.gitignore

@@ -1,2 +1,3 @@
-SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
-SOURCES/p11-kit-0.23.22.tar.xz
+SOURCES/p11-kit-0.25.3.tar.xz
+SOURCES/p11-kit-0.25.3.tar.xz.sig
+SOURCES/p11-kit-release-keyring.gpg

.p11-kit.metadata

@@ -1,2 +1,3 @@
-526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
-339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz
+796f3b69cad054a52e04f520459beaaab936b99f SOURCES/p11-kit-0.25.3.tar.xz
+4133131840ef3f9609403fe391ce414878bcb9f1 SOURCES/p11-kit-0.25.3.tar.xz.sig
+6fecd5be3ee12d07f6f61a65e18523ee03e0f925 SOURCES/p11-kit-release-keyring.gpg

SOURCES/001-static-analysis.patch

@@ -0,0 +1,298 @@
+From 58cd1c05e001a4fe250c15f3599e79974bc509e3 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Thu, 16 Nov 2023 10:12:14 +0100
+Subject: [PATCH] Fix issues found by static analysis
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ common/frob-getprogname.c  |  4 ++--
+ common/test.c              |  4 +---
+ p11-kit/generate-keypair.c | 25 +++++++++----------------
+ p11-kit/import-object.c    | 22 +++++-----------------
+ p11-kit/lists.c            |  1 +
+ p11-kit/print-config.c     |  4 +++-
+ p11-kit/rpc-client.c       |  6 ++++--
+ p11-kit/test-uri.c         |  4 ++--
+ trust/test-trust.c         |  2 +-
+ 9 files changed, 28 insertions(+), 44 deletions(-)
+
+diff --git a/common/frob-getprogname.c b/common/frob-getprogname.c
+index ead658cc8..46e3b7fd3 100644
+--- a/common/frob-getprogname.c
++++ b/common/frob-getprogname.c
+@@ -76,14 +76,14 @@ main (int argc,
+ 			execv (BUILDDIR "/common/frob-getprogname" EXEEXT, args);
+ 		} else {
+ 			int status;
+-			char buffer[1024];
++			char buffer[1024] = { 0 };
+ 			size_t offset = 0;
+ 			ssize_t nread;
+ 			char *p;
+ 
+ 			close (pfds[1]);
+ 			while (1) {
+-				nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset);
++				nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset - 1);
+ 				if (nread < 0) {
+ 					perror ("read");
+ 					exit (EXIT_FAILURE);
+diff --git a/common/test.c b/common/test.c
+index 3ed98da01..6cdbd1fa2 100644
+--- a/common/test.c
++++ b/common/test.c
+@@ -272,7 +272,6 @@ p11_testx (void (* function) (void *),
+ 	test_item item = { TEST, };
+ 	va_list va;
+ 
+-	item.type = TEST;
+ 	item.x.test.func = function;
+ 	item.x.test.argument = argument;
+ 
+@@ -287,9 +286,8 @@ void
+ p11_fixture (void (* setup) (void *),
+              void (* teardown) (void *))
+ {
+-	test_item item;
++	test_item item = { FIXTURE, };
+ 
+-	item.type = FIXTURE;
+ 	item.x.fix.setup = setup;
+ 	item.x.fix.teardown = teardown;
+ 
+diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
+index 49dc11830..695103d1d 100644
+--- a/p11-kit/generate-keypair.c
++++ b/p11-kit/generate-keypair.c
+@@ -351,7 +351,7 @@ int
+ p11_kit_generate_keypair (int argc,
+ 			  char *argv[])
+ {
+-	int opt, ret = 2;
++	int opt, ret;
+ 	char *label = NULL;
+ 	CK_ULONG bits = 0;
