There are 5 open security issues in sid.
commit a0080a4b75a42868531c929ca9e90e9631dff823
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Wed Sep 25 14:29:35 2024 +0300

    control: Add python3-six to build-depends.

commit 2c6883e329e268e5030caffff785efd40ceb48d6
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Wed Sep 25 14:20:07 2024 +0300

    fix systemd file location, and patch upstream files instead of shipping our own

commit ab0f9775c5d9557a1019390915c1414d3f9495b7
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Mar 19 14:09:41 2024 +0200

    control: Add dh-sequence-movetousr to build-depends.

commit 9c0048c51524a6c56219d0779e78ad9958ffe303
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Mar 19 13:58:32 2024 +0200

    Install systemd units only once. Thanks, Helmut Grohne! (Closes: #1054480)

commit e3eaf12e7c0f7550dd56dabf6f3e3dceeeb2b2d8
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Mar 19 13:46:47 2024 +0200

    control: Drop python3-distutils from build-depends. (Closes: #1065850)

commit 1346f168e9bc33d4dd26c912b80a87445f69a6ab
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Thu Aug 10 11:03:10 2023 +0300

    version bump

commit 1b7716c7f7404ab6172a2920494c0c37b8e2fe39
Merge: 0af21f5 0982e23
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Thu Aug 10 11:03:00 2023 +0300

    Merge branch 'upstream-next' into master-next

commit 0982e23079279131794ecbb67475c4a8bd18cc6b
Author: Chris Kelley <ckelley@redhat.com>
Date:   Fri Jun 16 13:50:18 2023 +0100

    Updating version to v11.4.3

commit 7ce96c1feacc929ff5ab12858ede2d9784c5cad5
Author: Chris Kelley <ckelley@redhat.com>
Date:   Fri Jun 16 13:49:54 2023 +0100

    Introduce Packit config and upstream some spec updates

commit d7656b8bc1d6b1d04a809d17fe6e3bc7bf63dd61
Author: Chris Kelley <ckelley@redhat.com>
Date:   Mon Jun 5 11:22:56 2023 +0100

    Upstream some spec file changes to reduce diff

commit eda90d5f27a666a98dd43f30b18b44e893fe3efa
Author: Chris Kelley <ckelley@redhat.com>
Date:   Mon Jun 5 10:54:17 2023 +0100

    Updating version to v11.4.2

commit e5a606a4a3c10796acbb8ad6c2bd8112e26e87b0
Author: Christina Fu <cfu@redhat.com>
Date:   Fri May 26 14:52:53 2023 -0700

    Bug2190283-part2_LdapSimpleMap_Invalid_cast_warning

    This patch was part of the patch that was taken out earlier. It fixes a frivolous WARNING message:

    [CRLIssuingPoint-MasterCRL] WARNING: LdapSimpleMap: crl issuer dn:... org.mozilla.jss.netscape.security.x509.X509CRLImpl cannot be cast to java.security.cert.X509Certificate

    It did not contribute to the CI break so I'm putting it back.

    fixes (part2) https://bugzilla.redhat.com/show_bug.cgi?id=2190283

commit 0af21f5f41d28d22c0ae8a2bbddb4082602d8210
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue May 16 17:18:57 2023 +0300

    install: Updated.

commit 2bcfe4489e2ef2868fcce7fb7225c66da5da79c9
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue May 16 17:11:56 2023 +0300

    control: Bump depends on jss, tomcatjss, ldapjdk.

commit 6dacb1d15085ab9da7a19497ee30c714bd7e936d
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue May 16 16:54:13 2023 +0300

    patches: Refreshed

commit c11a4f49467bd7ccadd11cb311a0901512a37c73
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue May 16 15:10:12 2023 +0300

    version bump

commit ae9db9822654103a268fb2d181f0b27a4ea6d846
Merge: cbc8032 23c8df0
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue May 16 15:09:57 2023 +0300

    Merge branch 'master-next' into m-n

commit cbc8032bf693cc9d09530ef52de8e1902bef4638
Merge: 4418546 0f07aa4
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue May 16 15:09:52 2023 +0300

    Merge tag 'v11.3.0' into m-n

commit 4b2fe9306925b5aca1dd3185f98a1d2a88979301
Author: Chris Kelley <ckelley@redhat.com>
Date:   Mon May 15 10:02:50 2023 +0100

    Revert "Bug2190283-AddCRLServlet-SEVERE-NOT-SUPPORTED-messages"

    This reverts commit bcffbf80a13d020f3c2edbf012855275be0bca6b.

commit c4f03fcc05b452b0cab3308d4468cb818ac0a251
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Mon May 15 11:30:39 2023 +0200

    Revert "Disable OCSP direct pushing during upgrade"

    This reverts commit e6066a59bd7c2cff4108ace2c73177615ace4bd9.

commit 228b98b6bae7bbd44f17a689b0f77bdbe7443a5d
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu May 11 17:45:47 2023 +0200

    Fix upgrade script version

commit e6066a59bd7c2cff4108ace2c73177615ace4bd9
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Wed May 10 15:54:27 2023 +0200

    Disable OCSP direct pushing during upgrade

    The direct publishing to OCSP is not working properly and a previous commit has changed the default value for the `ca.publish.rule.instance.ocsprule-<instance-<port>.enable` attribute to false. This commit adds the upgrade script to set false for the existing instances during the upgrade. There are no problems with existing instances because the communication with OCSP was not properly working and other mechanisms were in place.

