diff --git a/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-18.patch b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-18.patch
new file mode 100644
index 0000000..b9fc763
--- /dev/null
+++ b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-18.patch
@@ -0,0 +1,508 @@
+From 316f4cc1c641018d0855faa2e010d7ebbc8da549 Mon Sep 17 00:00:00 2001
+From: Chris Kelley <ckelley@redhat.com>
+Date: Fri, 10 Jun 2022 17:25:07 +0100
+Subject: [PATCH 1/4] Disable access to external entities when parsing XML
+
+This reduces the vulnerability of XML parsers to XXE (XML external
+entity) injection.
+
+The best way to prevent XXE is to stop using XML altogether, which we do
+plan to do. Until that happens I consider it worthwhile to tighten the
+security here though.
+
+(cherry picked from commit 2ff217fb9b7f66e011df070294c640df2ebf5207)
+---
+ base/common/src/com/netscape/certsrv/client/PKIClient.java | 1 +
+ .../netscape/cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
+ base/test/src/com/netscape/test/TestListener.java | 5 ++++-
+ base/util/src/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
+ 4 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java
+index af1636d..10f604f 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIClient.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java
+@@ -148,6 +148,7 @@ public class PKIClient {
+ if (verbose) System.out.println("Retrieving CA certificate chain from " + url + ".");
+
+ DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
+
+ Document document = documentBuilder.parse(url.openStream());
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+index 0db1230..7527b58 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+@@ -24,6 +24,7 @@ import java.util.Enumeration;
+ import java.util.Locale;
+ import java.util.Vector;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.ParserConfigurationException;
+ import javax.xml.transform.OutputKeys;
+ import javax.xml.transform.Transformer;
+@@ -389,7 +390,10 @@ public class SecurityDomainProcessor extends CAProcessor {
+ XMLObject xmlObject = convertDomainInfoToXMLObject(before);
+ Document document = xmlObject.getDocument();
+
+- Transformer transformer = TransformerFactory.newInstance().newTransformer();
++ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
++ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+
+diff --git a/base/test/src/com/netscape/test/TestListener.java b/base/test/src/com/netscape/test/TestListener.java
+index 96c4c90..1782030 100644
+--- a/base/test/src/com/netscape/test/TestListener.java
++++ b/base/test/src/com/netscape/test/TestListener.java
+@@ -10,6 +10,7 @@ import java.text.SimpleDateFormat;
+ import java.util.Date;
+ import java.util.TimeZone;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -22,7 +23,6 @@ import org.junit.runner.Description;
+ import org.junit.runner.Result;
+ import org.junit.runner.notification.Failure;
+ import org.junit.runner.notification.RunListener;
+-
+ import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
+ import org.w3c.dom.Text;
+@@ -64,9 +64,12 @@ public class TestListener extends RunListener {
+ dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
+
+ docBuilderFactory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+
+ transFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ trans = transFactory.newTransformer();
+ trans.setOutputProperty(OutputKeys.INDENT, "yes");
+
+diff --git a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+index a7715ec..d8e0f41 100644
+--- a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
++++ b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+@@ -25,6 +25,7 @@ import java.io.OutputStream;
+ import java.io.StringWriter;
+ import java.util.Vector;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.parsers.ParserConfigurationException;
+@@ -56,6 +57,7 @@ public class XMLObject {
+ public XMLObject(InputStream s)
+ throws SAXException, IOException, ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.parse(s);
