import pki-core-10.14.3-1.module+el8.8.0+18059+6d4394a9

CentOS Sources 2023-05-16 06:08:01 +00:00 committed by root
parent 0da6891e35
commit 79539eae10
6 changed files with 18 additions and 520 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/pki-10.12.0.tar.gz
SOURCES/pki-10.14.3.tar.gz


@ -1 +1 @@
14942c7bda42ccd0f57ea5b2e538eb13a559572f SOURCES/pki-10.12.0.tar.gz
0508d8fa638b11f309d958338afc71e4c9f24f8d SOURCES/pki-10.14.3.tar.gz


@ -1,145 +0,0 @@
From 039b3453d17bb5666d4b7a4eacc6a014703416c7 Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Fri, 10 Jun 2022 17:25:07 +0100
Subject: [PATCH] Disable access to external entities when parsing XML
This reduces the vulnerability of XML parsers to XXE (XML external
entity) injection.
The best way to prevent XXE is to stop using XML altogether, which we do
plan to do. Until that happens I consider it worthwhile to tighten the
security here though.
---
.../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
.../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
.../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
.../src/test/java/com/netscape/test/TestListener.java | 5 ++++-
4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index bdd485e89a..07fae1ad50 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -24,6 +24,7 @@ import java.util.Enumeration;
import java.util.Locale;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor {
XMLObject xmlObject = convertDomainInfoToXMLObject(before);
Document document = xmlObject.getDocument();
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
index 2a02d722a1..d9ac572747 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
@@ -41,6 +41,7 @@ public class ServerXml {
ServerXml serverXml = new ServerXml();
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(filename);
diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
index 81fdbf4b2e..1043bcb477 100644
--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
@@ -25,6 +25,7 @@ import java.io.OutputStream;
import java.io.StringWriter;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -56,6 +57,7 @@ public class XMLObject {
public XMLObject(InputStream s)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
mDoc = docBuilder.parse(s);
}
@@ -63,6 +65,7 @@ public class XMLObject {
public XMLObject(File f)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder();
mDoc = docBuilder.parse(f);
}
@@ -159,6 +162,8 @@ public class XMLObject {
public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer aTransformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
Result dest = new StreamResult(bos);
@@ -169,6 +174,8 @@ public class XMLObject {
public void output(OutputStream os)
throws TransformerConfigurationException, TransformerException {
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer aTransformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
Result dest = new StreamResult(os);
@@ -177,6 +184,8 @@ public class XMLObject {
public String toXMLString() throws TransformerConfigurationException, TransformerException {
TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tranFactory.newTransformer();
Source src = new DOMSource(mDoc);
StreamResult dest = new StreamResult(new StringWriter());
diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
index 3181d53dc8..ac5d6e0f42 100644
--- a/base/util/src/test/java/com/netscape/test/TestListener.java
+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
@@ -10,6 +10,7 @@ import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -22,7 +23,6 @@ import org.junit.runner.Description;
import org.junit.runner.Result;
import org.junit.runner.notification.Failure;
import org.junit.runner.notification.RunListener;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
@@ -64,9 +64,12 @@ public class TestListener extends RunListener {
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
docBuilderFactory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docBuilder = docBuilderFactory.newDocumentBuilder();
transFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
trans = transFactory.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");
--
2.35.1


@ -1,32 +0,0 @@
From af9d5ee1e57b128603974595e26feb3effe05c87 Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Thu, 14 Jul 2022 16:49:25 +0100
Subject: [PATCH] Fix accidental renaming of factories in conflict resolution.
---
base/util/src/test/java/com/netscape/test/TestListener.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/util/src/test/java/com/netscape/test/TestListener.java b/base/util/src/test/java/com/netscape/test/TestListener.java
index ac5d6e0f42..56b7793f61 100644
--- a/base/util/src/test/java/com/netscape/test/TestListener.java
+++ b/base/util/src/test/java/com/netscape/test/TestListener.java
@@ -64,12 +64,12 @@ public class TestListener extends RunListener {
dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
docBuilderFactory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docBuilder = docBuilderFactory.newDocumentBuilder();
transFactory = TransformerFactory.newInstance();
- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
trans = transFactory.newTransformer();
trans.setOutputProperty(OutputKeys.INDENT, "yes");
--
2.35.1


@ -1,332 +0,0 @@
From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 25 Jan 2022 16:29:53 -0600
Subject: [PATCH] Fix pki-healthcheck for clones
Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
was trying to check KRA clone status by retrieving a key using
the subsystem cert. This operation did not work since the user
associated with the cert did not have access to the keys. The
code has been changed to get the status from GetStatus service
instead. The original code might be moved into IPA later so it
could run with IPA's RA agent credentials which would allow
access to the keys.
Previously the ClonesPlugin.contact_subsystem_using_sslget()
used sslget to call GetStatus service and returned the entire
output which was then incorrectly processed in XML format. The
method has been renamed to get_status() and changed to use
PKIConnection and process the response in either JSON or XML
format, then only return the subsystem status. All callers
have been updated accordingly.
The ClonesPlugin.contact_subsystem_using_pki() is no longer
used so it has been removed.
---
.../clones/connectivity_and_data.py | 130 ++++++++----------
.../pki/server/healthcheck/clones/plugin.py | 75 ++++------
base/server/python/pki/server/__init__.py | 8 +-
3 files changed, 91 insertions(+), 122 deletions(-)
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
index ca5d6dae48..d9bb480f7f 100644
--- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin):
def check_kra_clones(self):
for host in self.clone_kras:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out and get some keys or requests , to serve as a data and connectivity check
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName')
-
- output = self.contact_subsystem_using_pki(
- host.SecurePort, host.Hostname, client_nick,
- self.passwd, self.db_dir, 'kra-key-show', ['0x01'])
-
- # check to see if we either got a key or a key not found exception
- # of which either will imply a successful connection
- if output is not None:
- key_found = output.find('Key ID:')
- key_not_found = output.find('KeyNotFoundException:')
- if key_found >= 0:
- logger.info('Key material found from kra clone.')
-
- if key_not_found >= 0:
- logger.info('key not found, possibly empty kra')
-
- if key_not_found == -1 and key_found == -1:
- logger.info('Failure to get key material from kra')
- raise BaseException('KRA clone problem detected ' + cur_clone_msg)
- else:
- raise BaseException('No data obtained from KRA clone.' + cur_clone_msg)
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/kra/admin/kra/getStatus')
- except BaseException as e:
- logger.error("Internal error testing KRA clone. %s", e)
- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg)
+ logger.info('KRA at %s is %s', url, status)
- return
+ if status != 'running':
+ raise Exception('KRA at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach KRA at %s: %s', url, e)
+ raise Exception('Unable to reach KRA at %s: %s' % (url, e))
def check_ocsp_clones(self):
for host in self.clone_ocsps:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out to the ocsp clones
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- output = self.contact_subsystem_using_sslget(
- host.SecurePort, host.Hostname, None,
- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus')
-
- good_status = output.find('<State>1</State>')
- if good_status == -1:
- raise BaseException('OCSP clone problem detected.' + cur_clone_msg)
- logger.info('good_status %s ', good_status)
- except BaseException as e:
- logger.error("Internal error testing OCSP clone. %s", e)
- raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg)
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/ocsp/admin/ocsp/getStatus')
- return
+ logger.info('OCSP at %s is %s', url, status)
+
+ if status != 'running':
+ raise Exception('OCSP at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach OCSP at %s: %s', url, e)
+ raise Exception('Unable to reach OCSP at %s: %s' % (url, e))
def check_tks_clones(self):
for host in self.clone_tkss:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out to the tks clones
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- output = self.contact_subsystem_using_sslget(
- host.SecurePort, host.Hostname, None,
- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus')
-
- good_status = output.find('<State>1</State>')
- if good_status == -1:
- raise BaseException('TKS clone problem detected.' + cur_clone_msg)
- logger.info('good_status %s ', good_status)
- except BaseException as e:
- logger.error("Internal error testing TKS clone. %s", e)
- raise BaseException('Internal error testing TKS clone.' + cur_clone_msg)
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/tks/admin/tks/getStatus')
- return
+ logger.info('TKS at %s is %s', url, status)
+
+ if status != 'running':
+ raise Exception('TKS at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach TKS at %s: %s', url, e)
+ raise Exception('Unable to reach TKS at %s: %s' % (url, e))
def check_tps_clones(self):
for host in self.clone_tpss:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out to the tps clones
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- output = self.contact_subsystem_using_sslget(
- host.SecurePort, host.Hostname, None,
- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus')
-
- good_status = output.find('<State>1</State>')
- if good_status == -1:
- raise BaseException('TPS clone problem detected.' + cur_clone_msg)
- logger.info('good_status %s ', good_status)
- except BaseException as e:
- logger.error("Internal error testing TPS clone. %s", e)
- raise BaseException('Internal error testing TPS clone.' + cur_clone_msg)
- return
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/tps/admin/tps/getStatus')
+
+ logger.info('TPS at %s is %s', url, status)
+
+ if status != 'running':
+ raise Exception('TPS at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach TPS at %s: %s', url, e)
+ raise Exception('Unable to reach TPS at %s: %s' % (url, e))
@duration
def check(self):
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
index 2472f35b5b..824c36a1a9 100644
--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
@@ -6,6 +6,10 @@
# SPDX-License-Identifier: GPL-2.0-or-later
#
+import json
+import logging
+import xml.etree.ElementTree as ET
+
from ipahealthcheck.core.plugin import Plugin, Registry
from pki.server.instance import PKIInstance
from pki.client import PKIConnection
@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient
from pki.server.healthcheck.core.main import merge_dogtag_config
-import logging
-import subprocess
-
logger = logging.getLogger(__name__)
# Temporary workaround to skip VERBOSE data. Fix already pushed to upstream
@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin):
self.instance = PKIInstance(self.config.instance_name)
- def contact_subsystem_using_pki(
- self, subport, subhost, subsystemnick,
- token_pwd, db_path, cmd, exts=None):
- command = ["/usr/bin/pki",
- "-p", str(subport),
- "-h", subhost,
- "-n", subsystemnick,
- "-P", "https",
- "-d", db_path,
- "-c", token_pwd,
- cmd]
-
- if exts is not None:
- command.extend(exts)
-
- output = None
- try:
- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
- except subprocess.CalledProcessError as e:
- output = e.output.decode('utf-8')
- return output
+ def get_status(self, host, port, path):
- output = output.decode('utf-8')
+ self.instance.export_ca_cert()
- return output
+ connection = PKIConnection(
+ protocol='https',
+ hostname=host,
+ port=port,
+ cert_paths=self.instance.ca_cert)
- def contact_subsystem_using_sslget(
- self, port, host, subsystemnick,
- token_pwd, db_path, params, url):
+ response = connection.get(path)
- command = ["/usr/bin/sslget"]
+ content_type = response.headers['Content-Type']
+ content = response.text
+ logger.info('Content:\n%s', content)
- if subsystemnick is not None:
- command.extend(["-n", subsystemnick])
+ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service
+ if content_type == 'application/json':
+ json_response = json.loads(content)
+ status = json_response['Response']['Status']
- command.extend(["-p", token_pwd, "-d", db_path])
-
- if params is not None:
- command.extend(["-e", params])
-
- command.extend([
- "-r", url, host + ":" + port])
-
- logger.info(' command : %s ', command)
- output = None
- try:
- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
- except subprocess.CalledProcessError as e:
- output = e.output.decode('utf-8')
- return output
+ elif content_type == 'application/xml':
+ root = ET.fromstring(content)
+ status = root.findtext('Status')
- output = output.decode('utf-8')
+ else:
+ raise Exception('Unsupported content-type: %s' % content_type)
- return output
+ logger.info('Status: %s', status)
+ return status
def get_security_domain_data(self, host, port):
domain_data = None
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 4fbb74684b..0515bbb197 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -241,6 +241,10 @@ class PKIServer(object):
def jss_conf(self):
return os.path.join(self.conf_dir, 'jss.conf')
+ @property
+ def ca_cert(self):
+ return os.path.join(self.nssdb_dir, 'ca.crt')
+
def is_valid(self):
return self.exists()
@@ -259,8 +263,6 @@ class PKIServer(object):
def export_ca_cert(self):
- ca_path = os.path.join(self.nssdb_dir, 'ca.crt')
-
token = pki.nssdb.INTERNAL_TOKEN_NAME
nickname = self.get_sslserver_cert_nickname()
@@ -272,7 +274,7 @@ class PKIServer(object):
nssdb = self.open_nssdb(token=token)
try:
- nssdb.extract_ca_cert(ca_path, nickname)
+ nssdb.extract_ca_cert(self.ca_cert, nickname)
finally:
nssdb.close()
--
2.33.1

View File

@ -12,9 +12,10 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.12.0
Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -alpha1
%global release_number 1
Version: 10.14.3
Release: %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase
# To create a tarball from a version tag:
# $ git archive \
@ -31,10 +32,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
Patch0: 0001-Fix-pki-healthcheck-for-clones.patch
Patch1: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
Patch2: 0001-Fix-accidental-renaming-of-factories-in-conflict-res.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
# md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+
@ -787,9 +784,9 @@ BuildArch: noarch
Obsoletes: pki-console < %{version}-%{release}
Provides: pki-console = %{version}-%{release}
BuildRequires: idm-console-framework >= 1.2.0
BuildRequires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
Requires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
Requires: %{product_id}-base-java = %{version}-%{release}
Requires: %{product_id}-console-theme = %{version}-%{release}
@ -1406,6 +1403,16 @@ fi
################################################################################
%changelog
* Fri Feb 03 2023 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-1
- Rebase to PKI 10.14.3
- Bug 1959057 - An error has ocorred (IPA Error 4301:CertificateOperationError)
- Bug 2016164 - IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied
- Bug 2022561 - ipa-healthcheck CADogtagCertsConfigCheck fail to process the scenario of renewed IPA CA certificates ( ipa get_cert_from_db() )
* Tue Nov 29 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.2-1
- Rebase to PKI 10.14.2
- Bug 2149253 - Rebase to upstream version v2.14.2
* Mon Jul 25 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-4
- Bug 2107334 - CVE-2022-2414 access to external entities when parsing XML can lead to XXE
- Rename packages to idm-pki
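Review bot: The new 10.14.3-1 changelog entry does not record what happened to the three downstream patches that the `Patch0`/`Patch1`/`Patch2` hunk appears to drop, one of which is `0001-Disable-access-to-external-entities-when-parsing-XML.patch`, the XXE hardening that the 10.12.0-4 entry ties to CVE-2022-2414. Presumably the 10.14.3 tarball already carries those changes, but nothing on this page shows it, so the rebase should be checked against the unpacked sources: `XMLObject.java`, `ServerXml.java` and `SecurityDomainProcessor.java` should still set `disallow-doctype-decl` and the empty `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` attributes. Once confirmed, I would state it in the changelog, for example `- Drop downstream patches merged upstream (pki-healthcheck clones fix, CVE-2022-2414 XXE hardening)`, so that a later audit of this package does not read the patch removal as a regression of the CVE fix.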