    Close the issue: RHCS-4085

commit bcffbf80a13d020f3c2edbf012855275be0bca6b
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Apr 27 16:44:29 2023 -0700

    Bug2190283-AddCRLServlet-SEVERE-NOT-SUPPORTED-messages

    This patch fixes the following issue: It appears that the following parameter in ca's CS.cfg is set to true by default:

    ca.publish.rule.instance.ocsprule-ccrsa-1-rhcs10-example-com-32443.enable

    which triggers the CA to attempt publishing of its CRLs directly from CA->OCSP and causes the following SEVERE error messages:

    SEVERE: CRL issuing point CN=CA Signing Certificate, nott found.

    The CA->OCSP direct push of CRLs appears to not be working. CA->ldap publishing (and ocsp pulling from ldap) is working and should be used instead.

    In addition, this patch also fixes it so that the following will no longer appear (it has no reason to. See bug description for explanation):

    [CRLIssuingPoint-MasterCRL] WARNING: LdapSimpleMap: crl issuer dn:... org.mozilla.jss.netscape.security.x509.X509CRLImpl cannot be cast to java.security.cert.X509Certificate

    fixes https://bugzilla.redhat.com/show_bug.cgi?id=2190283

commit 44185469b7a8a9adbc3e7c88296ebc4976b00d8d
Author: Chris Kelley <ckelley@redhat.com>
Date:   Fri Apr 28 22:20:17 2023 +0100

    Updating version to v11.4.1

commit 2217bf6676f13512ab734e9c3d6ab0db47e968ee
Author: Chris Kelley <ckelley@redhat.com>
Date:   Fri Apr 21 09:43:52 2023 +0100

    Fix pylint failures in upstream CI.

    The new version of pylint (pylint-2.17.2-1.fc38) in F38 causes failures due to containing a configuration setting that will become invalid in pylint 3. The pylintrc file is future-proofed to work with pylint 3. overgeneral-exceptions now causes test failure rather than a warning; it has been disabled for now as there are many failures and it could take some time to go through them all individually and catch less general exceptions.

commit e277607048d1850784f9996e13dfc2de02777524
Author: Chris Kelley <ckelley@redhat.com>
Date:   Thu Apr 27 14:58:17 2023 +0100

    Update paths for jaxb and jakarta-activation JARs

commit fd405cb468d0d83caf4dd8c40d525edca9003417
Author: Chris Kelley <ckelley@redhat.com>
Date:   Thu Apr 27 11:47:40 2023 +0100

    Only BuildRequires xmvn-tools on distros that have it

commit 415d7b67c8cf5d042104ca811b4ec5f4b086853e
Author: Chris Kelley <ckelley@redhat.com>
Date:   Mon Apr 24 19:01:37 2023 +0100

    Make use of xmvn-resolve conditional on it being installed

    Drops the distro-specific code and relies only on whether xmvn is present. The spec is updated to explicitly BuildRequires: xmvn-tools so xmvn-resolve is there at build time for JAR resolution.

    Resolves: #2188716

commit 58730a52732224a1fc28a0919d7007cc39f50261
Author: Chris Kelley <ckelley@redhat.com>
Date:   Wed Apr 19 22:31:53 2023 +0100

    Updating version to v11.4.0

commit 1c49e9983f65a23db7c7ccf2c0b77f0c4e10022c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 19 09:48:20 2023 -0500

    Publish to GitHub Maven registry

    A new job has been added to build PKI with Maven and publish the artifacts to GitHub Maven registry. Currently the tests have to be disabled due to missing JSS shared libraries. The group ID and artifact ID have been renamed to follow a more commonly used pattern.

commit 123f0cd93d896a9aafcd7886a88ce018e81bf422
Author: Chris Kelley <ckelley@redhat.com>
Date:   Wed Apr 19 15:04:54 2023 +0100

    Fix adding user in TPS UI

    Various things were not displaying correctly as well due to incorrect JSON mappings, so that is fixed too.

