diff --git a/SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch b/SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch
new file mode 100644
index 0000000..8358d7e
--- /dev/null
+++ b/SOURCES/Make-kprop-work-for-dump-files-larger-than-4GB.patch
@@ -0,0 +1,365 @@
+From 5d541f1f0b468b1c976acf8ec2359bd0c8c73be7 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Wed, 19 Jan 2022 19:46:08 +0100
+Subject: [PATCH] Make kprop work for dump files larger than 4GB
+
+If the dump file size does not fit in 32 bits, encode four zero bytes
+(forcing an error for unmodified kpropd) followed by the size in the
+next 64 bits.
+
+Add a functional test case, but only run it when an environment
+variable is set, as processing a 4GB dump file is too
+resource-intensive for make check.
+
+[ghudson@mit.edu: edited comments and commit message; eliminated use
+of defined constant in some cases; added test case]
+
+ticket: 9053 (new)
+---
+ src/kprop/kprop.c | 37 +++++++++++++++++++++----------------
+ src/kprop/kprop.h | 12 ++++++++++++
+ src/kprop/kprop_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ src/kprop/kpropd.c | 33 +++++++++++++++++++++------------
+ src/tests/t_kprop.py | 34 ++++++++++++++++++++++++++++++++++
+ 5 files changed, 130 insertions(+), 28 deletions(-)
+
+diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c
+index 0b53aae7e..5adb4d31f 100644
+--- a/src/kprop/kprop.c
++++ b/src/kprop/kprop.c
+@@ -25,6 +25,7 @@
+ */
+
+ #include "k5-int.h"
++#include <inttypes.h>
+ #include <locale.h>
+ #include <sys/file.h>
+ #include <signal.h>
+@@ -71,11 +72,11 @@ static void open_connection(krb5_context context, char *host, int *fd_out);
+ static void kerberos_authenticate(krb5_context context,
+ krb5_auth_context *auth_context, int fd,
+ krb5_principal me, krb5_creds **new_creds);
+-static int open_database(krb5_context context, char *data_fn, int *size);
++static int open_database(krb5_context context, char *data_fn, off_t *size);
+ static void close_database(krb5_context context, int fd);
+ static void xmit_database(krb5_context context,
+ krb5_auth_context auth_context, krb5_creds *my_creds,
+- int fd, int database_fd, int in_database_size);
++ int fd, int database_fd, off_t in_database_size);
+ static void send_error(krb5_context context, krb5_creds *my_creds, int fd,
+ char *err_text, krb5_error_code err_code);
+ static void update_last_prop_file(char *hostname, char *file_name);
+@@ -90,7 +91,8 @@ static void usage()
+ int
+ main(int argc, char **argv)
+ {
+- int fd, database_fd, database_size;
++ int fd, database_fd;
++ off_t database_size;
+ krb5_error_code retval;
+ krb5_context context;
+ krb5_creds *my_creds;
+@@ -339,7 +341,7 @@ kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context,
+ * in the size of the database file.
+ */
+ static int
+-open_database(krb5_context context, char *data_fn, int *size)
++open_database(krb5_context context, char *data_fn, off_t *size)
+ {
+ struct stat stbuf, stbuf_ok;
+ char *data_ok_fn;
+@@ -413,19 +415,18 @@ close_database(krb5_context context, int fd)
+ static void
+ xmit_database(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds *my_creds, int fd, int database_fd,
+- int in_database_size)
++ off_t in_database_size)
+ {
+ krb5_int32 n;
+ krb5_data inbuf, outbuf;
+- char buf[KPROP_BUFSIZ];
++ char buf[KPROP_BUFSIZ], dbsize_buf[KPROP_DBSIZE_MAX_BUFSIZ];
+ krb5_error_code retval;
+ krb5_error *error;
+- krb5_ui_4 database_size = in_database_size, send_size, sent_size;
++ uint64_t database_size = in_database_size, send_size, sent_size;
+
+ /* Send over the size. */
+- send_size = htonl(database_size);
+- inbuf.data = (char *)&send_size;
+- inbuf.length = sizeof(send_size); /* must be 4, really */
++ inbuf = make_data(dbsize_buf, sizeof(dbsize_buf));
++ encode_database_size(database_size, &inbuf);
+ /* KPROP_CKSUMTYPE */
+ retval = krb5_mk_safe(context, auth_context, &inbuf, &outbuf, NULL);
+ if (retval) {
+@@ -460,7 +461,7 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
+ retval = krb5_mk_priv(context, auth_context, &inbuf, &outbuf, NULL);
+ if (retval) {
+ snprintf(buf, sizeof(buf),
+- "while encoding database block starting at %d",
++ "while encoding database block starting at %"PRIu64,
+ sent_size);
+ com_err(progname, retval, "%s", buf);
+ send_error(context, my_creds, fd, buf, retval);
+@@ -471,14 +472,14 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
+ if (retval) {
+ krb5_free_data_contents(context, &outbuf);
+ com_err(progname, retval,
+- _("while sending database block starting at %d"),
++ _("while sending database block starting at %"PRIu64),
+ sent_size);
+ exit(1);
+ }
+ krb5_free_data_contents(context, &outbuf);
+ sent_size += n;
+ if (debug)
+- printf("%d bytes sent.\n", sent_size);
++ printf("%"PRIu64" bytes sent.\n", sent_size);
+ }
+ if (sent_size != database_size) {
+ com_err(progname, 0, _("Premature EOF found for database file!"));
+@@ -533,10 +534,14 @@ xmit_database(krb5_context context, krb5_auth_context auth_context,
+ exit(1);
+ }
+
+- memcpy(&send_size, outbuf.data, sizeof(send_size));
+- send_size = ntohl(send_size);
++ retval = decode_database_size(&outbuf, &send_size);
++ if (retval) {
++ com_err(progname, retval, _("malformed sent database size message"));
++ exit(1);
++ }
+ if (send_size != database_size) {
+- com_err(progname, 0, _("Kpropd sent database size %d, expecting %d"),
++ com_err(progname, 0, _("Kpropd sent database size %"PRIu64
++ ", expecting %"PRIu64),
+ send_size, database_size);
+ exit(1);
+ }
+diff --git a/src/kprop/kprop.h b/src/kprop/kprop.h
+index 75331cc8a..3a319b535 100644
+--- a/src/kprop/kprop.h
++++ b/src/kprop/kprop.h
+@@ -32,6 +32,7 @@
+ #define KPROP_PROT_VERSION "kprop5_01"
+
+ #define KPROP_BUFSIZ 32768
++#define KPROP_DBSIZE_MAX_BUFSIZ 12 /* max length of an encoded DB size */
+
+ /* pathnames are in osconf.h, included via k5-int.h */
+
+@@ -41,3 +42,14 @@ int sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa,
+ krb5_error_code
+ sn2princ_realm(krb5_context context, const char *hostname, const char *sname,
+ const char *realm, krb5_principal *princ_out);
++
++/*
++ * Encode size in four bytes (for backward compatibility) if it fits; otherwise
++ * use the larger encoding. buf must be allocated with at least
++ * KPROP_DBSIZE_MAX_BUFSIZ bytes.
