diff --git a/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-19.patch b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-19.patch
new file mode 100644
index 0000000..5b18ee7
--- /dev/null
+++ b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-19.patch
@@ -0,0 +1,338 @@
+From b6b624d191a003f273283a1bc00278f534ff41a6 Mon Sep 17 00:00:00 2001
+From: Chris Kelley <ckelley@redhat.com>
+Date: Wed, 19 Oct 2022 16:42:43 +0100
+Subject: [PATCH 1/2] Use internal JAXP implementation.
+
+JAXP will attempt to use xerces if the JAR is installed, so force the
+application to use the internal parsers instead.
+
+(cherry picked from commit ce5876dae1888cae0631f039694762811d6dab94)
+---
+ .../cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+index db341d5..de98f74 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+@@ -43,6 +43,8 @@ import java.util.Vector;
+
+ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServlet;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
+
+ import org.apache.commons.lang.StringUtils;
+ import org.apache.xerces.parsers.DOMParser;
+@@ -58,6 +60,7 @@ import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.crypto.Signature;
+ import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.util.PasswordCallback;
++import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
+ import org.w3c.dom.NodeList;
+
+@@ -618,9 +621,16 @@ public class CMSEngine implements ICMSEngine {
+ try {
+ String instanceRoot = mConfig.getString("instanceRoot");
+ String path = instanceRoot + File.separator + "conf" + File.separator + SERVER_XML;
+- DOMParser parser = new DOMParser();
+- parser.parse(path);
+- NodeList nodes = parser.getDocument().getElementsByTagName("Connector");
++ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(
++ "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl",
++ this.getClass().getClassLoader());
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ DocumentBuilder builder = factory.newDocumentBuilder();
++ Document doc = builder.parse(new File(path));
++ doc.getDocumentElement().normalize();
++ NodeList nodes = doc.getElementsByTagName("Connector");
+ String parentName = "";
+ String name = "";
+ String port = "";
+--
+1.8.3.1
+
+
+From 646e4eda892d17236ba67f659292ecfcb7790466 Mon Sep 17 00:00:00 2001
+From: Chris Kelley <ckelley@redhat.com>
+Date: Thu, 20 Oct 2022 15:04:40 +0100
+Subject: [PATCH 2/2] Remove references to Xerces JAR
+
+Requesting use of the internal JAXP DocumentBuilderFactory
+implementation renders the JAR unnecessary (from the perspective of PKI,
+it is still required and installed by dependencies of PKI).
+---
+ base/CMakeLists.txt | 8 --------
+ base/ca/shared/conf/jkconfig.manifest | 2 +-
+ base/common/src/CMakeLists.txt | 10 +---------
+ base/java-tools/src/CMakeLists.txt | 10 +---------
+ base/javadoc/CMakeLists.txt | 2 +-
+ base/kra/shared/conf/jkconfig.manifest | 2 +-
+ base/ocsp/shared/conf/jkconfig.manifest | 2 +-
+ base/server/CMakeLists.txt | 3 +--
+ .../cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 1 -
+ base/server/share/conf/catalina.properties | 2 +-
+ base/server/test/CMakeLists.txt | 2 +-
+ base/test/src/CMakeLists.txt | 2 +-
+ base/tks/shared/conf/jkconfig.manifest | 2 +-
+ base/tps/shared/conf/jkconfig.manifest | 2 +-
+ base/util/src/CMakeLists.txt | 12 ++----------
+ base/util/test/CMakeLists.txt | 2 +-
+ 16 files changed, 15 insertions(+), 49 deletions(-)
+
+diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
+index 5be5b24..d5548a1 100644
+--- a/base/CMakeLists.txt
++++ b/base/CMakeLists.txt
+@@ -196,14 +196,6 @@ find_file(XALAN_JAR
+ /usr/share/java
+ )
+
+-find_file(XERCES_JAR
+- NAMES
+- xerces-j2.jar
+- PATHS
+- ${JAVA_LIB_INSTALL_DIR}
+- /usr/share/java
+-)
+-
+ # The order is important!
