From 34668cf7d42fc6eb774ea8ab96062bff6daa2bad Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 31 2020 09:35:50 +0000 Subject: import jss-4.4.7-2.el7 --- diff --git a/.gitignore b/.gitignore index 5ac3a73..8d0656a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/jss-4.4.6.tar.gz +SOURCES/jss-4.4.7.tar.gz diff --git a/.jss.metadata b/.jss.metadata index 759bb43..9b6805b 100644 --- a/.jss.metadata +++ b/.jss.metadata @@ -1 +1 @@ -19fe5139c0d258849c3905b4991145dba94f99de SOURCES/jss-4.4.6.tar.gz +73cfcfdf2eefc39351b4b1dd9ee6f517faa64f19 SOURCES/jss-4.4.7.tar.gz diff --git a/SOURCES/0001-JSS-CVE-2019-14823-fix.patch b/SOURCES/0001-JSS-CVE-2019-14823-fix.patch index d80be6a..46d1e4e 100644 --- a/SOURCES/0001-JSS-CVE-2019-14823-fix.patch +++ b/SOURCES/0001-JSS-CVE-2019-14823-fix.patch @@ -1,4 +1,4 @@ -From 32d6c776ad5c489efea9f380fdac296a63209ea5 Mon Sep 17 00:00:00 2001 +From 4c44f138e67db9c583baf78c7aa0460a941e9842 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 4 Sep 2019 08:33:14 -0400 Subject: [PATCH] Fix root certificate validation @@ -17,13 +17,21 @@ Fixes CVE-2019-14823 Signed-off-by: Alexander Scheel --- org/mozilla/jss/ssl/common.c | 239 ++++++++++++++++++++--------------- - 1 file changed, 138 insertions(+), 101 deletions(-) + 1 file changed, 136 insertions(+), 103 deletions(-) diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c -index 8c2a2240..030588c8 100644 +index cd4d4425..3a448c54 100644 --- a/org/mozilla/jss/ssl/common.c +++ b/org/mozilla/jss/ssl/common.c -@@ -936,170 +936,207 @@ finish: +@@ -901,7 +901,6 @@ finish: + } + + /* Get the trusted anchor for pkix */ +- + CERTCertificate *getRoot(CERTCertificate *cert, + SECCertUsage certUsage) + { +@@ -935,79 +934,84 @@ finish: return root; } 
@@ -145,22 +153,23 @@ index 8c2a2240..030588c8 100644 int inParamIndex = 0; int outParamIndex = 0; - CERTRevocationFlags *rev = NULL; - +- - CERTCertList *trustedCertList = NULL; - - PRBool fetchCerts = PR_FALSE; -- + - SECCertUsage certUsage = certUsageSSLClient /* 0 */; - SECStatus res = SECFailure; + +- CERTCertificate *root = NULL; +- - if(cert == NULL) { -+ + if (cert == NULL) { goto finish; } -- if(ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) { -+ if (ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) { +@@ -1015,93 +1019,122 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, goto finish; } @@ -206,7 +215,7 @@ index 8c2a2240..030588c8 100644 - SECCertificateUsage testUsage = certificateUsage; - while (0 != (testUsage = testUsage >> 1)) { certUsage++; } - -- CERTCertificate *root = getRoot(cert,certUsage); +- root = getRoot(cert,certUsage); - - /* Try to add the root as the trust anchor so all the - other memebers of the ca chain will get validated. diff --git a/SPECS/jss.spec b/SPECS/jss.spec index 144f8c7..59edb0f 100644 --- a/SPECS/jss.spec +++ b/SPECS/jss.spec @@ -6,8 +6,8 @@ Summary: Java Security Services (JSS) URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ -Version: 4.4.6 -Release: 3%{?_timestamp}%{?_commit_id}.el7_7 +Version: 4.4.7 +Release: 2%{?dist} # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git 
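Review bot: With the rebased patch now deleting the base declaration `CERTCertificate *root = NULL;` (the `+-` line in the `@@ -145,22 +153,23 @@` hunk) as well as the assignment `root = getRoot(cert,certUsage);` (the `+-` line in the `@@ -206,7 +215,7 @@` hunk), every remaining use of `root` in `JSSL_verifyCertPKIX` depends on whatever the nested `@@ -1015,93 +1019,122 @@` hunk redeclares, and that hunk lies outside this view. A build catches a missing declaration but not a lost `= NULL` initializer: the early `goto finish;` under `if (cert == NULL)` reaches the cleanup before any assignment, so please confirm that the replacement declaration still initializes `root`, or that the code under `finish:` does not touch it. Since 4.4.7 upstream apparently moved this declaration to function scope, a one-line note in the changelog entry for this rebuild, e.g. `- Rebase CVE-2019-14823 patch onto 4.4.7 (root now declared at function scope upstream)`, would tell the next rebaser why the patch no longer matches the 4.4.6 form. Both changed nested hunks belong to `JSSL_verifyCertPKIX`, whose body starts before and continues after them.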
@@ -180,11 +180,11 @@ cp -p jss/*.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog -* Thu Sep 12 2019 Dogtag PKI Team 4.4.7-2 +- Bugzilla #1747967 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate -* Wed Sep 11 2019 Dogtag PKI Team 4.4.6-2 -- Bugzilla #1747966 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate +* Mon Aug 5 2019 Dogtag PKI Team 4.4.7-1 +- Bugzilla #1733590 - Rebase JSS in RHEL 7.8 (ascheel) * Fri Mar 15 2019 Dogtag PKI Team 4.4.6-1 - Bugzilla #1659527 - Rebase JSS in RHEL 7.7 (ascheel)