+ 	const uint8_t *ec_params = NULL;
+@@ -396,31 +396,27 @@ p11_kit_generate_keypair (int argc,
+ 	while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
+ 		switch (opt) {
+ 		case opt_label:
+-			label = strdup (optarg);
+-			if (label == NULL) {
+-				p11_message (_("failed to allocate memory"));
+-				goto cleanup;
+-			}
++			label = optarg;
+ 			break;
+ 		case opt_type:
+ 			mechanism = get_mechanism (optarg);
+ 			if (mechanism.mechanism == CKA_INVALID) {
+ 				p11_message (_("unknown mechanism type: %s"), optarg);
+-				goto cleanup;
++				return 2;
+ 			}
+ 			break;
+ 		case opt_bits:
+ 			bits = strtol (optarg, NULL, 10);
+ 			if (bits == 0) {
+ 				p11_message (_("failed to parse bits value: %s"), optarg);
+-				goto cleanup;
++				return 2;
+ 			}
+ 			break;
+ 		case opt_curve:
+ 			ec_params = get_ec_params (optarg, &ec_params_len);
+ 			if (ec_params == NULL) {
+ 				p11_message (_("unknown curve name: %s"), optarg);
+-				goto cleanup;
++				return 2;
+ 			}
+ 			break;
+ 		case opt_login:
+@@ -434,10 +430,9 @@ p11_kit_generate_keypair (int argc,
+ 			break;
+ 		case opt_help:
+ 			p11_tool_usage (usages, options);
+-			ret = 0;
+-			goto cleanup;
++			return 0;
+ 		case '?':
+-			goto cleanup;
++			return 2;
+ 		default:
+ 			assert_not_reached ();
+ 			break;
+@@ -449,11 +444,11 @@ p11_kit_generate_keypair (int argc,
+ 
+ 	if (argc != 1) {
+ 		p11_tool_usage (usages, options);
+-		goto cleanup;
++		return 2;
+ 	}
+ 
+ 	if (!check_args (mechanism.mechanism, bits, ec_params))
+-		goto cleanup;
++		return 2;
+ 
+ #ifdef OS_UNIX
+ 	/* Register a fallback PIN callback that reads from terminal.
+@@ -464,11 +459,9 @@ p11_kit_generate_keypair (int argc,
+ 
+ 	ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login);
+ 
+-cleanup:
+ #ifdef OS_UNIX
+ 	p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
+ #endif
+-	free (label);
+ 
+ 	return ret;
+ }
+diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
+index 270a0e027..feee07659 100644
+--- a/p11-kit/import-object.c
++++ b/p11-kit/import-object.c
+@@ -500,7 +500,7 @@ int
+ p11_kit_import_object (int argc,
+ 		       char *argv[])
+ {
+-	int opt, ret = 2;
++	int opt, ret;
+ 	char *label = NULL;
+ 	char *file = NULL;
+ 	bool login = false;
+@@ -536,18 +536,10 @@ p11_kit_import_object (int argc,
+ 	while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
+ 		switch (opt) {
+ 		case opt_label:
+-			label = strdup (optarg);
+-			if (label == NULL) {
+-				p11_message (_("failed to allocate memory"));
+-				goto cleanup;
+-			}
++			label = optarg;
+ 			break;
+ 		case opt_file:
+-			file = strdup (optarg);
+-			if (file == NULL) {
+-				p11_message (_("failed to allocate memory"));
+-				goto cleanup;
+-			}
++			file = optarg;
+ 			break;
+ 		case opt_login:
+ 			login = true;
+@@ -574,12 +566,12 @@ p11_kit_import_object (int argc,
+ 
+ 	if (argc != 1) {
+ 		p11_tool_usage (usages, options);