++ */
++void encode_database_size(uint64_t size, krb5_data *buf);
++
++/* Decode a database size. Return KRB5KRB_ERR_GENERIC if buf has an invalid
++ * length or did not encode a 32-bit size compactly. */
++krb5_error_code decode_database_size(const krb5_data *buf, uint64_t *size_out);
+diff --git a/src/kprop/kprop_util.c b/src/kprop/kprop_util.c
+index c32d174b9..9d6b25389 100644
+--- a/src/kprop/kprop_util.c
++++ b/src/kprop/kprop_util.c
+@@ -96,3 +96,45 @@ sn2princ_realm(krb5_context context, const char *hostname, const char *sname,
+ (*princ_out)->type = KRB5_NT_SRV_HST;
+ return ret;
+ }
++
++void
++encode_database_size(uint64_t size, krb5_data *buf)
++{
++ assert(buf->length >= 12);
++ if (size > 0 && size <= UINT32_MAX) {
++ /* Encode in 32 bits for backward compatibility. */
++ store_32_be(size, buf->data);
++ buf->length = 4;
++ } else {
++ /* Set the first 32 bits to 0 and encode in the following 64 bits. */
++ store_32_be(0, buf->data);
++ store_64_be(size, buf->data + 4);
++ buf->length = 12;
++ }
++}
++
++krb5_error_code
++decode_database_size(const krb5_data *buf, uint64_t *size_out)
++{
++ uint64_t size;
++
++ if (buf->length == 12) {
++ /* A 12-byte buffer must have the first four bytes zeroed. */
++ if (load_32_be(buf->data) != 0)
++ return KRB5KRB_ERR_GENERIC;
++
++ /* The size is stored in the next 64 bits. Values from 1..2^32-1 must
++ * be encoded in four bytes. */
++ size = load_64_be(buf->data + 4);
++ if (size > 0 && size <= UINT32_MAX)
++ return KRB5KRB_ERR_GENERIC;
++ } else if (buf->length == 4) {
++ size = load_32_be(buf->data);
++ } else {
++ /* Invalid buffer size. */
++ return KRB5KRB_ERR_GENERIC;
++ }
++
++ *size_out = size;
++ return 0;
++}
+diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
+index 356e3e0e6..a83a86866 100644
+--- a/src/kprop/kpropd.c
++++ b/src/kprop/kpropd.c
+@@ -55,6 +55,7 @@
+ #include "com_err.h"
+ #include "fake-addrinfo.h"
+
++#include <inttypes.h>
+ #include <locale.h>
+ #include <ctype.h>
+ #include <sys/file.h>
+@@ -1354,9 +1355,10 @@ static void
+ recv_database(krb5_context context, int fd, int database_fd,
+ krb5_data *confmsg)
+ {
+- krb5_ui_4 database_size, received_size;
++ uint64_t database_size, received_size;
+ int n;
+ char buf[1024];
++ char dbsize_buf[KPROP_DBSIZE_MAX_BUFSIZ];
+ krb5_data inbuf, outbuf;
+ krb5_error_code retval;
+
+@@ -1378,10 +1380,17 @@ recv_database(krb5_context context, int fd, int database_fd,
+ _("while decoding database size from client"));
+ exit(1);
+ }
+- memcpy(&database_size, outbuf.data, sizeof(database_size));
++
++ retval = decode_database_size(&outbuf, &database_size);
++ if (retval) {
++ send_error(context, fd, retval, "malformed database size message");
++ com_err(progname, retval,
++ _("malformed database size message from client"));
++ exit(1);
++ }
++
+ krb5_free_data_contents(context, &inbuf);
+ krb5_free_data_contents(context, &outbuf);
+- database_size = ntohl(database_size);
+
+ /* Initialize the initial vector. */
+ retval = krb5_auth_con_initivector(context, auth_context);
+@@ -1401,7 +1410,7 @@ recv_database(krb5_context context, int fd, int database_fd,
+ retval = krb5_read_message(context, &fd, &inbuf);
+ if (retval) {
+ snprintf(buf, sizeof(buf),
+- "while reading database block starting at offset %d",
++ "while reading database block starting at offset %"PRIu64,
+ received_size);
+ com_err(progname, retval, "%s", buf);
+ send_error(context, fd, retval, buf);
+@@ -1412,8 +1421,8 @@ recv_database(krb5_context context, int fd, int database_fd,
+ retval = krb5_rd_priv(context, auth_context, &inbuf, &outbuf, NULL);
+ if (retval) {
+ snprintf(buf, sizeof(buf),
+- "while decoding database block starting at offset %d",
+- received_size);
++ "while decoding database block starting at offset %"
++ PRIu64, received_size);
+ com_err(progname, retval, "%s", buf);
+ send_error(context, fd, retval, buf);
+ krb5_free_data_contents(context, &inbuf);
+@@ -1424,13 +1433,13 @@ recv_database(krb5_context context, int fd, int database_fd,
+ krb5_free_data_contents(context, &outbuf);
+ if (n < 0) {
+ snprintf(buf, sizeof(buf),
+- "while writing database block starting at offset %d",
++ "while writing database block starting at offset %"PRIu64,
+ received_size);
+ send_error(context, fd, errno, buf);
+ } else if ((unsigned int)n != outbuf.length) {
+ snprintf(buf, sizeof(buf),
+ "incomplete write while writing database block starting "
+- "at \noffset %d (%d written, %d expected)",
++ "at \noffset %"PRIu64" (%d written, %d expected)",
+ received_size, n, outbuf.length);
+ send_error(context, fd, KRB5KRB_ERR_GENERIC, buf);
+ }
+@@ -1440,7 +1449,8 @@ recv_database(krb5_context context, int fd, int database_fd,
+ /* OK, we've seen the entire file. Did we get too many bytes? */
+ if (received_size > database_size) {
+ snprintf(buf, sizeof(buf),
+- "Received %d bytes, expected %d bytes for database file",
++ "Received %"PRIu64" bytes, expected %"PRIu64
++ " bytes for database file",
+ received_size, database_size);
+ send_error(context, fd, KRB5KRB_ERR_GENERIC, buf);
+ }
+@@ -1450,9 +1460,8 @@ recv_database(krb5_context context, int fd, int database_fd,
+
+ /* Create message acknowledging number of bytes received, but
+ * don't send it until kdb5_util returns successfully. */
+- database_size = htonl(database_size);
+- inbuf.data = (char *)&database_size;
+- inbuf.length = sizeof(database_size);
++ inbuf = make_data(dbsize_buf, sizeof(dbsize_buf));
++ encode_database_size(database_size, &inbuf);
+ retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL);
+ if (retval) {
+ com_err(progname, retval, "while encoding # of receieved bytes");
+diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py
+index c33e4fea2..f8ffd653a 100755
+--- a/src/tests/t_kprop.py
++++ b/src/tests/t_kprop.py
+@@ -87,5 +87,39 @@ realm.run([kdb5_util, 'dump', dumpfile])
+ realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
+ check_output(kpropd)
+ realm.run([kadminl, 'listprincs'], replica3, expected_msg='wakawaka')
++stop_daemon(kpropd)
++
++# This test is too resource-intensive to be included in "make check"
++# by default, but it can be enabled in the environment to test the
++# propagation of databases large enough to require a 12-byte encoding
++# of the database size.
