diff --git a/.gitignore b/.gitignore
index 102e165..1837221 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.12.0.tar.gz
+SOURCES/pki-10.14.3.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 78529e8..a5e8c43 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-14942c7bda42ccd0f57ea5b2e538eb13a559572f SOURCES/pki-10.12.0.tar.gz
+0508d8fa638b11f309d958338afc71e4c9f24f8d SOURCES/pki-10.14.3.tar.gz
diff --git a/SOURCES/0001-Disable-access-to-external-entities-when-parsing-XML.patch b/SOURCES/0001-Disable-access-to-external-entities-when-parsing-XML.patch
deleted file mode 100644
index 75da580..0000000
--- a/SOURCES/0001-Disable-access-to-external-entities-when-parsing-XML.patch
+++ /dev/null
@@ -1,145 +0,0 @@ -From 039b3453d17bb5666d4b7a4eacc6a014703416c7 Mon Sep 17 00:00:00 2001 -From: Chris Kelley -Date: Fri, 10 Jun 2022 17:25:07 +0100 -Subject: [PATCH] Disable access to external entities when parsing XML - -This reduces the vulnerability of XML parsers to XXE (XML external -entity) injection. - -The best way to prevent XXE is to stop using XML altogether, which we do -plan to do. Until that happens I consider it worthwhile to tighten the -security here though. ---- - .../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++- - .../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 + - .../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++ - .../src/test/java/com/netscape/test/TestListener.java | 5 ++++- - 4 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -index bdd485e89a..07fae1ad50 100644 ---- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java -@@ -24,6 +24,7 @@ import java.util.Enumeration; - import java.util.Locale; - import java.util.Vector; - -+import javax.xml.XMLConstants; - import javax.xml.parsers.ParserConfigurationException; - import javax.xml.transform.OutputKeys; - import javax.xml.transform.Transformer; -@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor { - XMLObject xmlObject = convertDomainInfoToXMLObject(before); - Document document = xmlObject.getDocument(); - -- Transformer transformer = TransformerFactory.newInstance().newTransformer(); -+ TransformerFactory transformerFactory = TransformerFactory.newInstance(); -+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, 
""); -+ Transformer transformer = transformerFactory.newTransformer(); - transformer.setOutputProperty(OutputKeys.INDENT, "yes"); - transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); - -diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java -index 2a02d722a1..d9ac572747 100644 ---- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java -+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java -@@ -41,6 +41,7 @@ public class ServerXml { - ServerXml serverXml = new ServerXml(); - - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); -+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - DocumentBuilder builder = factory.newDocumentBuilder(); - Document document = builder.parse(filename); - -diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java -index 81fdbf4b2e..1043bcb477 100644 ---- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java -+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java -@@ -25,6 +25,7 @@ import java.io.OutputStream; - import java.io.StringWriter; - import java.util.Vector; - -+import javax.xml.XMLConstants; - import javax.xml.parsers.DocumentBuilder; - import javax.xml.parsers.DocumentBuilderFactory; - import javax.xml.parsers.ParserConfigurationException; -@@ -56,6 +57,7 @@ public class XMLObject { - public XMLObject(InputStream s) - throws SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); -+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - DocumentBuilder docBuilder = factory.newDocumentBuilder(); - mDoc = docBuilder.parse(s); - } -@@ -63,6 +65,7 @@ public class XMLObject { - public XMLObject(File f) - throws 
SAXException, IOException, ParserConfigurationException { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); -+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - DocumentBuilder docBuilder = factory.newDocumentBuilder(); - mDoc = docBuilder.parse(f); - } -@@ -159,6 +162,8 @@ public class XMLObject { - public byte[] toByteArray() throws TransformerConfigurationException, TransformerException { - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - TransformerFactory tranFactory = TransformerFactory.newInstance(); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - Transformer aTransformer = tranFactory.newTransformer(); - Source src = new DOMSource(mDoc); - Result dest = new StreamResult(bos); -@@ -169,6 +174,8 @@ public class XMLObject { - public void output(OutputStream os) - throws TransformerConfigurationException, TransformerException { - TransformerFactory tranFactory = TransformerFactory.newInstance(); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - Transformer aTransformer = tranFactory.newTransformer(); - Source src = new DOMSource(mDoc); - Result dest = new StreamResult(os); -@@ -177,6 +184,8 @@ public class XMLObject { - - public String toXMLString() throws TransformerConfigurationException, TransformerException { - TransformerFactory tranFactory = TransformerFactory.newInstance(); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - Transformer transformer = tranFactory.newTransformer(); - Source src = new DOMSource(mDoc); - StreamResult dest = new StreamResult(new StringWriter()); -diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java -index 
3181d53dc8..ac5d6e0f42 100644 ---- a/base/util/src/test/java/com/netscape/test/TestListener.java -+++ b/base/util/src/test/java/com/netscape/test/TestListener.java -@@ -10,6 +10,7 @@ import java.text.SimpleDateFormat; - import java.util.Date; - import java.util.TimeZone; - -+import javax.xml.XMLConstants; - import javax.xml.parsers.DocumentBuilder; - import javax.xml.parsers.DocumentBuilderFactory; - import javax.xml.transform.OutputKeys; -@@ -22,7 +23,6 @@ import org.junit.runner.Description; - import org.junit.runner.Result; - import org.junit.runner.notification.Failure; - import org.junit.runner.notification.RunListener; -- - import org.w3c.dom.Document; - import org.w3c.dom.Element; - import org.w3c.dom.Text; -@@ -64,9 +64,12 @@ public class TestListener extends RunListener { - dateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); - - docBuilderFactory = DocumentBuilderFactory.newInstance(); -+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - docBuilder = docBuilderFactory.newDocumentBuilder(); - - transFactory = TransformerFactory.newInstance(); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - trans = transFactory.newTransformer(); - trans.setOutputProperty(OutputKeys.INDENT, "yes"); - --- -2.35.1 - diff --git a/SOURCES/0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch b/SOURCES/0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch deleted file mode 100644 index 1b057a2..0000000 --- a/SOURCES/0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From af9d5ee1e57b128603974595e26feb3effe05c87 Mon Sep 17 00:00:00 2001 -From: Chris Kelley -Date: Thu, 14 Jul 2022 16:49:25 +0100 -Subject: [PATCH] Fix accidental renaming of factories in conflict resolution. - ---- - base/util/src/test/java/com/netscape/test/TestListener.java | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java -index ac5d6e0f42..56b7793f61 100644 ---- a/base/util/src/test/java/com/netscape/test/TestListener.java -+++ b/base/util/src/test/java/com/netscape/test/TestListener.java -@@ -64,12 +64,12 @@ public class TestListener extends RunListener { - dateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); - - docBuilderFactory = DocumentBuilderFactory.newInstance(); -- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); -+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - docBuilder = docBuilderFactory.newDocumentBuilder(); - - transFactory = TransformerFactory.newInstance(); -- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); -+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - trans = transFactory.newTransformer(); - trans.setOutputProperty(OutputKeys.INDENT, "yes"); - --- -2.35.1 - diff --git a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch deleted file mode 100644 index 065a9d9..0000000 --- a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch +++ /dev/null 
@@ -1,332 +0,0 @@ -From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 25 Jan 2022 16:29:53 -0600 -Subject: [PATCH] Fix pki-healthcheck for clones - -Previously the ClonesConnectivyAndDataCheck.check_kra_clones() -was trying to check KRA clone status by retrieving a key using -the subsystem cert. This operation did not work since the user -associated with the cert did not have access to the keys. The -code has been changed to get the status from GetStatus service -instead. The original code might be moved into IPA later so it -could run with IPA's RA agent credentials which would allow -access to the keys. - -Previously the ClonesPlugin.contact_subsystem_using_sslget() -used sslget to call GetStatus service and returned the entire -output which was then incorrectly processed in XML format. The -method has been renamed to get_status() and changed to use -PKIConnection and process the response in either JSON or XML -format, then only return the subsystem status. All callers -have been updated accordingly. - -The ClonesPlugin.contact_subsystem_using_pki() is no longer -used so it has been removed. 
---- - .../clones/connectivity_and_data.py | 130 ++++++++---------- - .../pki/server/healthcheck/clones/plugin.py | 75 ++++------ - base/server/python/pki/server/__init__.py | 8 +- - 3 files changed, 91 insertions(+), 122 deletions(-) - -diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py -index ca5d6dae48..d9bb480f7f 100644 ---- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py -+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py -@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin): - - def check_kra_clones(self): - for host in self.clone_kras: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out and get some keys or requests , to serve as a data and connectivity check -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName') -- -- output = self.contact_subsystem_using_pki( -- host.SecurePort, host.Hostname, client_nick, -- self.passwd, self.db_dir, 'kra-key-show', ['0x01']) -- -- # check to see if we either got a key or a key not found exception -- # of which either will imply a successful connection -- if output is not None: -- key_found = output.find('Key ID:') -- key_not_found = output.find('KeyNotFoundException:') -- if key_found >= 0: -- logger.info('Key material found from kra clone.') -- -- if key_not_found >= 0: -- logger.info('key not found, possibly empty kra') -- -- if key_not_found == -1 and key_found == -1: -- logger.info('Failure to get key material from kra') -- raise BaseException('KRA clone problem detected ' + cur_clone_msg) -- else: -- raise BaseException('No data obtained from KRA clone.' 
+ cur_clone_msg) -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/kra/admin/kra/getStatus') - -- except BaseException as e: -- logger.error("Internal error testing KRA clone. %s", e) -- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg) -+ logger.info('KRA at %s is %s', url, status) - -- return -+ if status != 'running': -+ raise Exception('KRA at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach KRA at %s: %s', url, e) -+ raise Exception('Unable to reach KRA at %s: %s' % (url, e)) - - def check_ocsp_clones(self): - for host in self.clone_ocsps: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out to the ocsp clones -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- output = self.contact_subsystem_using_sslget( -- host.SecurePort, host.Hostname, None, -- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus') -- -- good_status = output.find('1') -- if good_status == -1: -- raise BaseException('OCSP clone problem detected.' + cur_clone_msg) -- logger.info('good_status %s ', good_status) -- except BaseException as e: -- logger.error("Internal error testing OCSP clone. %s", e) -- raise BaseException('Internal error testing OCSP clone.' 
+ cur_clone_msg) -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/ocsp/admin/ocsp/getStatus') - -- return -+ logger.info('OCSP at %s is %s', url, status) -+ -+ if status != 'running': -+ raise Exception('OCSP at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach OCSP at %s: %s', url, e) -+ raise Exception('Unable to reach OCSP at %s: %s' % (url, e)) - - def check_tks_clones(self): - for host in self.clone_tkss: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out to the tks clones -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- output = self.contact_subsystem_using_sslget( -- host.SecurePort, host.Hostname, None, -- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus') -- -- good_status = output.find('1') -- if good_status == -1: -- raise BaseException('TKS clone problem detected.' + cur_clone_msg) -- logger.info('good_status %s ', good_status) -- except BaseException as e: -- logger.error("Internal error testing TKS clone. %s", e) -- raise BaseException('Internal error testing TKS clone.' 
+ cur_clone_msg) -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/tks/admin/tks/getStatus') - -- return -+ logger.info('TKS at %s is %s', url, status) -+ -+ if status != 'running': -+ raise Exception('TKS at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach TKS at %s: %s', url, e) -+ raise Exception('Unable to reach TKS at %s: %s' % (url, e)) - - def check_tps_clones(self): - for host in self.clone_tpss: -- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort -- # Reach out to the tps clones -+ -+ url = 'https://' + host.Hostname + ':' + host.SecurePort -+ - try: -- output = self.contact_subsystem_using_sslget( -- host.SecurePort, host.Hostname, None, -- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus') -- -- good_status = output.find('1') -- if good_status == -1: -- raise BaseException('TPS clone problem detected.' + cur_clone_msg) -- logger.info('good_status %s ', good_status) -- except BaseException as e: -- logger.error("Internal error testing TPS clone. %s", e) -- raise BaseException('Internal error testing TPS clone.' 
+ cur_clone_msg) -- return -+ status = self.get_status( -+ host.Hostname, -+ host.SecurePort, -+ '/tps/admin/tps/getStatus') -+ -+ logger.info('TPS at %s is %s', url, status) -+ -+ if status != 'running': -+ raise Exception('TPS at %s is %s' % (url, status)) -+ -+ except Exception as e: -+ logger.error('Unable to reach TPS at %s: %s', url, e) -+ raise Exception('Unable to reach TPS at %s: %s' % (url, e)) - - @duration - def check(self): -diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py -index 2472f35b5b..824c36a1a9 100644 ---- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py -+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py -@@ -6,6 +6,10 @@ - # SPDX-License-Identifier: GPL-2.0-or-later - # - -+import json -+import logging -+import xml.etree.ElementTree as ET -+ - from ipahealthcheck.core.plugin import Plugin, Registry - from pki.server.instance import PKIInstance - from pki.client import PKIConnection -@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient - - from pki.server.healthcheck.core.main import merge_dogtag_config - --import logging --import subprocess -- - logger = logging.getLogger(__name__) - - # Temporary workaround to skip VERBOSE data. 
Fix already pushed to upstream -@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin): - - self.instance = PKIInstance(self.config.instance_name) - -- def contact_subsystem_using_pki( -- self, subport, subhost, subsystemnick, -- token_pwd, db_path, cmd, exts=None): -- command = ["/usr/bin/pki", -- "-p", str(subport), -- "-h", subhost, -- "-n", subsystemnick, -- "-P", "https", -- "-d", db_path, -- "-c", token_pwd, -- cmd] -- -- if exts is not None: -- command.extend(exts) -- -- output = None -- try: -- output = subprocess.check_output(command, stderr=subprocess.STDOUT) -- except subprocess.CalledProcessError as e: -- output = e.output.decode('utf-8') -- return output -+ def get_status(self, host, port, path): - -- output = output.decode('utf-8') -+ self.instance.export_ca_cert() - -- return output -+ connection = PKIConnection( -+ protocol='https', -+ hostname=host, -+ port=port, -+ cert_paths=self.instance.ca_cert) - -- def contact_subsystem_using_sslget( -- self, port, host, subsystemnick, -- token_pwd, db_path, params, url): -+ response = connection.get(path) - -- command = ["/usr/bin/sslget"] -+ content_type = response.headers['Content-Type'] -+ content = response.text -+ logger.info('Content:\n%s', content) - -- if subsystemnick is not None: -- command.extend(["-n", subsystemnick]) -+ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service -+ if content_type == 'application/json': -+ json_response = json.loads(content) -+ status = json_response['Response']['Status'] - -- command.extend(["-p", token_pwd, "-d", db_path]) -- -- if params is not None: -- command.extend(["-e", params]) -- -- command.extend([ -- "-r", url, host + ":" + port]) -- -- logger.info(' command : %s ', command) -- output = None -- try: -- output = subprocess.check_output(command, stderr=subprocess.STDOUT) -- except subprocess.CalledProcessError as e: -- output = e.output.decode('utf-8') -- return output -+ elif content_type == 'application/xml': -+ root = ET.fromstring(content) -+ status = 
root.findtext('Status') - -- output = output.decode('utf-8') -+ else: -+ raise Exception('Unsupported content-type: %s' % content_type) - -- return output -+ logger.info('Status: %s', status) -+ return status - - def get_security_domain_data(self, host, port): - domain_data = None -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 4fbb74684b..0515bbb197 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -241,6 +241,10 @@ class PKIServer(object): - def jss_conf(self): - return os.path.join(self.conf_dir, 'jss.conf') - -+ @property -+ def ca_cert(self): -+ return os.path.join(self.nssdb_dir, 'ca.crt') -+ - def is_valid(self): - return self.exists() - -@@ -259,8 +263,6 @@ class PKIServer(object): - - def export_ca_cert(self): - -- ca_path = os.path.join(self.nssdb_dir, 'ca.crt') -- - token = pki.nssdb.INTERNAL_TOKEN_NAME - nickname = self.get_sslserver_cert_nickname() - -@@ -272,7 +274,7 @@ class PKIServer(object): - nssdb = self.open_nssdb(token=token) - - try: -- nssdb.extract_ca_cert(ca_path, nickname) -+ nssdb.extract_ca_cert(self.ca_cert, nickname) - finally: - nssdb.close() - --- -2.33.1 - diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index e171a44..a6cacd8 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -12,9 +12,10 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. -Version: 10.12.0 -Release: 4%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -alpha1 +%global release_number 1 +Version: 10.14.3 +Release: %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist} +#global _phase # To create a tarball from a version tag: # $ git archive \ 
@@ -31,10 +32,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -Patch0: 0001-Fix-pki-healthcheck-for-clones.patch -Patch1: 0001-Disable-access-to-external-entities-when-parsing-XML.patch -Patch2: 0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch - # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) # md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+ @@ -787,9 +784,9 @@ BuildArch: noarch Obsoletes: pki-console < %{version}-%{release} Provides: pki-console = %{version}-%{release} -BuildRequires: idm-console-framework >= 1.2.0 +BuildRequires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0 -Requires: idm-console-framework >= 1.2.0 +Requires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0 Requires: %{product_id}-base-java = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release} @@ -1406,6 +1403,16 @@ fi ################################################################################ %changelog +* Fri Feb 03 2023 Red Hat PKI Team 10.14.3-1 +- Rebase to PKI 10.14.3 +- Bug 1959057 - An error has ocorred (IPA Error 4301:CertificateOperationError) +- Bug 2016164 - IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied +- Bug 2022561 - ipa-healthcheck CADogtagCertsConfigCheck fail to process the scenario of renewed IPA CA certificates ( ipa get_cert_from_db() ) + +* Tue Nov 29 2022 Red Hat PKI Team 10.14.2-1 +- Rebase to PKI 10.14.2 +- Bug 2149253 - Rebase to upstream version v2.14.2 + * Mon Jul 25 2022 Red Hat PKI Team 10.12.0-4 - Bug 2107334 - CVE-2022-2414 access to external entities when parsing XML can lead to XXE - Rename packages to idm-pki
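Review bot: The `Patch0`/`Patch1`/`Patch2` removal in the first spec hunk drops the downstream XXE hardening that the existing changelog ties to CVE-2022-2414, but the new 10.14.3-1 changelog entry does not say that this fix (or the pki-healthcheck clone fix) is now carried by the upstream tarball, so the CVE's presence in the package becomes untraceable from the spec alone. Presumably the rebase includes these commits upstream; if so, record it so anyone auditing the package history can see the fix was not silently lost, e.g. add `- Drop downstream patches for CVE-2022-2414 (XXE) and pki-healthcheck clones, included upstream in 10.14.3` under the 10.14.3-1 entry. If the upstream tarball does not contain them, the patches should be kept rather than removed.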