+ if (APPLICATION_FLAVOR_PKI_CORE OR
+ APPLICATION_FLAVOR_PKI_CONSOLE)
+diff --git a/base/ca/shared/conf/jkconfig.manifest b/base/ca/shared/conf/jkconfig.manifest
+index 3ba1f2e..5731b47 100644
+--- a/base/ca/shared/conf/jkconfig.manifest
++++ b/base/ca/shared/conf/jkconfig.manifest
+@@ -1,2 +1,2 @@
+ Main-Class: org.apache.jk.config.WebXml2Jk
+-Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
++Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
+diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
+index 705d62c..85b3a4c 100644
+--- a/base/common/src/CMakeLists.txt
++++ b/base/common/src/CMakeLists.txt
+@@ -53,14 +53,6 @@ find_file(XALAN_JAR
+ /usr/share/java
+ )
+
+-find_file(XERCES_JAR
+- NAMES
+- xerces-j2.jar
+- PATHS
+- ${JAVA_LIB_INSTALL_DIR}
+- /usr/share/java
+-)
+-
+ find_file(RESTEASY_JAXRS_JAR
+ NAMES
+ resteasy-jaxrs.jar
+@@ -102,7 +94,7 @@ javac(pki-certsrv-classes
+ *.java
+ CLASSPATH
+ ${SLF4J_API_JAR}
+- ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
++ ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR}
+ ${APACHE_COMMONS_LANG_JAR}
+ ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
+diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt
+index 7c57eaa..527aff2 100644
+--- a/base/java-tools/src/CMakeLists.txt
++++ b/base/java-tools/src/CMakeLists.txt
+@@ -45,14 +45,6 @@ find_file(XALAN_JAR
+ /usr/share/java
+ )
+
+-find_file(XERCES_JAR
+- NAMES
+- xerces-j2.jar
+- PATHS
+- ${JAVA_LIB_INSTALL_DIR}
+- /usr/share/java
+-)
+-
+ find_file(RESTEASY_JAXRS_JAR
+ NAMES
+ resteasy-jaxrs.jar
+@@ -87,7 +79,7 @@ javac(pki-tools-classes
+ *.java
+ CLASSPATH
+ ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR}
+- ${XALAN_JAR} ${XERCES_JAR}
++ ${XALAN_JAR}
+ ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_IO_JAR}
+ ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
+ ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
+diff --git a/base/javadoc/CMakeLists.txt b/base/javadoc/CMakeLists.txt
+index c477a33..8e00141 100644
+--- a/base/javadoc/CMakeLists.txt
++++ b/base/javadoc/CMakeLists.txt
+@@ -89,7 +89,7 @@ javadoc(pki-javadoc
+ org.dogtagpki
+ CLASSPATH
+ ${SLF4J_API_JAR}
+- ${XALAN_JAR} ${XERCES_JAR}
++ ${XALAN_JAR}
+ ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
+ ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR}
+ ${LDAPJDK_JAR} ${VELOCITY_JAR}
+diff --git a/base/kra/shared/conf/jkconfig.manifest b/base/kra/shared/conf/jkconfig.manifest
+index 3ba1f2e..5731b47 100644
+--- a/base/kra/shared/conf/jkconfig.manifest
++++ b/base/kra/shared/conf/jkconfig.manifest
+@@ -1,2 +1,2 @@
+ Main-Class: org.apache.jk.config.WebXml2Jk
+-Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
++Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
+diff --git a/base/ocsp/shared/conf/jkconfig.manifest b/base/ocsp/shared/conf/jkconfig.manifest
+index 3ba1f2e..5731b47 100644
+--- a/base/ocsp/shared/conf/jkconfig.manifest
++++ b/base/ocsp/shared/conf/jkconfig.manifest
+@@ -1,2 +1,2 @@
+ Main-Class: org.apache.jk.config.WebXml2Jk
+-Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
++Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
+diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
+index ec2d37b..09ded9c 100644
+--- a/base/server/CMakeLists.txt
++++ b/base/server/CMakeLists.txt
+@@ -46,7 +46,7 @@ javac(pki-server-classes
+ ${HTTPCORE_JAR} ${HTTPCLIENT_JAR}
+ ${JSS_JAR} ${SYMKEY_JAR}
+ ${LDAPJDK_JAR}
+- ${XALAN_JAR} ${XERCES_JAR}
++ ${XALAN_JAR}
+ ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR}
+ ${TOMCATJSS_JAR} ${VELOCITY_JAR}
+ ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
+@@ -130,7 +130,6 @@ add_custom_command(
+ COMMAND /usr/bin/ln -sf /usr/lib/java/symkey.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/symkey.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar
+- COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-apis.jar common/lib/xml-commons-apis.jar
+ COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-resolver.jar common/lib/xml-commons-resolver.jar
+ )
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+index de98f74..23beb96 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+@@ -47,7 +47,6 @@ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+
+ import org.apache.commons.lang.StringUtils;
+-import org.apache.xerces.parsers.DOMParser;
+ import org.dogtagpki.legacy.core.policy.GeneralNameUtil;
+ import org.dogtagpki.legacy.policy.IGeneralNameAsConstraintsConfig;
+ import org.dogtagpki.legacy.policy.IGeneralNamesAsConstraintsConfig;
+diff --git a/base/server/share/conf/catalina.properties b/base/server/share/conf/catalina.properties
+index 2199a78..f7edc01 100644
+--- a/base/server/share/conf/catalina.properties
++++ b/base/server/share/conf/catalina.properties
+@@ -108,7 +108,7 @@ jstl.jar,\
+ geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+ jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+-xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
++xmlParserAPIs.jar,xml-apis.jar,\
+ dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
+ sunpkcs11.jar,jhall.jar,tools.jar,\
+ sunec.jar,zipfs.jar,\
+diff --git a/base/server/test/CMakeLists.txt b/base/server/test/CMakeLists.txt
+index 707493f..ea24f86 100644
+--- a/base/server/test/CMakeLists.txt
++++ b/base/server/test/CMakeLists.txt
+@@ -36,7 +36,7 @@ javac(pki-server-test-classes
+ CLASSPATH
+ ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
+ ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR} ${PKI_CMSBUNDLE_JAR}
+- ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
++ ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${SYMKEY_JAR}
+ ${HAMCREST_JAR} ${JUNIT_JAR}
+ ${CMAKE_BINARY_DIR}/test/classes
+diff --git a/base/test/src/CMakeLists.txt b/base/test/src/CMakeLists.txt
+index 24e72aa..4a8355a 100644
+--- a/base/test/src/CMakeLists.txt
++++ b/base/test/src/CMakeLists.txt
+@@ -6,7 +6,7 @@ javac(pki-test-classes
+ SOURCES
+ *.java
+ CLASSPATH
+- ${XALAN_JAR} ${XERCES_JAR}
++ ${XALAN_JAR}
+ ${HAMCREST_JAR} ${JUNIT_JAR}
+ OUTPUT_DIR
+ ${CMAKE_BINARY_DIR}/test/classes
+diff --git a/base/tks/shared/conf/jkconfig.manifest b/base/tks/shared/conf/jkconfig.manifest
+index 3ba1f2e..5731b47 100644
+--- a/base/tks/shared/conf/jkconfig.manifest
++++ b/base/tks/shared/conf/jkconfig.manifest
+@@ -1,2 +1,2 @@
+ Main-Class: org.apache.jk.config.WebXml2Jk
+-Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
++Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
+diff --git a/base/tps/shared/conf/jkconfig.manifest b/base/tps/shared/conf/jkconfig.manifest
+index 3ba1f2e..5731b47 100644
+--- a/base/tps/shared/conf/jkconfig.manifest
++++ b/base/tps/shared/conf/jkconfig.manifest
+@@ -1,2 +1,2 @@
+ Main-Class: org.apache.jk.config.WebXml2Jk
+-Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xercesImpl.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
++Class-Path: tomcat-jk2.jar commons-logging.jar crimson.jar xmlApis.jar tomcat-util.jar log4j.jar log4j-core.jar
+diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt
+index a2269b2..883ead0 100644
+--- a/base/util/src/CMakeLists.txt
++++ b/base/util/src/CMakeLists.txt
+@@ -52,14 +52,6 @@ find_file(XALAN_JAR
+ /usr/share/java
+ )
+
+-find_file(XERCES_JAR
+- NAMES
+- xerces-j2.jar
+- PATHS
+- ${JAVA_LIB_INSTALL_DIR}
+- /usr/share/java
+-)
+-
+ find_file(NUXWDOG_JAR
+ NAMES
+ nuxwdog.jar
+@@ -73,7 +65,7 @@ javac(pki-nsutil-classes
+ SOURCES
+ netscape/*.java
+ CLASSPATH
+- ${APACHE_COMMONS_LANG_JAR} ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR}
++ ${APACHE_COMMONS_LANG_JAR} ${LDAPJDK_JAR} ${XALAN_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR}
+ ${SLF4J_API_JAR}
+ OUTPUT_DIR
+@@ -118,7 +110,7 @@ javac(pki-cmsutil-classes
+ com/netscape/cmsutil/*.java
+ CLASSPATH