+-		goto cleanup;
++		return 2;
+ 	}
+ 
+ 	if (file == NULL) {
+ 		p11_message (_("no file specified"));
+-		goto cleanup;
++		return 2;
+ 	}
+ 
+ #ifdef OS_UNIX
+@@ -595,10 +587,6 @@ p11_kit_import_object (int argc,
+ 	p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL);
+ #endif
+ 
+-cleanup:
+-	free (label);
+-	free (file);
+-
+ 	return ret;
+ }
+ 
+diff --git a/p11-kit/lists.c b/p11-kit/lists.c
+index df58beb3f..007bb0f12 100644
+--- a/p11-kit/lists.c
++++ b/p11-kit/lists.c
+@@ -295,6 +295,7 @@ print_modules (void)
+ 		if (rv != CKR_OK) {
+ 			p11_message (_("couldn't load module info: %s"),
+ 				     p11_kit_strerror (rv));
++			p11_kit_modules_finalize_and_release (module_list);
+ 			return 1;
+ 		}
+ 
+diff --git a/p11-kit/print-config.c b/p11-kit/print-config.c
+index 173b55feb..29daf3871 100644
+--- a/p11-kit/print-config.c
++++ b/p11-kit/print-config.c
+@@ -74,8 +74,10 @@ print_config (void)
+ 					       P11_PACKAGE_CONFIG_MODULES,
+ 					       P11_SYSTEM_CONFIG_MODULES,
+ 					       P11_USER_CONFIG_MODULES);
+-	if (modules_conf == NULL)
++	if (modules_conf == NULL) {
++		p11_dict_free (global_conf);
+ 		return 1;
++	}
+ 
+ 	printf ("[global]\n");
+ 	p11_dict_iterate (global_conf, &i);
+diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
+index fb39103eb..19b628b1a 100644
+--- a/p11-kit/rpc-client.c
++++ b/p11-kit/rpc-client.c
+@@ -173,6 +173,8 @@ call_done (rpc_client *module,
+            p11_rpc_message *msg,
+            CK_RV ret)
+ {
++	p11_buffer *buf;
++
+ 	assert (module != NULL);
+ 	assert (msg != NULL);
+ 
+@@ -189,9 +191,9 @@ call_done (rpc_client *module,
+ 
+ 	/* We used the same buffer for input/output, so this frees both */
+ 	assert (msg->input == msg->output);
+-	p11_rpc_buffer_free (msg->input);
+-
++	buf = msg->input;
+ 	p11_rpc_message_clear (msg);
++	p11_rpc_buffer_free (buf);
+ 
+ 	return ret;
+ }
+diff --git a/p11-kit/test-uri.c b/p11-kit/test-uri.c
+index 32e8da703..18b7a108a 100644
+--- a/p11-kit/test-uri.c
++++ b/p11-kit/test-uri.c
+@@ -1019,7 +1019,7 @@ test_uri_get_set_unrecognized (void)
+ static void
+ test_uri_match_token (void)
+ {
+-	CK_TOKEN_INFO token;
++	CK_TOKEN_INFO token = { 0 };
+ 	P11KitUri *uri;
+ 	int ret;
+ 
+@@ -1056,7 +1056,7 @@ test_uri_match_token (void)
+ static void
+ test_uri_match_module (void)
+ {
+-	CK_INFO info;
++	CK_INFO info = { 0 };
+ 	P11KitUri *uri;
+ 	int ret;
+ 
+diff --git a/trust/test-trust.c b/trust/test-trust.c
+index 29b2797b5..3b27a1f31 100644
+--- a/trust/test-trust.c
++++ b/trust/test-trust.c
+@@ -258,7 +258,7 @@ test_check_symlink_msg (const char *file,
+ 	if (asprintf (&filename, "%s/%s", directory, name) < 0)
+ 		assert_not_reached ();
+ 
+-	if (readlink (filename, buf, sizeof (buf)) < 0)
++	if (readlink (filename, buf, sizeof (buf) - 1) < 0)
+ 		p11_test_fail (file, line, function, "Couldn't read symlink: %s", filename);
+ 
+ 	if (strcmp (destination, buf) != 0)