++if 'KPROP_LARGE_DB_TEST' in os.environ:
++ output('Generating >4GB dumpfile\n')
++ with open(dumpfile, 'w') as f:
++ f.write('kdb5_util load_dump version 6\n')
++ f.write('princ\t38\t15\t3\t1\t0\tK/M@KRBTEST.COM\t64\t86400\t0\t0\t0'
++ '\t0\t0\t0\t8\t2\t0100\t9\t8\t0100010000000000\t2\t28'
++ '\tb93e105164625f6372656174696f6e404b5242544553542e434f4d00'
++ '\t1\t1\t18\t62\t2000408c027c250e8cc3b81476414f2214d57c1ce'
++ '38891e29792e87258247c73547df4d5756266931dd6686b62270e6568'
++ '95a31ec66bfe913b4f15226227\t-1;\n')
++ for i in range(1, 20000000):
++ f.write('princ\t38\t21\t1\t1\t0\tp%08d@KRBTEST.COM' % i)
++ f.write('\t0\t86400\t0\t0\t0\t0\t0\t0\t2\t27'
++ '\td73e1051757365722f61646d696e404b5242544553542e434f4d00'
++ '\t1\t1\t17\t46'
++ '\t10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c49'
++ '5605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf\t-1;\n')
++ assert os.path.getsize(dumpfile) > 4 * 1024 * 1024 * 1024
++ with open(dumpfile + '.dump_ok', 'w') as f:
++ f.write('\0')
++ conf_large = {'dbmodules': {'db': {'database_name': '$testdir/db.large'}},
++ 'realms': {'$realm': {'iprop_resync_timeout': '3600'}}}
++ large = realm.special_env('large', True, kdc_conf=conf_large)
++ kpropd = realm.start_kpropd(large, ['-d'])
++ realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname])
++ check_output(kpropd)
++ realm.run([kadminl, 'getprinc', 'p19999999'], env=large,
++ expected_msg='Principal: p19999999')
+
+ success('kprop tests')
+--
+2.35.1
+
diff --git a/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch
new file mode 100644
index 0000000..382559f
--- /dev/null
+++ b/SOURCES/Try-harder-to-avoid-password-change-replay-errors.patch
@@ -0,0 +1,91 @@
+From 6b4cdaac48e6b736b66ccc21f4eed7c6fc4c2e4a Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 4 Mar 2022 00:45:00 -0500
+Subject: [PATCH] Try harder to avoid password change replay errors
+
+Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
+change_set_password() to prefer TCP. However, because UDP_LAST falls
+back to UDP after one second, we can still get a replay error due to a
+dropped packet, before the TCP layer has a chance to retry.
+
+Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
+TCP fails completely without reaching a server. In sendto_kdc.c,
+implement an ONLY_UDP transport strategy to allow the UDP fallback.
+
+ticket: 9037
+---
+ src/lib/krb5/os/changepw.c | 9 ++++++++-
+ src/lib/krb5/os/os-proto.h | 1 +
+ src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index 9f968da7f..c59232586 100644
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
+@@ -255,9 +255,16 @@ change_set_password(krb5_context context,
+ callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
+ krb5_free_data_contents(callback_ctx.context, &chpw_rep);
+
++ /* UDP retransmits may be seen as replays. Only try UDP after other
++ * transports fail completely. */
+ code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
+- &sl, UDP_LAST, &callback_info, &chpw_rep,
++ &sl, NO_UDP, &callback_info, &chpw_rep,
+ ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
++ if (code == KRB5_KDC_UNREACH) {
++ code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
++ &sl, ONLY_UDP, &callback_info, &chpw_rep,
++ ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
++ }
+ if (code)
+ goto cleanup;
+
+diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
+index a16a34b74..ad3839131 100644
+--- a/src/lib/krb5/os/os-proto.h
++++ b/src/lib/krb5/os/os-proto.h
+@@ -49,6 +49,7 @@ typedef enum {
+ UDP_FIRST = 0,
+ UDP_LAST,
+ NO_UDP,
++ ONLY_UDP
+ } k5_transport_strategy;
+
+ /* A single server hostname or address. */
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index 82523c561..d76e24ccf 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -799,11 +799,14 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ int err, result;
+ char portbuf[PORT_LENGTH];
+
+- /* Skip UDP entries if we don't want UDP. */
++ /* Skip entries excluded by the strategy. */
+ if (strategy == NO_UDP && entry->transport == UDP)
+ return 0;
++ if (strategy == ONLY_UDP && entry->transport != UDP &&
++ entry->transport != TCP_OR_UDP)
++ return 0;
+
+- transport = (strategy == UDP_FIRST) ? UDP : TCP;
++ transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP;
+ if (entry->hostname == NULL) {
+ /* Added by a module, so transport is either TCP or UDP. */
+ ai.ai_socktype = socktype_for_transport(entry->transport);
+@@ -847,8 +850,9 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ }
+
+ /* For TCP_OR_UDP entries, add each address again with the non-preferred
+- * transport, unless we are avoiding UDP. Flag these as deferred. */
+- if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) {
++ * transport, if there is one. Flag these as deferred. */
++ if (retval == 0 && entry->transport == TCP_OR_UDP &&
++ (strategy == UDP_FIRST || strategy == UDP_LAST)) {
+ transport = (strategy == UDP_FIRST) ? TCP : UDP;
+ for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+ a->ai_socktype = socktype_for_transport(transport);
+--
+2.35.1
+
diff --git a/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
new file mode 100644
index 0000000..9d0939f
--- /dev/null
+++ b/SOURCES/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
@@ -0,0 +1,124 @@
+From baa2a485190d1b31f3dae06a18dc24d71dbe35bf Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 11 Mar 2022 12:04:14 +0100
+Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+Various organizations including NIST have been strongly recommending to
+stop using SHA-1 for digital signatures for some years already. CMS
+digest is used to generate such signatures, hence it should be upgraded
+to use SHA-256.