+ }
+@@ -63,6 +65,7 @@ public class XMLObject {
+ public XMLObject(File f)
+ throws SAXException, IOException, ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.parse(f);
+ }
+@@ -159,6 +162,8 @@ public class XMLObject {
+ public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer aTransformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ Result dest = new StreamResult(bos);
+@@ -169,6 +174,8 @@ public class XMLObject {
+ public void output(OutputStream os)
+ throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer aTransformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ Result dest = new StreamResult(os);
+@@ -177,6 +184,8 @@ public class XMLObject {
+
+ public String toXMLString() throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ StreamResult dest = new StreamResult(new StringWriter());
+--
+1.8.3.1
+
+
+From 4ef4c7722d5519a8099ad8f9aa0c87a645d26c8b Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Mon, 16 May 2022 12:06:31 -0400
+Subject: [PATCH 2/4] Bug2070766-caServerKeygen_DirUserCert subject constraints
+
+This patch replaces input of cert subject to that of the auth token.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=2070766
+
+(cherry picked from commit 3548bdf814ad32e1745b701b8ec5f71eebd376cf)
+---
+ base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg b/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
+index ea1acfb..1ff6898 100644
+--- a/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
+@@ -4,10 +4,8 @@ enable=true
+ enableBy=admin
+ name=Directory-authenticated User Dual-Use Certificate Enrollment using server-side Key generation
+ auth.instance_id=UserDirEnrollment
+-input.list=i1,i2,i3
++input.list=i1
+ input.i1.class_id=serverKeygenInputImpl
+-input.i2.class_id=subjectNameInputImpl
+-input.i3.class_id=submitterInfoInputImpl
+ output.list=o1
+ output.o1.class_id=pkcs12OutputImpl
+ policyset.list=userCertSet
+@@ -16,7 +14,7 @@ policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.userCertSet.1.constraint.name=Subject Name Constraint
+ policyset.userCertSet.1.constraint.params.pattern=UID=.*
+ policyset.userCertSet.1.constraint.params.accept=true
+-policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+ policyset.userCertSet.1.default.name=Subject Name Default
+ policyset.userCertSet.1.default.params.name=
+ policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+@@ -93,7 +91,7 @@ policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+ policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+ policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+ policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+-policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
++policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.auth_token.mail[0]$
+ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+--
+1.8.3.1
+
+
+From 40c0f7f4150c00e4c26c475b09e5f196d2b893bd Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@cfu-rhel84-nonfips-3.sjc.redhat.com>
+Date: Wed, 27 Jul 2022 19:33:04 -0400
+Subject: [PATCH 3/4] Bug2070766 - upgrade-caServerKeygen_DirUserCert-profile
+
+This patch provides the upgrade script to change the profile
+ caServerKeygen_DirUserCert.cfg in an existing ca instance.
+
+fix 2 for bug https://bugzilla.redhat.com/show_bug.cgi?id=2070766
+
+(cherry picked from commit fc7d0612eb29fa4f9263c1f2fc5d4b1c21f386e6)
+---
+ .../10.5.18/02-FixSSKDirUserCertProfileAuth.py | 44 ++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+ create mode 100644 base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py
+
+diff --git a/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py b/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py
+new file mode 100644
+index 0000000..3792cd3
+--- /dev/null
++++ b/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py
+@@ -0,0 +1,44 @@
++# Authors:
++# Christina Fu <cfu@redhat.com>
++#
++# Copyright Red Hat, Inc.