SOURCES/p11-kit-dt-needed.patch

@@ -1,42 +0,0 @@
-From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Fri, 18 Dec 2020 13:37:10 +0100
-Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl
-
-This adds the -ldl link flag missing in the meson build, but present
-in the autotools build.  Although the use-case is unlikely, this
-allows those modules to be linked as a normal shared library to a
-program.
----
- p11-kit/meson.build | 1 +
- trust/meson.build   | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/p11-kit/meson.build b/p11-kit/meson.build
-index 7d57cd7..02147a9 100644
---- a/p11-kit/meson.build
-+++ b/p11-kit/meson.build
-@@ -92,6 +92,7 @@ if host_system != 'windows'
-                 'client.c', 'client-init.c',
-                 name_prefix: '',
-                 include_directories: [configinc, commoninc],
-+                dependencies: dlopen_deps,
-                 link_args: p11_module_ldflags,
-                 link_depends: [p11_module_symbol_map,
-                                p11_module_symbol_def],
-diff --git a/trust/meson.build b/trust/meson.build
-index 482a3c1..d4a8e15 100644
---- a/trust/meson.build
-+++ b/trust/meson.build
-@@ -56,7 +56,7 @@ shared_module('p11-kit-trust',
-               'module-init.c',
-               name_prefix: '',
-               c_args: p11_kit_trust_c_args,
--              dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps,
-+              dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps,
-               link_args: p11_module_ldflags,
-               link_depends: [p11_module_symbol_map,
-                              p11_module_symbol_def],
--- 
-2.29.2
-

