input parameter, but by taking ownership of it and clearing it, ++ * we enable tail calls to this function. */ + if (trustedCertList) { ++ /* CERT_DestroyCertList destroys interior certs for us. */ + CERT_DestroyCertList(trustedCertList); + trustedCertList = NULL; + } + +- /* CERT_DestroyCertList destroys interior certs for us. */ +- +- if(root) { +- root = NULL; +- } +- +- if(res == SECSuccess && usage) { ++ if (res == SECSuccess && usage && usageIndex != -1) { + *usage = cvout[usageIndex].value.scalar.usages; + } + + return res; + } ++ ++/* Verify a cert using an explicit PKIX call. For now only perform this call ++ * when the OCSP policy is set to leaf and chain. Performs a blocking, online ++ * OCSP status refresh. The result of this call will be a full-chain OCSP ++ * validation. ++ * ++ * In the future, we'll use ocspPolicy to condition around additional policies ++ * and handle them all with this method (and a call to PKIX). ++ * ++ * Note that this currently requires the certificate to be added directly ++ * to the NSS DB. We can't otherwise validate against root certificates in ++ * the default NSS DB. ++ */ ++SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, ++ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy, ++ CERTVerifyLog *log, SECCertificateUsage *usage) ++{ ++ SECCertUsage certUsage = certUsageSSLClient /* 0 */; ++ ++ /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain ++ * the root. ++ */ ++ ++ SECCertificateUsage testUsage = certificateUsage; ++ while (0 != (testUsage = testUsage >> 1)) { certUsage++; } ++ ++ CERTCertificate *root = getRoot(cert, certUsage); ++ ++ // Two cases: either the root is present, or it isn't. ++ if (root == NULL) { ++ /* In this case, we've had a hard time finding the root. In all ++ * likelihood, the following call will fail to validate the end cert ++ * as well and thus fail to validate. I don't believe there's a risk ++ * in trying it however. */ ++ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata, ++ ocspPolicy, log, usage, NULL); ++ } else { ++ /* In this case, we've found the root certificate. Before passing it ++ * to the leaf, explicitly validate it with strict OCSP checking. Then ++ * validate the leaf certificate with a known and trusted root ++ * certificate. */ ++ SECStatus ret = JSSL_verifyCertPKIXInternal(root, certificateUsageSSLCA, ++ pwdata, ocspPolicy, log, usage, NULL); ++ if (ret != SECSuccess) { ++ return ret; ++ } ++ ++ CERTCertList *rootList = CERT_NewCertList(); ++ CERT_AddCertToListTail(rootList, root); ++ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata, ++ ocspPolicy, log, usage, rootList); ++ } ++} +-- +2.21.0 + diff --git a/SOURCES/0002-Add-script-to-add-common-root-CAs.patch b/SOURCES/0002-Add-script-to-add-common-root-CAs.patch new file mode 100644 index 0000000..cde61fe --- /dev/null +++ b/SOURCES/0002-Add-script-to-add-common-root-CAs.patch @@ -0,0 +1,59 @@ +From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Thu, 29 Aug 2019 16:14:08 -0400 +Subject: [PATCH 2/3] Add script to add common root CAs + +When given an NSS DB, common_roots.sh uses the trust command to extract +the root CAs trusted by the local system and add them to said NSS DB. + +Signed-off-by: Alexander Scheel +--- + tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + create mode 100755 tools/common_roots.sh + +diff --git a/tools/common_roots.sh b/tools/common_roots.sh +new file mode 100755 +index 00000000..97341c4c +--- /dev/null ++++ b/tools/common_roots.sh +@@ -0,0 +1,36 @@ ++#!/bin/bash ++ ++# This script reads the contents of the OS CA bundle store, ++# /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit ++# and places the contained CAs into the specified NSS DB. ++# ++# This NSS DB is used by various JSS tests that aren't enabled ++# by default because they require an active internet connection. ++ ++nssdb="$1" ++ ++if [ -z "$nssdb" ] && [ -e "build" ]; then ++ nssdb="build/results/cadb" ++elif [ -z "$nssdb" ] && [ -e "../build" ]; then ++ nssdb="../build/results/cadb" ++else ++ echo "Must provide path to NSS DB!" 1>&2 ++ exit 1 ++fi ++ ++if [ -e "$nssdb" ]; then ++ rm -rf "$nssdb" ++fi ++ ++mkdir -p "$nssdb" ++echo "" > "$nssdb/password.txt" ++certutil -N -d "$nssdb" -f "$nssdb/password.txt" ++ ++trust extract --format=pem-bundle --filter=ca-anchors "$nssdb/complete.pem" ++ ++# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file ++csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}' ++ ++for cert in "$nssdb"/individual*; do ++ certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt" ++done +-- +2.21.0 + diff --git a/SOURCES/0003-Add-optional-test-case-against-badssl.com.patch b/SOURCES/0003-Add-optional-test-case-against-badssl.com.patch new file mode 100644 index 0000000..ba155f1 --- /dev/null +++ b/SOURCES/0003-Add-optional-test-case-against-badssl.com.patch @@ -0,0 +1,233 @@ +From 7b4c0fa04f5e4469fc8bc442c9f12f975c5e1610 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 28 Aug 2019 09:23:41 -0400 +Subject: [PATCH 3/3] Add optional test case against badssl.com + +badssl.com maintains a number of subdomains with valid and invalid TLS +configurations. A number of these test certificates which fail in +certain scenarios (revoked, expired, etc). Add a test runner which +validates SSLSocket's implementation against badssl.com. + +Signed-off-by: Alexander Scheel +--- + org/mozilla/jss/tests/BadSSL.java | 208 ++++++++++++++++++++++++++++++ + 1 file changed, 208 insertions(+) + create mode 100644 org/mozilla/jss/tests/BadSSL.java + +diff --git a/org/mozilla/jss/tests/BadSSL.java b/org/mozilla/jss/tests/BadSSL.java +new file mode 100644 +index 00000000..60bfe820 +--- /dev/null ++++ b/org/mozilla/jss/tests/BadSSL.java +@@ -0,0 +1,208 @@ ++package org.mozilla.jss.tests; ++ ++import org.mozilla.jss.CryptoManager; ++ ++import org.mozilla.jss.ssl.SSLSocket; ++import org.mozilla.jss.ssl.SSLSocketException; ++ ++import org.mozilla.jss.util.NativeErrcodes; ++ ++/** ++ * The BadSSL test case maintains an internal mapping from badssl.com ++ * subdomains to expected exceptions and validates they occur. ++ * ++ * Since badssl.com offers no guaranteed SLA or availability, we likely ++ * shouldn't add this site to automated tests. ++ */ ++ ++public class BadSSL { ++ public static void main(String[] args) throws Exception { ++ boolean ocsp = false; ++ ++ if (args.length < 1) { ++ System.out.println("Usage: BadSSL nssdb [LEAF_AND_CHAIN]"); ++ return; ++ } ++ ++ if (args.length >= 2 && args[1].equals("LEAF_AND_CHAIN")) { ++ System.out.println("Enabling leaf and chain policy..."); ++ ocsp = true; ++ } ++ ++ CryptoManager.initialize(args[0]); ++ CryptoManager cm = CryptoManager.getInstance(); ++ ++ if (ocsp) { ++ cm.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN); ++ } ++ ++ ++ // Test cases which should fail due to various certificate errors. ++ testExpired(); ++ testWrongHost(); ++ testSelfSigned(); ++ testUntrustedRoot(); ++ ++ // The following test cases depend on crypto-policies or local NSS ++ // configuration. ++ testSHA1(); ++ testRC4MD5(); ++ testRC4(); ++ test3DES(); ++ testNULL(); ++ ++ // The following test cases depend on OCSP being enabled. ++ if (ocsp) { ++ testRevoked(); ++ } ++ ++ // Test cases which should pass given the correct root certs. ++ testSHA256(); ++ testSHA384(); ++ testSHA512(); ++ ++ testECC256(); ++ testECC384(); ++ ++ testRSA2048(); ++ testRSA4096(); ++ testRSA8192(); ++ ++ testExtendedValidation(); ++ } ++ ++ /* Test cases whose handshakes should fail below. */ ++ ++ public static void testExpired() throws Exception { ++ testHelper("expired.badssl.com", 443, new String[]{ "(-8181)", "has expired" }); ++ } ++ ++ public static void testWrongHost() throws Exception { ++ testHelper("wrong.host.badssl.com", 443, new String[]{ "(-12276)", "domain name does not match" }); ++ } ++ ++ public static void testSelfSigned() throws Exception { ++ testHelper("self-signed.badssl.com", 443, new String[]{ "(-8101)", "(-8156)", "type not approved", "issuer certificate is invalid" }); ++ } ++ ++ public static void testUntrustedRoot() throws Exception { ++ testHelper("untrusted-root.badssl.com", 443, new String[]{ "(-8172)", "certificate issuer has been marked as not trusted" }); ++ } ++ ++ public static void testRevoked() throws Exception { ++ testHelper("revoked.badssl.com", 443, new String[]{ "(-8180)", "has been revoked" }); ++ } ++ ++ public static void testSHA1() throws Exception { ++ testHelper("sha1-intermediate.