diff --git a/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
new file mode 100644
index 0000000..9d0939f
--- /dev/null
+++ b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
@@ -0,0 +1,124 @@
+From baa2a485190d1b31f3dae06a18dc24d71dbe35bf Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 11 Mar 2022 12:04:14 +0100
+Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+Various organizations including NIST have been strongly recommending to
+stop using SHA-1 for digital signatures for some years already. CMS
+digest is used to generate such signatures, hence it should be upgraded
+to use SHA-256.
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c | 40 ++++++++++---------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index dbb054378..32291e3ac 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1234,7 +1234,7 @@ cms_signeddata_create(krb5_context context,
+ /* will not fill-out EVP_PKEY because it's on the smartcard */
+
+ /* Set digest algs */
+- p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
++ p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
+
+ if (p7si->digest_alg->parameter != NULL)
+ ASN1_TYPE_free(p7si->digest_alg->parameter);
+@@ -1245,17 +1245,18 @@ cms_signeddata_create(krb5_context context,
+ /* Set sig algs */
+ if (p7si->digest_enc_alg->parameter != NULL)
+ ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
+- p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
++ p7si->digest_enc_alg->algorithm =
++ OBJ_nid2obj(NID_sha256WithRSAEncryption);
+ if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
+ goto cleanup;
+ p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
+
+ /* add signed attributes */
+- /* compute sha1 digest over the EncapsulatedContentInfo */
++ /* compute sha256 digest over the EncapsulatedContentInfo */
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ goto cleanup;
+- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
++ EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+ EVP_DigestUpdate(ctx, data, data_len);
+ md_tmp = EVP_MD_CTX_md(ctx);
+ EVP_DigestFinal_ex(ctx, md_data, &md_len);
+@@ -1283,12 +1284,14 @@ cms_signeddata_create(krb5_context context,
+ goto cleanup2;
+
+ #ifndef WITHOUT_PKCS11
+- /* Some tokens can only do RSAEncryption without sha1 hash */
+- /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
+- * function and the hash value into an ASN.1 value of type DigestInfo
+- * DigestInfo::=SEQUENCE {
+- * digestAlgorithm AlgorithmIdentifier,
+- * digest OCTET STRING }
++ /*
++ * Some tokens can only do RSAEncryption without a hash. To compute
++ * sha256WithRSAEncryption, encode the algorithm ID for the hash
++ * function and the hash value into an ASN.1 value of type DigestInfo:
++ * DigestInfo ::= SEQUENCE {
++ * digestAlgorithm AlgorithmIdentifier,
++ * digest OCTET STRING
++ * }
+ */
+ if (id_cryptoctx->pkcs11_method == 1 &&
+ id_cryptoctx->mech == CKM_RSA_PKCS) {
+@@ -1304,7 +1307,7 @@ cms_signeddata_create(krb5_context context,
+ alg = X509_ALGOR_new();
+ if (alg == NULL)
+ goto cleanup2;
+- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
++ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
+ alg_len = i2d_X509_ALGOR(alg, NULL);
+
+ digest = ASN1_OCTET_STRING_new();
+@@ -1333,7 +1336,7 @@ cms_signeddata_create(krb5_context context,
+ #endif
+ {
+ pkiDebug("mech = %s\n",
+- id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
++ id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
+ retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
+ &sig, &sig_len);
+ }
+@@ -4147,7 +4150,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ return ENOMEM;
+- EVP_SignInit(ctx, EVP_sha1());
++ EVP_SignInit(ctx, EVP_sha256());
+ EVP_SignUpdate(ctx, data, data_len);
+ *sig_len = EVP_PKEY_size(pkey);
+ if ((*sig = malloc(*sig_len)) == NULL)
+@@ -4623,10 +4626,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
+
+ #ifndef PKINIT_USE_MECH_LIST
+ /*
+- * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+- * many cards seems to be confused about whether they are capable of
+- * this or not. The safe thing seems to be to ignore the mechanism list,
+- * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
++ * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
++ * historically many cards seem to be confused about whether they are
++ * capable of mechanisms or not. The safe thing seems to be to ignore the
++ * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
++ * ourselves.
+ */
+
+ id_cryptoctx->mech = CKM_RSA_PKCS;
+@@ -4654,7 +4658,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ if (mechp[i] == CKM_RSA_PKCS) {
+ /* This seems backwards... */
+ id_cryptoctx->mech =
+- (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
++ (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
+ }
+ }
+ free(mechp);
+--
+2.35.1
+
diff --git a/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
new file mode 100644
index 0000000..3b8ccec
--- /dev/null
+++ b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
@@ -0,0 +1,342 @@
+From cc1cd235a6a8c066531a17d5773f601455bedb52 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 31 Mar 2022 18:24:39 +0200
+Subject: [PATCH] Use newly enforced dejagnu path naming convention
+
+Since version 1.6.3, dejagnu started to enforce a naming convention that
+was already in place, but not mandatory: dejagnu test directories have
+to be named "testsuite". If they don't implicit relative sub-paths
+resolution (e.g. "lib", "config") is not forking.
