diff --git a/freeipa.spec b/freeipa.spec index b153a5a..9abc088 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -61,13 +61,15 @@ %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings %global samba_version 4.7.0 -%global selinux_policy_version 3.14.1-14 +%global selinux_policy_version 3.14.3-21 %global slapi_nis_version 0.56.1-4 %global python_ldap_version 3.1.0-1 # python3-lib389 # Fix for "Installation fails: Replica Busy" # https://pagure.io/389-ds-base/issue/49818 %global ds_version 1.4.0.16 +# Fix for TLS 1.3 PHA, RHBZ#1775158 +%global httpd_version 2.4.37-21 %else # Fedora @@ -80,8 +82,8 @@ %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings %global samba_version 2:4.9.0 -# DNSSEC AVC violation, RHBZ#1537971 -%global selinux_policy_version 3.13.1-283.24 +# SELinux context for /etc/named directory, RHBZ#1759495 +%global selinux_policy_version 3.14.3-52 %global slapi_nis_version 0.56.1 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 @@ -90,6 +92,13 @@ # https://pagure.io/389-ds-base/issue/49984 %global ds_version 1.4.1.1 +# Fix for TLS 1.3 PHA, RHBZ#1775146 +%if 0%{?fedora} >= 31 +%global httpd_version 2.4.41-9 +%else +%global httpd_version 2.4.41-6.1 +%endif + # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. # Some packages don't provide new dist aliases. # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ 
@@ -302,15 +311,15 @@ Requires: krb5-kdb-version = %{krb5_kdb_version} Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony -Requires: httpd >= 2.4.6-31 +Requires: httpd >= %{httpd_version} Requires(preun): python3 Requires(postun): python3 Requires: python3-gssapi >= 1.2.0-5 Requires: python3-systemd Requires: python3-mod_wsgi Requires: mod_auth_gssapi >= 1.5.0 -Requires: mod_ssl -Requires: mod_session +Requires: mod_ssl >= %{httpd_version} +Requires: mod_session >= %{httpd_version} # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 Requires: mod_lookup_identity >= 0.9.9 Requires: acl @@ -385,6 +394,13 @@ Requires: python3-pki >= %{pki_version} Requires: python3-pyasn1 >= 0.3.2-2 Requires: python3-sssdconfig >= %{sssd_version} Requires: rpm-libs +# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support +%if 0%{?rhel} +Requires: python3-urllib3 >= 1.24.2-3 +%else +Requires: python3-urllib3 >= 1.25.7 +%endif + %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -399,7 +415,7 @@ If you are installing an IPA server, you need to install this package. Summary: Common files used by IPA server BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} -Requires: httpd >= 2.4.6-31 +Requires: httpd >= %{httpd_version} Requires: systemd-units >= 38 Requires: custodia >= 0.3.1 @@ -960,6 +976,10 @@ if [ $1 -gt 1 ] ; then if [ $restore -ge 2 ]; then %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 fi + + if [ $restore -ge 2 ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config + fi fi
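Review bot: In the `@@ -302,15 +311,15 @@` hunk, `Requires: mod_ssl >= %{httpd_version}` carries no epoch, so if the distribution builds mod_ssl with an Epoch, rpm compares the bound as epoch 0 and any installed mod_ssl satisfies it. Fedora's httpd packaging has shipped mod_ssl as `1:`, which is worth confirming on each target with `rpm -q --qf '%{EPOCH}\n' mod_ssl`. The TLS 1.3 PHA floor would then be enforced only indirectly, through `httpd >= %{httpd_version}` and whatever lock-step dependency mod_ssl has on httpd. If so, either write the epoch explicitly, e.g. `Requires: mod_ssl >= 1:%{httpd_version}`, or drop the version and add a comment saying the httpd requirement is what pins it. The same check applies to `mod_session`.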
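Review bot: The urllib3 floors in the `@@ -385,6 +394,13 @@` hunk are hard-coded inside the Requires list behind a second `%if 0%{?rhel}`, while the other distro-specific minimums this commit touches (`httpd_version`, `selinux_policy_version`) are `%global` macros in the RHEL/Fedora blocks at the top of the spec. Defining a macro there, e.g. `%global python_urllib3_version 1.24.2-3` and `1.25.7` in the respective branches, and writing `Requires: python3-urllib3 >= %{python_urllib3_version}` would leave one place to audit when the PHA fix is rebased. The comment also gives no bug reference for either version, unlike the `RHBZ#` notes on `httpd_version`; adding one would let a later reader confirm which build carries the fix.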
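Review bot: In the `@@ -960,6 +976,10 @@` hunk the added `sed --in-place=.orig` runs on every upgrade where `$restore -ge 2`, and sed writes the backup whether or not the pattern matched, so a second upgrade replaces `/etc/ssh/ssh_config.orig` with the already-edited file and the pre-change copy is lost. Guarding the edit keeps the backup meaningful and avoids rewriting the file when there is nothing to do: `if [ $restore -ge 2 ] && grep -qE '^HostKeyAlgorithms ssh-rsa,ssh-dss$' /etc/ssh/ssh_config 2>/dev/null; then`. Unlike the `update_ipa_nssdb` call just above, the sed output is not sent to `/var/log/ipaupgrade.log`, so a failure (for example a missing ssh_config) leaves no trace there. The pattern is anchored to the exact unindented line; if earlier client versions ever wrote it indented or with a different algorithm list, the `ssh-rsa,ssh-dss` restriction would stay in place, so it is worth confirming against what ipa-client-install actually wrote. The scriptlet begins before this hunk.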