++#
++# SPDX-License-Identifier: GPL-2.0-or-later
++
++from __future__ import absolute_import
++import logging
++import os
++
++import pki
++
++logger = logging.getLogger(__name__)
++
++
++class FixSSKDirUserCertProfileAuth(pki.server.upgrade.PKIServerUpgradeScriptlet):
++
++ def __init__(self):
++ super(FixSSKDirUserCertProfileAuth, self).__init__()
++ self.message = 'Fix the authentication for caServerKeygen_UserCert profile'
++
++ def upgrade_subsystem(self, instance, subsystem):
++
++ if subsystem.name != 'ca':
++ return
++
++ path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caServerKeygen_UserCert.cfg')
++ self.backup(path)
++
++ config = {}
++
++ logger.info('Loading %s', path)
++ pki.util.load_properties(path, config)
++
++ config['input.list'] = 'i1'
++ config.pop('input.i2.class_id', None)
++ config.pop('input.i3.class_id', None)
++ config['policyset.userCertSet.1.default.class_id'] = 'authTokenSubjectNameDefaultImpl'
++ config['policyset.userCertSet.8.default.params.subjAltExtPattern_0'] = \
++ '$request.auth_token.mail[0]$'
++
++ logger.info('Storing %s', path)
++ pki.util.store_properties(path, config)
+--
+1.8.3.1
+
+
+From 82d407d0a31cc1c55766cf83fc05b9a80c3c07e3 Mon Sep 17 00:00:00 2001
+From: Chris Kelley <ckelley@redhat.com>
+Date: Fri, 5 Aug 2022 19:43:10 +0100
+Subject: [PATCH 4/4] Drop erroneous *.py extension from backported upgrade
+ script. (cherry picked from commit 652410871ebc379c05dd8306b1f9a47678322def)
+
+---
+ .../10.5.18/02-FixSSKDirUserCertProfileAuth | 44 ++++++++++++++++++++++
+ .../10.5.18/02-FixSSKDirUserCertProfileAuth.py | 44 ----------------------
+ 2 files changed, 44 insertions(+), 44 deletions(-)
+ create mode 100644 base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth
+ delete mode 100644 base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py
+
+diff --git a/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth b/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth
+new file mode 100644
+index 0000000..3792cd3
+--- /dev/null
++++ b/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth
+@@ -0,0 +1,44 @@
++# Authors:
++# Christina Fu <cfu@redhat.com>
++#
++# Copyright Red Hat, Inc.
++#
++# SPDX-License-Identifier: GPL-2.0-or-later
++
++from __future__ import absolute_import
++import logging
++import os
++
++import pki
++
++logger = logging.getLogger(__name__)
++
++
++class FixSSKDirUserCertProfileAuth(pki.server.upgrade.PKIServerUpgradeScriptlet):
++
++ def __init__(self):
++ super(FixSSKDirUserCertProfileAuth, self).__init__()
++ self.message = 'Fix the authentication for caServerKeygen_UserCert profile'
++
++ def upgrade_subsystem(self, instance, subsystem):
++
++ if subsystem.name != 'ca':
++ return
++
++ path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caServerKeygen_UserCert.cfg')
++ self.backup(path)
++
++ config = {}
++
++ logger.info('Loading %s', path)
++ pki.util.load_properties(path, config)
++
++ config['input.list'] = 'i1'
++ config.pop('input.i2.class_id', None)
++ config.pop('input.i3.class_id', None)
++ config['policyset.userCertSet.1.default.class_id'] = 'authTokenSubjectNameDefaultImpl'
++ config['policyset.userCertSet.8.default.params.subjAltExtPattern_0'] = \
++ '$request.auth_token.mail[0]$'
++
++ logger.info('Storing %s', path)
++ pki.util.store_properties(path, config)
+diff --git a/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py b/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py
+deleted file mode 100644
+index 3792cd3..0000000
+--- a/base/server/upgrade/10.5.18/02-FixSSKDirUserCertProfileAuth.py
++++ /dev/null
+@@ -1,44 +0,0 @@
+-# Authors:
+-# Christina Fu <cfu@redhat.com>
+-#
+-# Copyright Red Hat, Inc.
+-#
+-# SPDX-License-Identifier: GPL-2.0-or-later
+-
+-from __future__ import absolute_import
+-import logging
+-import os
+-
+-import pki
+-
+-logger = logging.getLogger(__name__)
+-
+-
+-class FixSSKDirUserCertProfileAuth(pki.server.upgrade.PKIServerUpgradeScriptlet):
+-
+- def __init__(self):
+- super(FixSSKDirUserCertProfileAuth, self).__init__()
+- self.message = 'Fix the authentication for caServerKeygen_UserCert profile'
+-
+- def upgrade_subsystem(self, instance, subsystem):
+-
+- if subsystem.name != 'ca':
+- return
+-
+- path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caServerKeygen_UserCert.cfg')
+- self.backup(path)
+-
+- config = {}
+-
+- logger.info('Loading %s', path)
+- pki.util.load_properties(path, config)
+-
+- config['input.list'] = 'i1'
+- config.pop('input.i2.class_id', None)
+- config.pop('input.i3.class_id', None)
+- config['policyset.userCertSet.1.default.class_id'] = 'authTokenSubjectNameDefaultImpl'
+- config['policyset.userCertSet.8.default.params.subjAltExtPattern_0'] = \
+- '$request.auth_token.mail[0]$'
+-
+- logger.info('Storing %s', path)
+- pki.util.store_properties(path, config)
+--
+1.8.3.1
+
+From b1195c73badd2a4aae9adac52c02a0b075db5e63 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Mon, 22 Aug 2022 22:10:55 -0600
+Subject: [PATCH] Fixed various variable name typos for:
+
+Disable access to external entities when parsing XML
+
+This reduces the vulnerability of XML parsers to XXE (XML external
+entity) injection.