+
+This commit renames kadm5 library's unit tests directory to match this
+requirement.
+
+Resolves: rhbz#2070879
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+---
+ src/configure.ac | 2 +-
+ src/lib/kadm5/Makefile.in | 2 +-
+ .../{unit-test => testsuite}/Makefile.in | 28 +++++++++----------
+ .../api.2/crte-policy.exp | 0
+ .../api.2/get-policy.exp | 0
+ .../api.2/mod-policy.exp | 0
+ .../api.current/chpass-principal-v2.exp | 0
+ .../api.current/chpass-principal.exp | 0
+ .../api.current/crte-policy.exp | 0
+ .../api.current/crte-principal.exp | 0
+ .../api.current/destroy.exp | 0
+ .../api.current/dlte-policy.exp | 0
+ .../api.current/dlte-principal.exp | 0
+ .../api.current/get-policy.exp | 0
+ .../api.current/get-principal-v2.exp | 0
+ .../api.current/get-principal.exp | 0
+ .../api.current/init-v2.exp | 0
+ .../api.current/init.exp | 0
+ .../api.current/mod-policy.exp | 0
+ .../api.current/mod-principal-v2.exp | 0
+ .../api.current/mod-principal.exp | 0
+ .../api.current/randkey-principal-v2.exp | 0
+ .../api.current/randkey-principal.exp | 0
+ .../{unit-test => testsuite}/config/unix.exp | 0
+ src/lib/kadm5/{unit-test => testsuite}/deps | 0
+ .../{unit-test => testsuite}/destroy-test.c | 0
+ .../diff-files/destroy-1 | 0
+ .../diff-files/no-diffs | 0
+ .../{unit-test => testsuite}/handle-test.c | 0
+ .../{unit-test => testsuite}/init-test.c | 0
+ .../{unit-test => testsuite}/iter-test.c | 0
+ .../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +-
+ .../{unit-test => testsuite}/lock-test.c | 0
+ .../{unit-test => testsuite}/randkey-test.c | 0
+ .../{unit-test => testsuite}/setkey-test.c | 0
+ .../kadm5/{unit-test => testsuite}/site.exp | 0
+ 36 files changed, 17 insertions(+), 17 deletions(-)
+ rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/deps (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 29be532cb..37e36b76d 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1499,7 +1499,7 @@ V5_AC_OUTPUT_MAKEFILE(.
+
+ lib/rpc lib/rpc/unit-test
+
+- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
++ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
+ lib/krad
+ lib/apputils
+
+diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
+index c4eaad38d..76fc4b548 100644
+--- a/src/lib/kadm5/Makefile.in
++++ b/src/lib/kadm5/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)kadm5
+ BUILDTOP=$(REL)..$(S)..
+-SUBDIRS = clnt srv unit-test
++SUBDIRS = clnt srv testsuite
+
+ ##DOSBUILDTOP = ..\..
+
+diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
+similarity index 86%
+rename from src/lib/kadm5/unit-test/Makefile.in
+rename to src/lib/kadm5/testsuite/Makefile.in
+index 68fa097ff..5a55b786b 100644
+--- a/src/lib/kadm5/unit-test/Makefile.in
++++ b/src/lib/kadm5/testsuite/Makefile.in
+@@ -1,4 +1,4 @@
+-mydir=lib$(S)kadm5$(S)unit-test
++mydir=lib$(S)kadm5$(S)testsuite
+ BUILDTOP=$(REL)..$(S)..$(S)..
+ KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
+
+@@ -61,7 +61,7 @@ runenv.exp: Makefile
+ eval echo "set env\($$i\) \$$$$i"; done > runenv.exp
+
+ #
+-# The unit-test targets
++# The testsuite targets
+ #
+
+ check: check-@DO_TEST@
+@@ -72,13 +72,13 @@ check-:
+ @echo "+++ Either tcl, runtest, or Perl is unavailable."