    Resolves: #2027712

commit ad927437a0c77529169e5db656550c071fd51cf4
Author: Chris Kelley <ckelley@redhat.com>
Date:   Thu Apr 13 23:44:30 2023 +0100

    Restore certificate search functionality to the TPS UI

    With bug #2008162 the newly enforced token profile separation breaks the Home -> Certificates page as it does not provide a tokenID to the server. Now, if the server receives no tokenID, we return all certs that match the search filter that are allowed for the authorised profiles.

    Resolves: #2049901

commit b6a9338fd7f9aa2be14e6991160927f93dc335a4
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 16:44:00 2023 -0500

    Add DirAclAuthz.loadACLs()

    The code that loads ACL resources from LDAP into memory in DirAclAuthz has been moved into loadACLs().

commit da188dc2bc46485c12c619f2dc674b1b4737dbbe
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 18:01:56 2023 -0500

    Convert AAclAuthz.mACLs into Map

commit b22f12e934f31c0af21165a10fdb5581220d24b7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 18:00:11 2023 -0500

    Replace AAclAuthz.aclResElements() with getACLs()

commit 8493927137b1a6127582c22d346347d27665a2f5
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 17:57:14 2023 -0500

    Update AAclAuthz.getTargetNames() to return Set

commit b85bcc47d06b2085e534976313c2a71965ea5713
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 17:53:06 2023 -0500

    Update AuthzManager.getACLs() to return Collection

commit 7a5ace604763b6e547156f6dc90717624dfa1dac
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 17:40:54 2023 -0500

    Merge ServletUtils into CAProcessor

commit 6b2f3c9a68c8de5ff728cad6da0e5a32bc097fe1
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 17:31:05 2023 -0500

    Add AuthorizationConfig.getSourceType()

    The code that returns authz.sourceType config param has been merged into AuthorizationConfig.getSourceType().

commit f84e44495d0b7267f7e36a6766fc5f0eaaa83725
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Apr 18 17:06:36 2023 -0500

    Add AuthzSubsystem.addACLInfo()

    The code that adds ACL info into authorization manager has been merged into AuthzSubsystem.addACLInfo().

commit eff9bfe633143e51bebd5742aa3233ed8092cd10
Author: Chris Kelley <ckelley@redhat.com>
Date:   Fri Apr 14 16:41:46 2023 +0100

    Code clean up in CryptoUtil

    * Access static method in a static fashion
    * Hide implicit public constructor
    * Combine identical catch blocks
    * Use try-with-resources where appropriate
    * Don't create variables just to return them
    * Put array designator on the type
    * Remove unnecessary boolean literal and logical jumps
    * Reorder modifiers to match the JLS
    * Remove double-brace initialization

commit 3517d4d5d0791afd411e728f10fb9446d02870d9
Author: Chris Kelley <ckelley@redhat.com>
Date:   Fri Apr 14 15:17:14 2023 +0100

    Remove code in web UI to retrieve Links from requests

    Some time ago we removed the Link objects from server-side classes. Therefore, there is nothing to retrieve so these redundant methods can also be removed.

commit 0270f3aa981970014574429d4abc50907110830d
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu Apr 13 15:27:46 2023 +0200

    Fix maven compile

    The commit includes:

    - update JSS version
    - modify the tomcatjss dependency to the correct module
    - add flatten plugin to fix the installation phase using the `revision` property

    If the dependencies are installed (**jss**, **tomcatjss** and **ldap-sdk**) with `mvn install` then `pki` can be compiled with maven. The only problem is that the tests are not correctly configured so for now the compile has been executed with the option `mvn package -Dmaven.test.skip=true`.

commit 65d2796d740e4760c5b41c2befdb7f04f19c6d51
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Apr 13 12:52:17 2023 -0500

    Remove obsolete references to jss-symkey.jar

    The jss-symkey.jar has been merged into jss.jar in JSS 5.4 so all references to the file need to be removed.

commit 7b9c3ad98f799e0b76f9b4a9e47d7d5a97813d15
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Apr 13 12:51:14 2023 -0500

    Remove obsolete references to pki-symkey

commit af67477e95b80b60277bd68f87d766e1382fb1df
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:45:21 2023 -0500

    Update ListCerts to use @WebServlet

commit 7d6e23f617e33ac406430d5fec71e55ccaac8205
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:43:16 2023 -0500

    Update ListCertsAgent to use @WebServlet

commit ce8d0f8ddab090509d1384941fb573bbb91d71d8
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:33:51 2023 -0500

    Update SrchCerts to use @WebServlet

commit 5095dfaf6010ff5e2cd60e60be0a63ff46d3d2f7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:31:38 2023 -0500

    Update SrchCertsAgent to use @WebServlet

commit b714a90a751d98ed5e145d1fb4cff2a0d1621435
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:26:16 2023 -0500

    Update CAGetStats to use @WebServlet

commit 6b9c014edfe19f34b38a530178e1b374db6d081f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:07:47 2023 -0500