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c | 40 ++++++++++---------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index dbb054378..32291e3ac 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1234,7 +1234,7 @@ cms_signeddata_create(krb5_context context,
+ /* will not fill-out EVP_PKEY because it's on the smartcard */
+
+ /* Set digest algs */
+- p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
++ p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
+
+ if (p7si->digest_alg->parameter != NULL)
+ ASN1_TYPE_free(p7si->digest_alg->parameter);
+@@ -1245,17 +1245,18 @@ cms_signeddata_create(krb5_context context,
+ /* Set sig algs */
+ if (p7si->digest_enc_alg->parameter != NULL)
+ ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
+- p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
++ p7si->digest_enc_alg->algorithm =
++ OBJ_nid2obj(NID_sha256WithRSAEncryption);
+ if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
+ goto cleanup;
+ p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
+
+ /* add signed attributes */
+- /* compute sha1 digest over the EncapsulatedContentInfo */
++ /* compute sha256 digest over the EncapsulatedContentInfo */
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ goto cleanup;
+- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
++ EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+ EVP_DigestUpdate(ctx, data, data_len);
+ md_tmp = EVP_MD_CTX_md(ctx);
+ EVP_DigestFinal_ex(ctx, md_data, &md_len);
+@@ -1283,12 +1284,14 @@ cms_signeddata_create(krb5_context context,
+ goto cleanup2;
+
+ #ifndef WITHOUT_PKCS11
+- /* Some tokens can only do RSAEncryption without sha1 hash */
+- /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
+- * function and the hash value into an ASN.1 value of type DigestInfo
+- * DigestInfo::=SEQUENCE {
+- * digestAlgorithm AlgorithmIdentifier,
+- * digest OCTET STRING }
++ /*
++ * Some tokens can only do RSAEncryption without a hash. To compute
++ * sha256WithRSAEncryption, encode the algorithm ID for the hash
++ * function and the hash value into an ASN.1 value of type DigestInfo:
++ * DigestInfo ::= SEQUENCE {
++ * digestAlgorithm AlgorithmIdentifier,
++ * digest OCTET STRING
++ * }
+ */
+ if (id_cryptoctx->pkcs11_method == 1 &&
+ id_cryptoctx->mech == CKM_RSA_PKCS) {
+@@ -1304,7 +1307,7 @@ cms_signeddata_create(krb5_context context,
+ alg = X509_ALGOR_new();
+ if (alg == NULL)
+ goto cleanup2;
+- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
++ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
+ alg_len = i2d_X509_ALGOR(alg, NULL);
+
+ digest = ASN1_OCTET_STRING_new();
+@@ -1333,7 +1336,7 @@ cms_signeddata_create(krb5_context context,
+ #endif
+ {
+ pkiDebug("mech = %s\n",
+- id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
++ id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
+ retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
+ &sig, &sig_len);
+ }
+@@ -4147,7 +4150,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ return ENOMEM;
+- EVP_SignInit(ctx, EVP_sha1());
++ EVP_SignInit(ctx, EVP_sha256());
+ EVP_SignUpdate(ctx, data, data_len);
+ *sig_len = EVP_PKEY_size(pkey);
+ if ((*sig = malloc(*sig_len)) == NULL)
+@@ -4623,10 +4626,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
+
+ #ifndef PKINIT_USE_MECH_LIST
+ /*
+- * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+- * many cards seems to be confused about whether they are capable of
+- * this or not. The safe thing seems to be to ignore the mechanism list,
+- * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
++ * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
++ * historically many cards seem to be confused about whether they are
++ * capable of mechanisms or not. The safe thing seems to be to ignore the
++ * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
++ * ourselves.
+ */
+
+ id_cryptoctx->mech = CKM_RSA_PKCS;
+@@ -4654,7 +4658,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ if (mechp[i] == CKM_RSA_PKCS) {
+ /* This seems backwards... */
+ id_cryptoctx->mech =
+- (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
++ (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
+ }
+ }
+ free(mechp);
+--
+2.35.1
+
diff --git a/SOURCES/downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch b/SOURCES/downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
new file mode 100644
index 0000000..7028373
--- /dev/null
+++ b/SOURCES/downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
@@ -0,0 +1,156 @@
+From 10b32480395a01798b21818e884a593930b400d1 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Wed, 27 Apr 2022 15:29:08 +0200
+Subject: [PATCH] Fix dejagnu unit tests directory name for RPC lib
+
+This commit renames RPC library's unit tests directory to match the
+newly enforced naming convention of dejagnu.
+
+Resolves: rhbz#2070879
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+---
+ src/configure.ac | 2 +-
+ src/lib/rpc/Makefile.in | 2 +-
+ src/lib/rpc/{unit-test => testsuite}/Makefile.in | 10 +++++-----
+ src/lib/rpc/{unit-test => testsuite}/client.c | 0
+ src/lib/rpc/{unit-test => testsuite}/config/unix.exp | 0
+ src/lib/rpc/{unit-test => testsuite}/deps | 0
+ src/lib/rpc/{unit-test => testsuite}/lib/helpers.exp | 0
+ .../rpc/{unit-test => testsuite}/rpc_test.0/expire.exp | 0
+ .../{unit-test => testsuite}/rpc_test.0/fullrun.exp | 0
+ .../rpc/{unit-test => testsuite}/rpc_test.0/gsserr.exp | 0
+ src/lib/rpc/{unit-test => testsuite}/rpc_test.h | 0
+ src/lib/rpc/{unit-test => testsuite}/rpc_test.x | 0
+ src/lib/rpc/{unit-test => testsuite}/rpc_test_clnt.c | 0
+ src/lib/rpc/{unit-test => testsuite}/rpc_test_svc.c | 0
+ src/lib/rpc/{unit-test => testsuite}/server.c | 0
+ 15 files changed, 7 insertions(+), 7 deletions(-)
+ rename src/lib/rpc/{unit-test => testsuite}/Makefile.in (93%)
+ rename src/lib/rpc/{unit-test => testsuite}/client.c (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/config/unix.exp (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/deps (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/lib/helpers.exp (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/expire.exp (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/fullrun.exp (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test.0/gsserr.exp (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test.h (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test.x (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test_clnt.c (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/rpc_test_svc.c (100%)
+ rename src/lib/rpc/{unit-test => testsuite}/server.c (100%)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 37e36b76d..2a48aa83d 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1497,7 +1497,7 @@ V5_AC_OUTPUT_MAKEFILE(.
+ lib/gssapi lib/gssapi/generic lib/gssapi/krb5 lib/gssapi/spnego
+ lib/gssapi/mechglue
+
+- lib/rpc lib/rpc/unit-test
++ lib/rpc lib/rpc/testsuite
+
+ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
+ lib/krad
+diff --git a/src/lib/rpc/Makefile.in b/src/lib/rpc/Makefile.in
+index 6b5f1e70a..78c7a1326 100644
+--- a/src/lib/rpc/Makefile.in
++++ b/src/lib/rpc/Makefile.in
+@@ -2,7 +2,7 @@ mydir=lib$(S)rpc
+ BUILDTOP=$(REL)..$(S)..
+ DEFINES = -DGSSAPI_KRB5 -DDEBUG_GSSAPI=0 -DGSSRPC__IMPL
+
+-SUBDIRS=unit-test
++SUBDIRS=testsuite
+
+ ##DOSBUILDTOP = ..\..