+ @echo "+++"
+
+-check-ok unit-test: unit-test-client unit-test-server
++check-ok testsuite: testsuite-client testsuite-server
+
+-unit-test-client: unit-test-client-setup unit-test-client-body \
+- unit-test-client-cleanup
++testsuite-client: testsuite-client-setup testsuite-client-body \
++ testsuite-client-cleanup
+
+-unit-test-server: unit-test-server-setup unit-test-server-body \
+- unit-test-server-cleanup
++testsuite-server: testsuite-server-setup testsuite-server-body \
++ testsuite-server-cleanup
+
+ test-randkey: randkey-test
+ $(ENV_SETUP) $(VALGRIND) ./randkey-test
+@@ -98,19 +98,19 @@ test-destroy: destroy-test
+ test-setkey-client: client-setkey-test
+ $(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin
+
+-unit-test-client-setup: runenv.sh
++testsuite-client-setup: runenv.sh
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
+
+-unit-test-client-cleanup:
++testsuite-client-cleanup:
+ $(ENV_SETUP) $(STOP_SERVERS)
+
+-unit-test-server-setup: runenv.sh
++testsuite-server-setup: runenv.sh
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL)
+
+-unit-test-server-cleanup:
++testsuite-server-cleanup:
+ $(ENV_SETUP) $(STOP_SERVERS_LOCAL)
+
+-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
++testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
+ test-setkey-client runenv.exp
+ $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
+ KINIT=$(BUILDTOP)/clients/kinit/kinit \
+@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
+ -mv api.log capi.log
+ -mv api.sum capi.sum
+
+-unit-test-server-body: site.exp test-handle-server lock-test
++testsuite-server-body: site.exp test-handle-server lock-test
+ $(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \
+ LOCKTEST=./lock-test \
+ KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \
+@@ -140,4 +140,4 @@ clean:
+ $(RM) lock-test lock-test.o
+ $(RM) server-iter-test iter-test.o
+ $(RM) server-setkey-test client-setkey-test setkey-test.o
+- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
++ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/destroy.exp
+rename to src/lib/kadm5/testsuite/api.current/destroy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/init-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init.exp
+rename to src/lib/kadm5/testsuite/api.current/init.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/config/unix.exp
+rename to src/lib/kadm5/testsuite/config/unix.exp
+diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
+similarity index 100%
+rename from src/lib/kadm5/unit-test/deps
+rename to src/lib/kadm5/testsuite/deps
+diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/destroy-test.c
+rename to src/lib/kadm5/testsuite/destroy-test.c
+diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/destroy-1
+rename to src/lib/kadm5/testsuite/diff-files/destroy-1
+diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/no-diffs
+rename to src/lib/kadm5/testsuite/diff-files/no-diffs
+diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/handle-test.c
+rename to src/lib/kadm5/testsuite/handle-test.c
+diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/init-test.c
+rename to src/lib/kadm5/testsuite/init-test.c
+diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/iter-test.c
+rename to src/lib/kadm5/testsuite/iter-test.c
+diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
+similarity index 99%
+rename from src/lib/kadm5/unit-test/lib/lib.t
+rename to src/lib/kadm5/testsuite/lib/lib.t
+index 3444775cf..327946849 100644
+--- a/src/lib/kadm5/unit-test/lib/lib.t
++++ b/src/lib/kadm5/testsuite/lib/lib.t
+@@ -226,7 +226,7 @@ proc end_dump_compare {name} {
+ global RPC
+
+ if { ! $RPC } {
+-# set file $TOP/admin/lib/unit-test/diff-files/$name
++# set file $TOP/admin/lib/testsuite/diff-files/$name
+ # exec $env(SIMPLE_DUMP) > /tmp/dump.after
+ # exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file
+ }
+diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/lock-test.c
+rename to src/lib/kadm5/testsuite/lock-test.c
+diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/randkey-test.c
+rename to src/lib/kadm5/testsuite/randkey-test.c
+diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/setkey-test.c
+rename to src/lib/kadm5/testsuite/setkey-test.c
+diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/site.exp
+rename to src/lib/kadm5/testsuite/site.exp
+--
+2.35.1
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 5e13c23..d969a61 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 14%{?dist}
+Release: 17%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -86,6 +86,8 @@ Patch140: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
Patch141: Fix-KCM-retrieval-support-for-sssd.patch
Patch142: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Patch143: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+Patch144: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
+Patch145: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -291,7 +293,7 @@ popd
# builds going on the same host don't step on each other.
cfg="src/kadmin/testing/proto/kdc.conf.proto \
src/kadmin/testing/proto/krb5.conf.proto \
- src/lib/kadm5/unit-test/api.current/init-v2.exp \
+ src/lib/kadm5/testsuite/api.current/init-v2.exp \
src/util/k5test.py"
LONG_BIT=`getconf LONG_BIT`
PORT=`expr 61000 + $LONG_BIT - 48`
@@ -696,6 +698,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Mon Mar 21 2022 Julien Rische <jrische@redhat.com> - 1.18.2-15
+- Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest
+- Resolves: #2066316
+
* Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-14
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
- Resolves: #1997601