+
+The best way to prevent XXE is to stop using XML altogether, which we do
+plan to do. Until that happens I consider it worthwhile to tighten the
+security here though.
+---
+ base/common/src/com/netscape/certsrv/client/PKIClient.java | 2 +-
+ base/test/src/com/netscape/test/TestListener.java | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java
+index 10f604f..c5f413e 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIClient.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java
+@@ -148,7 +148,7 @@ public class PKIClient {
+ if (verbose) System.out.println("Retrieving CA certificate chain from " + url + ".");
+
+ DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
+- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ documentFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
+
+ Document document = documentBuilder.parse(url.openStream());
+diff --git a/base/test/src/com/netscape/test/TestListener.java b/base/test/src/com/netscape/test/TestListener.java
+index 1782030..d554587 100644
+--- a/base/test/src/com/netscape/test/TestListener.java
++++ b/base/test/src/com/netscape/test/TestListener.java
+@@ -64,12 +64,12 @@ public class TestListener extends RunListener {
+ dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
+
+ docBuilderFactory = DocumentBuilderFactory.newInstance();
+- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+
+ transFactory = TransformerFactory.newInstance();
+- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
++ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ trans = transFactory.newTransformer();
+ trans.setOutputProperty(OutputKeys.INDENT, "yes");
+
+--
+1.8.3.1
+
+From 9507cb23edcfc0c7c7f873171a6c696f6ca24fc5 Mon Sep 17 00:00:00 2001
+From: Chris Kelley <ckelley@redhat.com>
+Date: Wed, 5 Oct 2022 16:20:58 +0100
+Subject: [PATCH] Add additional XXE protection for DocumentBuilderFactory
+
+The parser configuration changes backported from master were insufficient.
+Older JDKs have known vulnerabilities with JAXB, and the original changes
+were insufficient protection.
+
+(cherry picked from commit 94e7885c1993d6b5d0a28c9b6810d5f52fe5c91c)
+---
+ base/common/src/com/netscape/certsrv/client/PKIClient.java | 3 +++
+ base/util/src/com/netscape/cmsutil/xml/XMLObject.java | 10 ++++++++++
+ pki.spec | 2 +-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java
+index c5f413e..8b6ae30 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIClient.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java
+@@ -149,6 +149,9 @@ public class PKIClient {
+
+ DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
+ documentFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ documentFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ documentFactory.setXIncludeAware(false);
++ documentFactory.setExpandEntityReferences(false);
+ DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
+
+ Document document = documentBuilder.parse(url.openStream());
+diff --git a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+index d8e0f41..f3388ae 100644
+--- a/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
++++ b/base/util/src/com/netscape/cmsutil/xml/XMLObject.java
+@@ -50,6 +50,10 @@ public class XMLObject {
+
+ public XMLObject() throws ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ factory.setXIncludeAware(false);
++ factory.setExpandEntityReferences(false);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.newDocument();
+ }
+@@ -58,6 +62,9 @@ public class XMLObject {
+ throws SAXException, IOException, ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ factory.setXIncludeAware(false);
++ factory.setExpandEntityReferences(false);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.parse(s);
+ }
+@@ -66,6 +73,9 @@ public class XMLObject {
+ throws SAXException, IOException, ParserConfigurationException {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ factory.setXIncludeAware(false);