SPECS/p11-kit.spec

@@ -1,22 +1,21 @@
 # This spec file has been automatically updated
-Version:	0.23.22
-Release: 1%{?dist}
+Version:        0.25.3
+Release:        2%{?dist}
 Name:           p11-kit
 Summary:        Library for loading and sharing PKCS#11 modules
 
-License:        BSD
+License:        BSD-3-Clause
 URL:            http://p11-glue.freedesktop.org/p11-kit.html
 Source0:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
 Source1:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
-Source2:        gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+Source2:        https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyring.gpg
 Source3:        trust-extract-compat
 Source4:        p11-kit-client.service
 
-Patch1:         p11-kit-dt-needed.patch
+Patch0:         001-static-analysis.patch
 
 BuildRequires:  gcc
 BuildRequires:  libtasn1-devel >= 2.3
-BuildRequires:  libtasn1-tools
 BuildRequires:  libffi-devel
 BuildRequires:  gettext
 BuildRequires:  gtk-doc
@@ -26,6 +25,7 @@ BuildRequires:  bash-completion
 # Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
 # Remove this once it is fixed
 BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(systemd)
 BuildRequires:  gnupg2
 BuildRequires:  /usr/bin/xsltproc
 
@@ -47,13 +47,13 @@ developing applications that use %{name}.
 %package trust
 Summary:            System trust module from %{name}
 Requires:           %{name}%{?_isa} = %{version}-%{release}
-Requires(post):     %{_sbindir}/update-alternatives
-Requires(postun):   %{_sbindir}/update-alternatives
+Requires(post):     %{_sbindir}/alternatives
+Requires(postun):   %{_sbindir}/alternatives
 Conflicts:          nss < 3.14.3-9
 
 %description trust
 The %{name}-trust package contains a system trust PKCS#11 module which
-contains certificate anchors and black lists.
+contains certificate anchors and blocklists.
 
 
 %package server
@@ -102,13 +102,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
 
 
 %post trust
-%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-        %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
+%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
 
 %postun trust
 if [ $1 -eq 0 ] ; then
         # package removal
-        %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
+        %{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
 fi
 
 
@@ -155,40 +154,239 @@ fi
 
 
 %changelog
-* Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
-- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
-- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff
-- Add xsltproc to BR
+* Thu Nov 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-2
+- Fix issues found by static analysis
+  Related: RHEL-14834
 
-* Tue Nov 10 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-4
-- Fix realloc usage on proxy cleanup (#1894979)
-- Make 'trust anchor --store' preserve all attributes from .p11-kit files
+* Wed Nov 15 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.3-1
+- Update to new upstream release 0.25.3
+  Resolves: RHEL-14834
 
-* Tue Nov  3 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-3
-- Restore clobbered changelog entry
+* Wed Nov 8 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.25.2-1
+- Update to new upstream release 0.25.2
+  Resolves: RHEL-14834
+- Add IBM specific mechanisms and attributes
+  Resolves: RHEL-10570
 
-* Mon Nov  2 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-2
-- Update p11-kit-invalid-config.patch to be more thorough (thanks to
-  Alexander Sosedkin)
+* Tue Feb  1 2022 Daiki Ueno <dueno@redhat.com> - 0.24.1-2
+- Replace "black list" with "blocklist" in -trust subpackage description (#2026457)
 
-* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-1
-- Update to upstream 0.23.21 release
+* Mon Jan 17 2022 Packit Service <user-cont-team+packit-service@redhat.com> - 0.24.1-1
+- Release 0.24.1 (Daiki Ueno)
+- common: Support copying attribute array recursively (Daiki Ueno)
+- common: Add assert_ptr_cmp (Daiki Ueno)
+- gtkdoc: remove dependencies on custom target files (Eli Schwartz)
+- doc: Replace occurrence of black list with blocklist (Daiki Ueno)
+- build: Suppress cppcheck false-positive on array bounds (Daiki Ueno)
+- ci: Use Docker image from the same repository (Daiki Ueno)
+- ci: Integrate Docker image building to GitHub workflow (Daiki Ueno)
+- rpc: Fallback to version 0 if server does not support negotiation (Daiki Ueno)
+- build: Port e850e03be65ed573d0b69ee0408e776c08fad8a3 to meson (Daiki Ueno)
+- Link libp11-kit so that it cannot unload (Emmanuel Dreyfus)
+- trust: Use dngettext for plurals (Daiki Ueno)
+- rpc: Support protocol version negotiation (Daiki Ueno)
+- rpc: Separate authentication step from transaction (Daiki Ueno)
+- Meson: p11_system_config_modules instead of p11_package_config_modules (Issam E. Maghni)
+- shell: test -a|o is not POSIX (Issam E. Maghni)
+- Meson: Add libtasn1 to trust programs (Issam E. Maghni)
+- meson: optionalise glib's development files for gtk_doc (Đoàn Trần Công Danh)
 