+ ##DOSLIBNAME=libgssrpc.lib
+diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/testsuite/Makefile.in
+similarity index 93%
+rename from src/lib/rpc/unit-test/Makefile.in
+rename to src/lib/rpc/testsuite/Makefile.in
+index 0b6e5203d..0fab26c10 100644
+--- a/src/lib/rpc/unit-test/Makefile.in
++++ b/src/lib/rpc/testsuite/Makefile.in
+@@ -1,4 +1,4 @@
+-mydir=lib$(S)rpc$(S)unit-test
++mydir=lib$(S)rpc$(S)testsuite
+ BUILDTOP=$(REL)..$(S)..$(S)..
+
+ OBJS= client.o rpc_test_clnt.o rpc_test_svc.o server.o
+@@ -34,19 +34,19 @@ runenv.exp: Makefile
+ # rm -f rpc_test.h rpc_test_clnt.c rpc_test_svc.c
+ #
+
+-check unit-test: unit-test-@DO_TEST@
++check testsuite: testsuite-@DO_TEST@
+
+-unit-test-:
++testsuite-:
+ @echo "+++"
+ @echo "+++ WARNING: lib/rpc unit tests not run."
+ @echo "+++ Either tcl, runtest, or Perl is unavailable."
+ @echo "+++"
+ @echo 'Skipped rpc tests: runtest or Perl not found' >> $(SKIPTESTS)
+
+-unit-test-ok: unit-test-body
++testsuite-ok: testsuite-body
+
+ PASS=@PASS@
+-unit-test-body: runenv.sh runenv.exp
++testsuite-body: runenv.sh runenv.exp
+ $(RM) krb5cc_rpc_test_*
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
+ RPC_TEST_KEYTAB=/tmp/rpc_test_keytab.$$$$ ; export RPC_TEST_KEYTAB ; \
+diff --git a/src/lib/rpc/unit-test/client.c b/src/lib/rpc/testsuite/client.c
+similarity index 100%
+rename from src/lib/rpc/unit-test/client.c
+rename to src/lib/rpc/testsuite/client.c
+diff --git a/src/lib/rpc/unit-test/config/unix.exp b/src/lib/rpc/testsuite/config/unix.exp
+similarity index 100%
+rename from src/lib/rpc/unit-test/config/unix.exp
+rename to src/lib/rpc/testsuite/config/unix.exp
+diff --git a/src/lib/rpc/unit-test/deps b/src/lib/rpc/testsuite/deps
+similarity index 100%
+rename from src/lib/rpc/unit-test/deps
+rename to src/lib/rpc/testsuite/deps
+diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/testsuite/lib/helpers.exp
+similarity index 100%
+rename from src/lib/rpc/unit-test/lib/helpers.exp
+rename to src/lib/rpc/testsuite/lib/helpers.exp
+diff --git a/src/lib/rpc/unit-test/rpc_test.0/expire.exp b/src/lib/rpc/testsuite/rpc_test.0/expire.exp
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test.0/expire.exp
+rename to src/lib/rpc/testsuite/rpc_test.0/expire.exp
+diff --git a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp b/src/lib/rpc/testsuite/rpc_test.0/fullrun.exp
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test.0/fullrun.exp
+rename to src/lib/rpc/testsuite/rpc_test.0/fullrun.exp
+diff --git a/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp b/src/lib/rpc/testsuite/rpc_test.0/gsserr.exp
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test.0/gsserr.exp
+rename to src/lib/rpc/testsuite/rpc_test.0/gsserr.exp
+diff --git a/src/lib/rpc/unit-test/rpc_test.h b/src/lib/rpc/testsuite/rpc_test.h
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test.h
+rename to src/lib/rpc/testsuite/rpc_test.h
+diff --git a/src/lib/rpc/unit-test/rpc_test.x b/src/lib/rpc/testsuite/rpc_test.x
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test.x
+rename to src/lib/rpc/testsuite/rpc_test.x
+diff --git a/src/lib/rpc/unit-test/rpc_test_clnt.c b/src/lib/rpc/testsuite/rpc_test_clnt.c
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test_clnt.c
+rename to src/lib/rpc/testsuite/rpc_test_clnt.c
+diff --git a/src/lib/rpc/unit-test/rpc_test_svc.c b/src/lib/rpc/testsuite/rpc_test_svc.c
+similarity index 100%
+rename from src/lib/rpc/unit-test/rpc_test_svc.c
+rename to src/lib/rpc/testsuite/rpc_test_svc.c
+diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/testsuite/server.c
+similarity index 100%
+rename from src/lib/rpc/unit-test/server.c
+rename to src/lib/rpc/testsuite/server.c
+--
+2.35.1
+
diff --git a/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
new file mode 100644
index 0000000..3b8ccec
--- /dev/null
+++ b/SOURCES/downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
@@ -0,0 +1,342 @@
+From cc1cd235a6a8c066531a17d5773f601455bedb52 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 31 Mar 2022 18:24:39 +0200
+Subject: [PATCH] Use newly enforced dejagnu path naming convention
+
+Since version 1.6.3, dejagnu started to enforce a naming convention that
+was already in place, but not mandatory: dejagnu test directories have
+to be named "testsuite". If they don't implicit relative sub-paths
+resolution (e.g. "lib", "config") is not forking.
+
+This commit renames kadm5 library's unit tests directory to match this
+requirement.
+
+Resolves: rhbz#2070879
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+---
+ src/configure.ac | 2 +-
+ src/lib/kadm5/Makefile.in | 2 +-
+ .../{unit-test => testsuite}/Makefile.in | 28 +++++++++----------
+ .../api.2/crte-policy.exp | 0
+ .../api.2/get-policy.exp | 0
+ .../api.2/mod-policy.exp | 0
+ .../api.current/chpass-principal-v2.exp | 0
+ .../api.current/chpass-principal.exp | 0
+ .../api.current/crte-policy.exp | 0
+ .../api.current/crte-principal.exp | 0
+ .../api.current/destroy.exp | 0
+ .../api.current/dlte-policy.exp | 0
+ .../api.current/dlte-principal.exp | 0
+ .../api.current/get-policy.exp | 0
+ .../api.current/get-principal-v2.exp | 0
+ .../api.current/get-principal.exp | 0
+ .../api.current/init-v2.exp | 0
+ .../api.current/init.exp | 0
+ .../api.current/mod-policy.exp | 0
+ .../api.current/mod-principal-v2.exp | 0
+ .../api.current/mod-principal.exp | 0
+ .../api.current/randkey-principal-v2.exp | 0
+ .../api.current/randkey-principal.exp | 0
+ .../{unit-test => testsuite}/config/unix.exp | 0
+ src/lib/kadm5/{unit-test => testsuite}/deps | 0
+ .../{unit-test => testsuite}/destroy-test.c | 0
+ .../diff-files/destroy-1 | 0
+ .../diff-files/no-diffs | 0
+ .../{unit-test => testsuite}/handle-test.c | 0
+ .../{unit-test => testsuite}/init-test.c | 0
+ .../{unit-test => testsuite}/iter-test.c | 0
+ .../kadm5/{unit-test => testsuite}/lib/lib.t | 2 +-
+ .../{unit-test => testsuite}/lock-test.c | 0
+ .../{unit-test => testsuite}/randkey-test.c | 0
+ .../{unit-test => testsuite}/setkey-test.c | 0
+ .../kadm5/{unit-test => testsuite}/site.exp | 0
+ 36 files changed, 17 insertions(+), 17 deletions(-)
+ rename src/lib/kadm5/{unit-test => testsuite}/Makefile.in (86%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.2/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/chpass-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/crte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/destroy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/dlte-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/get-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/init.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-policy.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/mod-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal-v2.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/api.current/randkey-principal.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/config/unix.exp (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/deps (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/destroy-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/destroy-1 (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/diff-files/no-diffs (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/handle-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/init-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/iter-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lib/lib.t (99%)
+ rename src/lib/kadm5/{unit-test => testsuite}/lock-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/randkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/setkey-test.c (100%)
+ rename src/lib/kadm5/{unit-test => testsuite}/site.exp (100%)
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 29be532cb..37e36b76d 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1499,7 +1499,7 @@ V5_AC_OUTPUT_MAKEFILE(.