++ factory.setExpandEntityReferences(false);
+ DocumentBuilder docBuilder = factory.newDocumentBuilder();
+ mDoc = docBuilder.parse(f);
+ }
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 69f759e..9f64b5b 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,13 +65,13 @@
Name: pki-core
%if 0%{?rhel}
Version: 10.5.18
-%define redhat_release 21
+%define redhat_release 23
%define redhat_stage 0
#%define default_release %{redhat_release}.%{redhat_stage}
%define default_release %{redhat_release}
%else
Version: 10.5.18
-%define fedora_release 21
+%define fedora_release 23
%define fedora_stage 0
#%define default_release %{fedora_release}.%{fedora_stage}
%define default_release %{fedora_release}
@@ -226,6 +226,8 @@ Patch16: pki-core-rhel-7-9-rhcs-9-7-bu-10.patch
Patch17: pki-core-rhel-7-9-rhcs-9-7-bu-11.patch
#Patch18: pki-core-rhel-7-9-rhcs-9-7-bu-14.patch
Patch19: pki-core-rhel-7-9-rhcs-9-7-bu-15.patch
+#Patch20: pki-core-rhel-7-9-rhcs-9-7-bu-17.patch
+Patch21: pki-core-rhel-7-9-rhcs-9-7-bu-18.patch
# Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
#
@@ -846,6 +848,8 @@ This package is a part of the PKI Core used by the Certificate System.
%patch17 -p1
#%patch18 -p1
%patch19 -p1
+#%patch20 -p1
+%patch21 -p1
%clean
%{__rm} -rf %{buildroot}
@@ -1383,6 +1387,44 @@ fi
%endif # %{with server}
%changelog
+* Mon Oct 10 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-23
+- ##########################################################################
+- # RHEL 7.9 (Batch Update 18):
+- ##########################################################################
+- Bugzilla Bug #2107329 - CVE-2022-2414 pki-core: access to external
+ entities when parsing XML can lead to XXE [rhel-7.9.z] (ckelley, mharmsen)
+- Bugzilla Bug #2111514 - CVE-2022-2393 pki-core: When using the
+ caServerKeygen_DirUserCert profile, user can get certificates for other
+ UIDs by entering name in Subject field [rhel-7.9] (cfu, ckelley)
+- ##########################################################################
+- # RHCS 9.7 (Batch Update 18):
+- ##########################################################################
+- Bugzilla Bug #2107325 - CVE-2022-2414 pki-core: access to external
+ entities when parsing XML can lead to XXE [certificate_system_9.7.z]
+ (ckelley, mharmsen)
+- Bugzilla Bug #2111493 - CVE-2022-2393 pki-core: When using the
+ caServerKeygen_DirUserCert profile, user can get certificates for other
+ UIDs by entering name in Subject field [rhcs_9.7] (cfu, ckelley)
+
+* Mon Aug 22 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-22
+- ##########################################################################
+- # RHEL 7.9 (Batch Update 17):
+- ##########################################################################
+- Bugzilla Bug #2107329 - CVE-2022-2414 pki-core: access to external
+ entities when parsing XML can lead to XXE [rhel-7.9.z] (ckelley, mharmsen)
+- Bugzilla Bug #2111514 - CVE-2022-2393 pki-core: When using the
+ caServerKeygen_DirUserCert profile, user can get certificates for other
+ UIDs by entering name in Subject field [rhel-7.9] (cfu, ckelley)
+- ##########################################################################
+- # RHCS 9.7 (Batch Update 17):
+- ##########################################################################
+- Bugzilla Bug #2107325 - CVE-2022-2414 pki-core: access to external
+ entities when parsing XML can lead to XXE [certificate_system_9.7.z]
+ (ckelley, mharmsen)
+- Bugzilla Bug #2111493 - CVE-2022-2393 pki-core: When using the
+ caServerKeygen_DirUserCert profile, user can get certificates for other
+ UIDs by entering name in Subject field [rhcs_9.7] (cfu, ckelley)
+
* Tue May 31 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-21
- ##########################################################################
- # RHEL 7.9 (Batch Update 15):