-* Fri Mar 29 2019 Daiki Ueno <dueno@redhat.com> - 0.23.14-5
-- Fix crash on unloading the library, when it is both linked and dlopen'ed
+* Wed Aug 18 2021 DJ Delorie <dj@redhat.com> - 0.24.0-4
+- Rebuilt for libffi 3.4.2 SONAME transition.
+  Related: rhbz#1891914
 
-* Mon Oct 29 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-4
-- Prefer fixed closures to libffi closures
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.24.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Oct 17 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-3
-- Update p11-kit-coverity.patch
+* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 0.24.0-2
+- Rebuild with newer GCC to fix annocheck failures
 
-* Tue Oct 16 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-2
-- Fix issues spotted by coverity
+* Thu Jun 03 2021 Packit Service <user-cont-team+packit-service@redhat.com> - 0.24.0-1
+- common: Only check strndup behavior when replacement is used (Daiki Ueno)
+- Release 0.24.0 (Daiki Ueno)
+- Release 0.23.22 (Daiki Ueno)
+- rpc: Tighten attribute array check with manual enumeration (Daiki Ueno)
+- Check for SUN_LEN and provide fallback (Claes Nästén)
+- Do not define _XOPEN_SOURCE in compat.c on Solaris (Claes Nästén)
+- make autogen.sh a bit more portable (Claes Nästén)
+- rpc-server: Disable parsing CKF_ARRAY_ATTRIBUTE (Daiki Ueno)
+- Update README.md (Daiki Ueno)
+- README.md: Suggest using only meson sub-commands instead of ninja (Daiki Ueno)
+- p11-kit: Add missing <limits.h> include for SIZE_MAX (Daiki Ueno)
+- packit: drop synced_files (Tomas Tomecek)
+- packit: fedora renamed master branch to rawhide (Tomas Tomecek)
+- Fix minor typo (Yuri Chornoivan)
+- po: Add trust/trust.c to POTFILES.in (Daiki Ueno)
+- po: Update POTFILES.in (Daiki Ueno)
+- trust: Make more strings translatable (Daiki Ueno)
+- p11-kit: Make more strings translatable (Daiki Ueno)
+- common: Enable message translation in p11_tool_main (Daiki Ueno)
+- meson: Make sure to set PROJECT_NAME and ENABLE_NLS for 'nls' option (Daiki Ueno)
+- build: Add fuzz/meson.build in the distribution (Daiki Ueno)
+- fuzz: Move the directory out of build/ (Daiki Ueno)
+- Release all library/mock resources before exit (David Cook)
+- Add separate oss-fuzz Makefile target (David Cook)
+- Add build targets for future additional fuzzers (David Cook)
+- Build fuzzer target from meson/ninja (David Cook)
+- Explicit dependency for virtual-fixed-generated.h (David Cook)
+- Build fuzzer target from automake (David Cook)
+- rpc_fuzzer: Clean up buffer before exit (David Cook)
+- New set of fuzzer seeds (David Cook)
+- github: Remove unnecessary SRCDIR envvar (Daiki Ueno)
+- github: Use runuser instead of su for building and testing (Daiki Ueno)
+- github: Use composite action to simplify the main recipe (Daiki Ueno)
+- github: Use pre-built container image for building (Daiki Ueno)
+- README.md: Add GitHub workflow status (Daiki Ueno)
+- travis: Remove configurations other than FreeBSD (Daiki Ueno)
+- autotools: Fix for VPATH build (Daiki Ueno)
+- github actions: Initial CI setup (Anderson Toshiyuki Sasaki)
+- modules: p11_kit_initialize_module: Remove redundant module unref (Daiki Ueno)
+- server: Account for NUL byte at the end of Unix domain socket path (Daiki Ueno)
+- compat: Expose FreeBSD specific issetugid, getresuid, and getresgid (Daiki Ueno)
+- compat: Remove <unistd.h> inclusion from compat.h (Daiki Ueno)
+- compat: Avoid unused variables warning in fdwalk emulation (Daiki Ueno)
+- compat: Pacify ASan complaints on intentionally leaked buffer (Daiki Ueno)
+- meson: Link trust/client modules explicitly to -ldl (Daiki Ueno)
+- p11-kit/lists.c: Add stdint.h to fix compilation (Daniel Engberg)
+- Follow-up to arithmetic overflow fix (David Cook)
+- Check for arithmetic overflows before allocating (David Cook)
+- Check attribute length against buffer size (David Cook)
+- Fix bounds check in p11_rpc_buffer_get_byte_array (David Cook)
+- Fix buffer overflow in log_token_info (David Cook)
+- common: Don't assume __STDC_VERSION__ is always defined (Daiki Ueno)
+- compat: getauxval: correct compiler macro for FreeBSD (Daiki Ueno)
+- compat: fdwalk: add guard for Linux specific local variables (Daiki Ueno)
+- meson: Add missing libtasn1 dependency (Daiki Ueno)
+- travis: Add freebsd build (Daiki Ueno)
+- anchor: Prefer persistent format when storing anchor (Daiki Ueno)
+- travis: Run "make check" along with "make distcheck" for coverage (Daiki Ueno)
+- travis: Use python3 as the default Python interpreter (Daiki Ueno)
+- travis: Route to Ubuntu 20.04 base image (Daiki Ueno)
+- meson: Set -fstack-protector for MinGW64 cross build (Daiki Ueno)
+- meson: expand ternary operator in function call for compatibility (Daiki Ueno)
+- meson: Use custom_target for generating external XML entities (Daiki Ueno)
+- meson: Allow building manpages without gtk-doc (Jan Alexander Steffens (heftig))
+- Rename is_path_component to is_path_separator (Alexander Sosedkin)
+- Use is_path_component in one more place (Alexander Sosedkin)
+- Remove more duplicate separators in p11_path_build (Alexander Sosedkin)
+- common: Fix infloop in p11_path_build (Daiki Ueno)
+- Use inclusive language on certificate distrust (Daiki Ueno)
+- proxy: C_CloseAllSessions: Make sure that calloc args are non-zero (Daiki Ueno)
+- build: Use calloc in a consistent manner (Daiki Ueno)
+- meson: Allow override of default bashcompdir. Fixes meson regression (issue #322).  Pass -Dbashcompdir=/xxx to meson. (John Hein)
+- common: Check for a NULL locale before freeing it (Tavian Barnes)
+- p11_test_copy_setgid: Skip setgid tests on nosuid filesystems (Anders Kaseorg)
+- unix-peer: replace incorrect include1 (Rosen Penev)
+- test-compat: Skip getprogname test if BUILDDIR contains a symlink (Daiki Ueno)
+- add trust-extract-compat into EXTRA-DIST (Xℹ Ruoyao)
+- meson: install trust-extract-compat (Xℹ Ruoyao)
+- rename trust-extract-compat.in to trust-extract-compat (Xℹ Ruoyao)
 