+
+ lib/rpc lib/rpc/unit-test
+
+- lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/unit-test
++ lib/kadm5 lib/kadm5/clnt lib/kadm5/srv lib/kadm5/testsuite
+ lib/krad
+ lib/apputils
+
+diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in
+index c4eaad38d..76fc4b548 100644
+--- a/src/lib/kadm5/Makefile.in
++++ b/src/lib/kadm5/Makefile.in
+@@ -1,6 +1,6 @@
+ mydir=lib$(S)kadm5
+ BUILDTOP=$(REL)..$(S)..
+-SUBDIRS = clnt srv unit-test
++SUBDIRS = clnt srv testsuite
+
+ ##DOSBUILDTOP = ..\..
+
+diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/testsuite/Makefile.in
+similarity index 86%
+rename from src/lib/kadm5/unit-test/Makefile.in
+rename to src/lib/kadm5/testsuite/Makefile.in
+index 68fa097ff..5a55b786b 100644
+--- a/src/lib/kadm5/unit-test/Makefile.in
++++ b/src/lib/kadm5/testsuite/Makefile.in
+@@ -1,4 +1,4 @@
+-mydir=lib$(S)kadm5$(S)unit-test
++mydir=lib$(S)kadm5$(S)testsuite
+ BUILDTOP=$(REL)..$(S)..$(S)..
+ KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
+
+@@ -61,7 +61,7 @@ runenv.exp: Makefile
+ eval echo "set env\($$i\) \$$$$i"; done > runenv.exp
+
+ #
+-# The unit-test targets
++# The testsuite targets
+ #
+
+ check: check-@DO_TEST@
+@@ -72,13 +72,13 @@ check-:
+ @echo "+++ Either tcl, runtest, or Perl is unavailable."
+ @echo "+++"
+
+-check-ok unit-test: unit-test-client unit-test-server
++check-ok testsuite: testsuite-client testsuite-server
+
+-unit-test-client: unit-test-client-setup unit-test-client-body \
+- unit-test-client-cleanup
++testsuite-client: testsuite-client-setup testsuite-client-body \
++ testsuite-client-cleanup
+
+-unit-test-server: unit-test-server-setup unit-test-server-body \
+- unit-test-server-cleanup
++testsuite-server: testsuite-server-setup testsuite-server-body \
++ testsuite-server-cleanup
+
+ test-randkey: randkey-test
+ $(ENV_SETUP) $(VALGRIND) ./randkey-test
+@@ -98,19 +98,19 @@ test-destroy: destroy-test
+ test-setkey-client: client-setkey-test
+ $(ENV_SETUP) $(VALGRIND) ./client-setkey-test testkeys admin admin
+
+-unit-test-client-setup: runenv.sh
++testsuite-client-setup: runenv.sh
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
+
+-unit-test-client-cleanup:
++testsuite-client-cleanup:
+ $(ENV_SETUP) $(STOP_SERVERS)
+
+-unit-test-server-setup: runenv.sh
++testsuite-server-setup: runenv.sh
+ $(ENV_SETUP) $(VALGRIND) $(START_SERVERS_LOCAL)
+
+-unit-test-server-cleanup:
++testsuite-server-cleanup:
+ $(ENV_SETUP) $(STOP_SERVERS_LOCAL)
+
+-unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
++testsuite-client-body: site.exp test-noauth test-destroy test-handle-client \
+ test-setkey-client runenv.exp
+ $(ENV_SETUP) $(RUNTEST) --tool api RPC=1 API=$(CLNTTCL) \
+ KINIT=$(BUILDTOP)/clients/kinit/kinit \
+@@ -121,7 +121,7 @@ unit-test-client-body: site.exp test-noauth test-destroy test-handle-client \
+ -mv api.log capi.log
+ -mv api.sum capi.sum
+
+-unit-test-server-body: site.exp test-handle-server lock-test
++testsuite-server-body: site.exp test-handle-server lock-test
+ $(ENV_SETUP) $(RUNTEST) --tool api RPC=0 API=$(SRVTCL) \
+ LOCKTEST=./lock-test \
+ KADMIN_LOCAL=$(BUILDTOP)/kadmin/cli/kadmin.local \
+@@ -140,4 +140,4 @@ clean:
+ $(RM) lock-test lock-test.o
+ $(RM) server-iter-test iter-test.o
+ $(RM) server-setkey-test client-setkey-test setkey-test.o
+- $(RM) *.log *.plog *.sum *.psum unit-test-log.* runenv.exp
++ $(RM) *.log *.plog *.sum *.psum testsuite-log.* runenv.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/testsuite/api.2/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/testsuite/api.2/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/testsuite/api.2/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.2/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.2/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/chpass-principal.exp b/src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/chpass-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/chpass-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-policy.exp b/src/lib/kadm5/testsuite/api.current/crte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/testsuite/api.current/crte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/crte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/crte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/destroy.exp b/src/lib/kadm5/testsuite/api.current/destroy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/destroy.exp
+rename to src/lib/kadm5/testsuite/api.current/destroy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/dlte-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/dlte-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-policy.exp b/src/lib/kadm5/testsuite/api.current/get-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/get-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/get-principal.exp b/src/lib/kadm5/testsuite/api.current/get-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/get-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/get-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/testsuite/api.current/init-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/init-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/init.exp b/src/lib/kadm5/testsuite/api.current/init.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/init.exp
+rename to src/lib/kadm5/testsuite/api.current/init.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-policy.exp b/src/lib/kadm5/testsuite/api.current/mod-policy.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-policy.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-policy.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/testsuite/api.current/mod-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/mod-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/mod-principal.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal-v2.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal-v2.exp
+diff --git a/src/lib/kadm5/unit-test/api.current/randkey-principal.exp b/src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/api.current/randkey-principal.exp
+rename to src/lib/kadm5/testsuite/api.current/randkey-principal.exp
+diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/testsuite/config/unix.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/config/unix.exp
+rename to src/lib/kadm5/testsuite/config/unix.exp
+diff --git a/src/lib/kadm5/unit-test/deps b/src/lib/kadm5/testsuite/deps
+similarity index 100%
+rename from src/lib/kadm5/unit-test/deps
+rename to src/lib/kadm5/testsuite/deps
+diff --git a/src/lib/kadm5/unit-test/destroy-test.c b/src/lib/kadm5/testsuite/destroy-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/destroy-test.c
+rename to src/lib/kadm5/testsuite/destroy-test.c
+diff --git a/src/lib/kadm5/unit-test/diff-files/destroy-1 b/src/lib/kadm5/testsuite/diff-files/destroy-1
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/destroy-1
+rename to src/lib/kadm5/testsuite/diff-files/destroy-1
+diff --git a/src/lib/kadm5/unit-test/diff-files/no-diffs b/src/lib/kadm5/testsuite/diff-files/no-diffs
+similarity index 100%
+rename from src/lib/kadm5/unit-test/diff-files/no-diffs
+rename to src/lib/kadm5/testsuite/diff-files/no-diffs
+diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/testsuite/handle-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/handle-test.c
+rename to src/lib/kadm5/testsuite/handle-test.c
+diff --git a/src/lib/kadm5/unit-test/init-test.c b/src/lib/kadm5/testsuite/init-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/init-test.c
+rename to src/lib/kadm5/testsuite/init-test.c
+diff --git a/src/lib/kadm5/unit-test/iter-test.c b/src/lib/kadm5/testsuite/iter-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/iter-test.c
+rename to src/lib/kadm5/testsuite/iter-test.c
+diff --git a/src/lib/kadm5/unit-test/lib/lib.t b/src/lib/kadm5/testsuite/lib/lib.t
+similarity index 99%
+rename from src/lib/kadm5/unit-test/lib/lib.t
+rename to src/lib/kadm5/testsuite/lib/lib.t
+index 3444775cf..327946849 100644
+--- a/src/lib/kadm5/unit-test/lib/lib.t
++++ b/src/lib/kadm5/testsuite/lib/lib.t
+@@ -226,7 +226,7 @@ proc end_dump_compare {name} {
+ global RPC
+
+ if { ! $RPC } {
+-# set file $TOP/admin/lib/unit-test/diff-files/$name
++# set file $TOP/admin/lib/testsuite/diff-files/$name
+ # exec $env(SIMPLE_DUMP) > /tmp/dump.after
+ # exec $env(COMPARE_DUMP) /tmp/dump.before /tmp/dump.after $file
+ }
+diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/testsuite/lock-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/lock-test.c
+rename to src/lib/kadm5/testsuite/lock-test.c
+diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/testsuite/randkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/randkey-test.c
+rename to src/lib/kadm5/testsuite/randkey-test.c
+diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/testsuite/setkey-test.c
+similarity index 100%
+rename from src/lib/kadm5/unit-test/setkey-test.c
+rename to src/lib/kadm5/testsuite/setkey-test.c
+diff --git a/src/lib/kadm5/unit-test/site.exp b/src/lib/kadm5/testsuite/site.exp
+similarity index 100%
+rename from src/lib/kadm5/unit-test/site.exp
+rename to src/lib/kadm5/testsuite/site.exp
+--
+2.35.1
+
diff --git a/SOURCES/krb5-krad-larger-attrs.patch b/SOURCES/krb5-krad-larger-attrs.patch
new file mode 100644
index 0000000..8437921
--- /dev/null
+++ b/SOURCES/krb5-krad-larger-attrs.patch
@@ -0,0 +1,69 @@
+From b2b7729d71e7ab2cde9c73b40b8e972c82a875a2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Nov 2021 17:48:50 +0100
+Subject: [PATCH] Support larger RADIUS attributes in libkrad
+
+In kr_attrset_decode(), explicitly treat the length byte as unsigned.
+Otherwise attributes longer than 125 characters will be rejected with
+EBADMSG.
+
+Add a 253-character-long NAS-Identifier attribute to the tests to make
+sure that attributes with the maximal number of characters are working
+as expected.
+
+[ghudson@mit.edu: used uint8_t cast per current practices; edited
+commit message]
+
+ticket: 9036 (new)
+---
+ src/lib/krad/attrset.c | 2 +-
+ src/lib/krad/t_packet.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
+index d89982a13..6ec031e32 100644
+--- a/src/lib/krad/attrset.c
++++ b/src/lib/krad/attrset.c
+@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
+
+ for (i = 0; i + 2 < in->length; ) {
+ type = in->data[i++];
+- tmp = make_data(&in->data[i + 1], in->data[i] - 2);
++ tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
+ i += tmp.length + 1;
+
+ retval = (in->length < i) ? EBADMSG : 0;
+diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
+index 0a92e9cc2..c22489144 100644
+--- a/src/lib/krad/t_packet.c
++++ b/src/lib/krad/t_packet.c
+@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
+ krb5_error_code retval;
+ const krb5_data *data;
+ int i = 0;
++ krb5_data nas_id;
++
++ nas_id = string2data("12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "12345678901234567890123456789012345678901234567890"
++ "123");
+
+ retval = krad_attrset_new(ctx, &set);
+ if (retval != 0)
+@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
+ if (retval != 0)
+ goto out;
+
++ retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
++ &nas_id);
++ if (retval != 0)
++ goto out;
++
+ retval = krad_packet_new_request(ctx, "foo",
+ krad_code_name2num("Access-Request"),
+ set, iterator, &i, &tmp);
+--
+2.35.3
+
diff --git a/SOURCES/krb5-krad-remote.patch b/SOURCES/krb5-krad-remote.patch
new file mode 100644
index 0000000..d9c4d9e
--- /dev/null
+++ b/SOURCES/krb5-krad-remote.patch
@@ -0,0 +1,171 @@
+From da677b071dadda3700d12d037f5896b166d3546d Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 9 Nov 2021 13:00:43 -0500
+Subject: [PATCH] Avoid use after free during libkrad cleanup
+
+libkrad client requests contain a list of references to remotes, with
+no back-references or reference counts. To prevent accesses to
+dangling references during cleanup, cancel all requests on all remotes
+before freeing any remotes.
+
+Remove the code for aging out unused servers. This code was fairly
+safe as all requests referencing a remote should have completed or
+timed out during an hour of disuse, but in the current design we have
+no way to guarantee or check that. The set of addresses we send
+RADIUS requests to will generally be small, so aging out servers is
+unnecessary.