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" }); ++ } ++ ++ public static void testRC4MD5() throws Exception { ++ testHelper("rc4-md5.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" }); ++ } ++ ++ public static void testRC4() throws Exception { ++ testHelper("rc4.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" }); ++ } ++ ++ public static void test3DES() throws Exception { ++ testHelper("3des.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" }); ++ } ++ ++ public static void testNULL() throws Exception { ++ testHelper("null.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" }); ++ } ++ ++ /* Test cases which should handshake successfully below. */ ++ ++ public static void testSHA256() throws Exception { ++ testHelper("sha256.badssl.com", 443); ++ } ++ ++ public static void testSHA384() throws Exception { ++ testHelper("sha384.badssl.com", 443); ++ } ++ ++ public static void testSHA512() throws Exception { ++ testHelper("sha512.badssl.com", 443); ++ } ++ ++ public static void testECC256() throws Exception { ++ testHelper("ecc256.badssl.com", 443); ++ } ++ ++ public static void testECC384() throws Exception { ++ testHelper("ecc384.badssl.com", 443); ++ } ++ ++ public static void testRSA2048() throws Exception { ++ testHelper("rsa2048.badssl.com", 443); ++ } ++ ++ public static void testRSA4096() throws Exception { ++ testHelper("rsa4096.badssl.com", 443); ++ } ++ ++ public static void testRSA8192() throws Exception { ++ testHelper("rsa8192.badssl.com", 443); ++ } ++ ++ public static void testExtendedValidation() throws Exception { ++ testHelper("extended-validation.badssl.com", 443); ++ } ++ ++ /* Test case helpers. */ ++ ++ public static void testHelper(String host, int port) throws Exception { ++ testSite(host, port); ++ System.out.println("\t...ok"); ++ } ++ ++ public static void testHelper(String host, int port, String[] substrs) throws Exception { ++ try { ++ testSite(host, port); ++ } catch (SSLSocketException sse) { ++ String actual = sse.getMessage().toLowerCase(); ++ ++ for (String expected : substrs) { ++ if (actual.contains(expected.toLowerCase())) { ++ System.out.println("\t...got expected error message."); ++ return; ++ } ++ } ++ ++ System.err.println("\tUnexpected error message: " + actual); ++ throw sse; ++ } ++ ++ throw new RuntimeException("Expected to get an exception, but didn't!"); ++ } ++ ++ public static void testHelper(String host, int port, int[] codes) throws Exception { ++ try { ++ testSite(host, port); ++ } catch (SSLSocketException sse) { ++ int actual = sse.getErrcode(); ++ for (int expected : codes) { ++ if (actual == expected) { ++ System.out.println("\t...got expected error code."); ++ return; ++ } ++ } ++ ++ System.err.println("\tUnexpected error code: " + actual); ++ throw sse; ++ } ++ ++ throw new RuntimeException("Expected to get an exception, but didn't!"); ++ } ++ ++ public static void testSite(String host, int port) throws Exception { ++ System.out.println("Testing connection to " + host + ":" + port); ++ SSLSocket sock = new SSLSocket(host, 443); ++ sock.forceHandshake(); ++ sock.shutdownOutput(); ++ sock.shutdownInput(); ++ sock.close(); ++ } ++} +-- +2.21.0 + diff --git a/SPECS/jss.spec b/SPECS/jss.spec index 91f266d..144f8c7 100644 --- a/SPECS/jss.spec +++ b/SPECS/jss.spec @@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ Version: 4.4.6 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} +Release: 3%{?_timestamp}%{?_commit_id}.el7_7 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git @@ -23,7 +23,9 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}/%{name} # --stdout \ # \ # > jss-VERSION-RELEASE.patch -# Patch: jss-VERSION-RELEASE.patch +Patch1: 0001-JSS-CVE-2019-14823-fix.patch +Patch2: 0002-Add-script-to-add-common-root-CAs.patch +Patch3: 0003-Add-optional-test-case-against-badssl.com.patch Conflicts: idm-console-framework < 1.1.17-4 Conflicts: pki-base < 10.4.0 @@ -178,6 +180,12 @@ cp -p jss/*.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Thu Sep 12 2019 Dogtag PKI Team 4.4.6-2 +- Bugzilla #1747966 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate + * Fri Mar 15 2019 Dogtag PKI Team 4.4.6-1 - Bugzilla #1659527 - Rebase JSS in RHEL 7.7 (ascheel)