+ ${APACHE_COMMONS_LANG_JAR} ${HTTPCORE_JAR} ${HTTPCLIENT_JAR}
+- ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR}
++ ${LDAPJDK_JAR} ${XALAN_JAR}
+ ${JSS_JAR} ${COMMONS_CODEC_JAR} ${NUXWDOG_JAR}
+ ${SLF4J_API_JAR}
+ OUTPUT_DIR
+diff --git a/base/util/test/CMakeLists.txt b/base/util/test/CMakeLists.txt
+index cc5c07a..3267c66 100644
+--- a/base/util/test/CMakeLists.txt
++++ b/base/util/test/CMakeLists.txt
+@@ -7,7 +7,7 @@ javac(pki-util-test-classes
+ *.java
+ CLASSPATH
+ ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
+- ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} ${XALAN_JAR} ${XERCES_JAR}
++ ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR} ${XALAN_JAR}
+ ${HAMCREST_JAR} ${JUNIT_JAR}
+ OUTPUT_DIR
+ ${CMAKE_BINARY_DIR}/test/classes
+--
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 9f64b5b..a1cb8c2 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,13 +65,13 @@
Name: pki-core
%if 0%{?rhel}
Version: 10.5.18
-%define redhat_release 23
+%define redhat_release 24
%define redhat_stage 0
#%define default_release %{redhat_release}.%{redhat_stage}
%define default_release %{redhat_release}
%else
Version: 10.5.18
-%define fedora_release 23
+%define fedora_release 24
%define fedora_stage 0
#%define default_release %{fedora_release}.%{fedora_stage}
%define default_release %{fedora_release}
@@ -121,7 +121,6 @@ BuildRequires: python-lxml
BuildRequires: python-sphinx
BuildRequires: velocity
BuildRequires: xalan-j2
-BuildRequires: xerces-j2
%if 0%{?rhel} && 0%{?rhel} <= 7
# 'resteasy-base' is a subset of the complete set of
@@ -228,6 +227,7 @@ Patch17: pki-core-rhel-7-9-rhcs-9-7-bu-11.patch
Patch19: pki-core-rhel-7-9-rhcs-9-7-bu-15.patch
#Patch20: pki-core-rhel-7-9-rhcs-9-7-bu-17.patch
Patch21: pki-core-rhel-7-9-rhcs-9-7-bu-18.patch
+Patch22: pki-core-rhel-7-9-rhcs-9-7-bu-19.patch
# Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
#
@@ -429,7 +429,6 @@ Requires: resteasy-jackson-provider >= 3.0.17-1
%endif
Requires: xalan-j2
-Requires: xerces-j2
Requires: xml-commons-apis
Requires: xml-commons-resolver
@@ -850,6 +849,7 @@ This package is a part of the PKI Core used by the Certificate System.
%patch19 -p1
#%patch20 -p1
%patch21 -p1
+%patch22 -p1
%clean
%{__rm} -rf %{buildroot}
@@ -996,7 +996,6 @@ if [ -f /etc/debian_version ]; then
ln -sf /usr/share/java/jackson-xc.jar %{buildroot}%{_datadir}/pki/server/common/lib/jackson-xc.jar
ln -sf /usr/share/java/jss4.jar %{buildroot}%{_datadir}/pki/server/common/lib/jss4.jar
ln -sf /usr/share/java/symkey.jar %{buildroot}%{_datadir}/pki/server/common/lib/symkey.jar
- ln -sf /usr/share/java/xercesImpl.jar %{buildroot}%{_datadir}/pki/server/common/lib/xerces-j2.jar
ln -sf /usr/share/java/xml-apis.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-apis.jar
ln -sf /usr/share/java/xml-resolver.jar %{buildroot}%{_datadir}/pki/server/common/lib/xml-commons-resolver.jar
fi
@@ -1387,6 +1386,19 @@ fi
%endif # %{with server}
%changelog
+* Wed Oct 26 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-24
+- ##########################################################################
+- # RHEL 7.9 (Batch Update 19):
+- ##########################################################################
+- Bugzilla Bug #2107329 - CVE-2022-2414 pki-core: access to external
+ entities when parsing XML can lead to XXE [rhel-7.9.z] (ckelley, mharmsen)
+- ##########################################################################
+- # RHCS 9.7 (Batch Update 19):
+- ##########################################################################
+- Bugzilla Bug #2107325 - CVE-2022-2414 pki-core: access to external
+ entities when parsing XML can lead to XXE [certificate_system_9.7.z]
+ (ckelley, mharmsen)
+
* Mon Oct 10 2022 Dogtag Team <devel@lists.dogtagpki.org> 10.5.18-23
- ##########################################################################
- # RHEL 7.9 (Batch Update 18):