+
+ticket: 9035 (new)
+---
+ src/lib/krad/client.c | 42 ++++++++++++++---------------------------
+ src/lib/krad/internal.h | 4 ++++
+ src/lib/krad/remote.c | 11 ++++++++---
+ 3 files changed, 26 insertions(+), 31 deletions(-)
+
+diff --git a/src/lib/krad/client.c b/src/lib/krad/client.c
+index 6365dd1c6..810940afc 100644
+--- a/src/lib/krad/client.c
++++ b/src/lib/krad/client.c
+@@ -64,7 +64,6 @@ struct request_st {
+
+ struct server_st {
+ krad_remote *serv;
+- time_t last;
+ K5_LIST_ENTRY(server_st) list;
+ };
+
+@@ -81,15 +80,10 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+ krad_remote **out)
+ {
+ krb5_error_code retval;
+- time_t currtime;
+ server *srv;
+
+- if (time(&currtime) == (time_t)-1)
+- return errno;
+-
+ K5_LIST_FOREACH(srv, &rc->servers, list) {
+ if (kr_remote_equals(srv->serv, ai, secret)) {
+- srv->last = currtime;
+ *out = srv->serv;
+ return 0;
+ }
+@@ -98,7 +92,6 @@ get_server(krad_client *rc, const struct addrinfo *ai, const char *secret,
+ srv = calloc(1, sizeof(server));
+ if (srv == NULL)
+ return ENOMEM;
+- srv->last = currtime;
+
+ retval = kr_remote_new(rc->kctx, rc->vctx, ai, secret, &srv->serv);
+ if (retval != 0) {
+@@ -173,28 +166,12 @@ request_new(krad_client *rc, krad_code code, const krad_attrset *attrs,
+ return 0;
+ }
+
+-/* Close remotes that haven't been used in a while. */
+-static void
+-age(struct server_head *head, time_t currtime)
+-{
+- server *srv, *tmp;
+-
+- K5_LIST_FOREACH_SAFE(srv, head, list, tmp) {
+- if (currtime == (time_t)-1 || currtime - srv->last > 60 * 60) {
+- K5_LIST_REMOVE(srv, list);
+- kr_remote_free(srv->serv);
+- free(srv);
+- }
+- }
+-}
+-
+ /* Handle a response from a server (or related errors). */
+ static void
+ on_response(krb5_error_code retval, const krad_packet *reqp,
+ const krad_packet *rspp, void *data)
+ {
+ request *req = data;
+- time_t currtime;
+ size_t i;
+
+ /* Do nothing if we are already completed. */
+@@ -221,10 +198,6 @@ on_response(krb5_error_code retval, const krad_packet *reqp,
+ for (i = 0; req->remotes[i].remote != NULL; i++)
+ kr_remote_cancel(req->remotes[i].remote, req->remotes[i].packet);
+
+- /* Age out servers that haven't been used in a while. */
+- if (time(&currtime) != (time_t)-1)
+- age(&req->rc->servers, currtime);
+-
+ request_free(req);
+ }
+
+@@ -247,10 +220,23 @@ krad_client_new(krb5_context kctx, verto_ctx *vctx, krad_client **out)
+ void
+ krad_client_free(krad_client *rc)
+ {
++ server *srv;
++
+ if (rc == NULL)
+ return;
+
+- age(&rc->servers, -1);
++ /* Cancel all requests before freeing any remotes, since each request's
++ * callback data may contain references to multiple remotes. */
++ K5_LIST_FOREACH(srv, &rc->servers, list)
++ kr_remote_cancel_all(srv->serv);
++
++ while (!K5_LIST_EMPTY(&rc->servers)) {
++ srv = K5_LIST_FIRST(&rc->servers);
++ K5_LIST_REMOVE(srv, list);
++ kr_remote_free(srv->serv);
++ free(srv);
++ }
++
+ free(rc);
+ }
+
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index 312dc8258..b086598fb 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -120,6 +120,10 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ void
+ kr_remote_cancel(krad_remote *rr, const krad_packet *pkt);
+
++/* Cancel all requests awaiting responses. */
++void
++kr_remote_cancel_all(krad_remote *rr);
++
+ /* Determine if this remote object refers to the remote resource identified
+ * by the addrinfo struct and the secret. */
+ krb5_boolean
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index 0f90443ce..b5dd8cd19 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -421,15 +421,20 @@ error:
+ return retval;
+ }
+
++void
++kr_remote_cancel_all(krad_remote *rr)
++{
++ while (!K5_TAILQ_EMPTY(&rr->list))
++ request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
++}
++
+ void
+ kr_remote_free(krad_remote *rr)
+ {
+ if (rr == NULL)
+ return;
+
+- while (!K5_TAILQ_EMPTY(&rr->list))
+- request_finish(K5_TAILQ_FIRST(&rr->list), ECANCELED, NULL);
+-
++ kr_remote_cancel_all(rr);
+ free(rr->secret);
+ if (rr->info != NULL)
+ free(rr->info->ai_addr);
+--
+2.35.3
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 5e13c23..8c2049b 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 14%{?dist}
+Release: 21%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -86,6 +86,13 @@ Patch140: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
Patch141: Fix-KCM-retrieval-support-for-sssd.patch
Patch142: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Patch143: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+Patch144: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
+Patch145: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
+Patch146: Make-kprop-work-for-dump-files-larger-than-4GB.patch
+Patch147: Try-harder-to-avoid-password-change-replay-errors.patch
+Patch148: downstream-Fix-dejagnu-unit-tests-directory-name-for-RPC-lib.patch
+Patch149: krb5-krad-larger-attrs.patch
+Patch150: krb5-krad-remote.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -291,7 +298,7 @@ popd
# builds going on the same host don't step on each other.
cfg="src/kadmin/testing/proto/kdc.conf.proto \
src/kadmin/testing/proto/krb5.conf.proto \
- src/lib/kadm5/unit-test/api.current/init-v2.exp \
+ src/lib/kadm5/testsuite/api.current/init-v2.exp \
src/util/k5test.py"
LONG_BIT=`getconf LONG_BIT`
PORT=`expr 61000 + $LONG_BIT - 48`
@@ -696,6 +703,23 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Fri Jul 01 2022 Julien Rische <jrische@redhat.com> - 1.18.2-21
+- Backport fix of memory use after free during libkrad cleanup
+- Backport support for larger RADIUS attributes in libkrad
+- Resolves: rhbz#2103125
+
+* Wed Apr 27 2022 Julien Rische <jrische@redhat.com> - 1.18.2-19
+- Try harder to avoid password change replay errors
+- Resolves: #2077563
+
+* Wed Apr 13 2022 Julien Rische <jrische@redhat.com> - 1.18.2-18
+- Fix kprop for propagating dump files larger than 4GB
+- Resolves: #2026462
+
+* Mon Mar 21 2022 Julien Rische <jrische@redhat.com> - 1.18.2-15
+- Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest
+- Resolves: #2066316
+
* Wed Aug 25 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-14
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
- Resolves: #1997601