-* Wed Oct 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.23.22-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-3
+- Suppress intentional memleak in getprogname emulation (#1905581)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Dec 11 2020 Packit Service <user-cont-team+packit-service@redhat.com> - 0.23.22-1
+- Release 0.23.22 (Daiki Ueno)
+- Follow-up to arithmetic overflow fix (David Cook)
+- Check for arithmetic overflows before allocating (David Cook)
+- Check attribute length against buffer size (David Cook)
+- Fix bounds check in p11_rpc_buffer_get_byte_array (David Cook)
+- Fix buffer overflow in log_token_info (David Cook)
+- common: Don't assume __STDC_VERSION__ is always defined (Daiki Ueno)
+- compat: getauxval: correct compiler macro for FreeBSD (Daiki Ueno)
+- compat: fdwalk: add guard for Linux specific local variables (Daiki Ueno)
+- meson: Add missing libtasn1 dependency (Daiki Ueno)
+- travis: Add freebsd build (Daiki Ueno)
+- anchor: Prefer persistent format when storing anchor (Daiki Ueno)
+- travis: Run "make check" along with "make distcheck" for coverage (Daiki Ueno)
+- travis: Use python3 as the default Python interpreter (Daiki Ueno)
+- travis: Route to Ubuntu 20.04 base image (Daiki Ueno)
+- meson: Set -fstack-protector for MinGW64 cross build (Daiki Ueno)
+- meson: expand ternary operator in function call for compatibility (Daiki Ueno)
+- meson: Use custom_target for generating external XML entities (Daiki Ueno)
+- meson: Allow building manpages without gtk-doc (Jan Alexander Steffens (heftig))
+- Rename is_path_component to is_path_separator (Alexander Sosedkin)
+- Use is_path_component in one more place (Alexander Sosedkin)
+- Remove more duplicate separators in p11_path_build (Alexander Sosedkin)
+- common: Fix infloop in p11_path_build (Daiki Ueno)
+- proxy: C_CloseAllSessions: Make sure that calloc args are non-zero (Daiki Ueno)
+- build: Use calloc in a consistent manner (Daiki Ueno)
+- meson: Allow override of default bashcompdir. Fixes meson regression (issue #322).  Pass -Dbashcompdir=/xxx to meson. (John Hein)
+- common: Check for a NULL locale before freeing it (Tavian Barnes)
+- p11_test_copy_setgid: Skip setgid tests on nosuid filesystems (Anders Kaseorg)
+- unix-peer: replace incorrect include1 (Rosen Penev)
+- test-compat: Skip getprogname test if BUILDDIR contains a symlink (Daiki Ueno)
+- add trust-extract-compat into EXTRA-DIST (Xℹ Ruoyao)
+- meson: install trust-extract-compat (Xℹ Ruoyao)
+- rename trust-extract-compat.in to trust-extract-compat (Xℹ Ruoyao)
+
+* Thu Nov 12 2020 Alexander Sosedkin <asosedkin@redhat.com> - 0.23.21-3
+- Add an explicit build dependency on xsltproc
+
+* Tue Aug 18 2020 Packit Service <user-cont-team+packit-service@redhat.com> - 0.23.21-2
+- new upstream release: 0.23.21
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Daiki Ueno <dueno@redhat.com> - 0.23.20-1
+- Update to upstream 0.23.20 release
+
+* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 0.23.19-1
+- Update to upstream 0.23.19 release
+- Check archive signature in %%prep
+- Switch to using Meson as the build system
+
+* Mon Sep 30 2019 Daiki Ueno <dueno@redhat.com> - 0.23.18.1-1
+- Update to upstream 0.23.18.1 release
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.16.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 23 2019 Daiki Ueno <dueno@redhat.com> - 0.23.16.1-1
+- Update to upstream 0.23.16.1 release
+
+* Thu May 23 2019 Daiki Ueno <dueno@redhat.com> - 0.23.16-1
+- Update to upstream 0.23.16 release
+
+* Mon Feb 18 2019 Daiki Ueno <dueno@redhat.com> - 0.23.15-3
+- trust: Ignore unreadable content in anchors
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Daiki Ueno <dueno@redhat.com> - 0.23.15-1
+- Update to upstream 0.23.15 release
+
+* Fri Jan 11 2019 Nils Philippsen <nils@tiptoe.de> - 0.23.14-3
+- use spaces instead of tabs consistently
+- prefer fixed closures to libffi closures (#1656245, patch by Daiki Ueno)
+
+* Mon Oct 29 2018 James Antill <james.antill@redhat.com> - 0.23.14-2
+- Remove ldconfig scriptlet, now done via. transfiletrigger in glibc.
+
+* Fri Sep 07 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
 - Update to upstream 0.23.14 release
 
+* Wed Aug 15 2018 Daiki Ueno <dueno@redhat.com> - 0.23.13-3
+- Forcibly link with libpthread to avoid regressions (rhbz#1615038)
+
+* Wed Aug 15 2018 Daiki Ueno <dueno@redhat.com> - 0.23.13-2
+- Fix invalid memory access on proxy cleanup
+
+* Fri Aug 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.13-1
+- Update to upstream 0.23.13 release
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Wed May 30 2018 Daiki Ueno <dueno@redhat.com> - 0.23.12-1
 - Update to upstream 0.23.11 release