    Update ProfileSelectServlet to use @WebServlet

commit 751d92066e694935494547dd6afba176a0fc2008
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 17:04:28 2023 -0500

    Update ProfileSelectAgentServlet to use @WebServlet

commit d508088f774d4b3f9cae1e92126679530d4c8f89
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:56:21 2023 -0500

    Update GetCertFromRequest to use @WebServlet

commit 9ebe43bcbc7ef029bcf39a0755f007155ca955fb
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:52:04 2023 -0500

    Update GetCertFromRequestAgent to use @WebServlet

commit ba6df570eb74e33963ad8d31dd9cb713993826b4
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:48:12 2023 -0500

    Update DisplayCertFromRequest to use @WebServlet

commit b73c611313fd645f41fcef64604189a0b3a9b81a
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:45:29 2023 -0500

    Update DisplayCertFromRequestAgent to use @WebServlet

commit 788f65b790ed1a27981ca4f8cc1fde675614611e
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:27 2023 -0500

    Update UpdateDir to use @WebServlet

commit 2b0248e0dea1b15ab4d01d88e51161ca32072a6b
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:26 2023 -0500

    Update CAGetOCSPInfo to use @WebServlet

commit 357b6728303963cfde8446cd0dcde002d5560c30
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:24 2023 -0500

    Update EnrollServlet to use @WebServlet

commit 8b66b7170ab61bf807e569d4be49076c3369457e
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:22 2023 -0500

    Update CertBasedEnrollServlet to use @WebServlet

commit 2d264a68590f84054dc11155f0b8ccd92dae17ff
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:21 2023 -0500

    Update BulkIssuanceServlet to use @WebServlet

commit 504c3cde6fdbd8578cdecbc9a9051cff9ac03b3f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:20 2023 -0500

    Update AdminEnrollServlet to use @WebServlet

commit abc290a2022d247a319ea3c3caa2e1ce38b9c793
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:35:19 2023 -0500

    Update CAJobsAdminServlet to use @WebServlet

commit 03c15fe4130b1c142fba510f7b460bb3428bbd52
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 14:43:07 2023 -0500

    Update IPA tests

    The IPA test workflow has been modified to build ipa-runner image separately from the main build workflow. This way the non-IPA test workflows can start the test earlier because they don't need to wait for ipa-runner to be built anymore.

commit 1915f3b4b9f697b2f67ccc55963040a39d026940
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Apr 12 16:34:01 2023 -0500

    Add new servlets for CA

    Some new servlets have been added to provide a separate class for each servlet in CA's web.xml.

commit 23c8df0bfc4bd1b276a9bd4a5117f14e67bcad8f
Merge: ba5fd4b 88281b3
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Wed Feb 15 16:55:40 2023 +0200

    Merge branch 'master' into m

commit 88281b363e2ffc1816b4213fa051c4529b80f118
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Feb 10 08:59:02 2023 +0200

    releasing package dogtag-pki version 11.2.1-2

commit ba5fd4b3b01f5d84862425a5e81aea0468fc5a2c
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Feb 10 08:55:00 2023 +0200

    install: Updated.

commit 698ef361dd837d6b3780820727f8f8ac2c2518bf
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Feb 10 08:54:16 2023 +0200

    Add pki-est.

commit 7a3254665e682f96d2d691c05a0f51d78a821d54
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Feb 7 11:46:38 2023 +0200

    rules: Drop setting nssdb type, the default is sql now.

commit 8e80076570bd9d5907adddffa2c2b9b08db7250e
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Feb 7 11:40:46 2023 +0200

    patches: Drop an upstreamed patch.

commit c413afedb17f0145da4a5f30260315a6a5eab894
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Feb 7 11:40:21 2023 +0200

    patches: Refreshed.

commit b070122c9274abe7f31436a167a5408c0297c014
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Feb 7 10:55:24 2023 +0200

    version bump

commit d6ff48051792f495b16d20ef0df0a3a552c22fd4
Merge: c0352a1 e9df9ee
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Feb 7 10:54:59 2023 +0200

    Merge branch 'master-next' into m

commit c0352a12b779715dccbb5dcf7492cd2fe75bba20
Merge: 0f07aa4 6beb1bd
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Feb 7 10:54:50 2023 +0200

    Merge tag 'v11.2.1' into m

commit 0f07aa4f11479f1a914d13640c35e43697a2c812
Author: Chris Kelley <ckelley@redhat.com>
Date:   Mon Jan 30 09:08:35 2023 +0000

    Updating version to v11.3.0

commit e855211c39b42926e0f70bb1e51c55a1891e771c
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu Jan 19 20:03:21 2023 +0100

    Add fapolicy rules to allow execution of generated java code

    When fapolicy daemon is running the default rules deny the execution of java code from not trusted sources. This also denies the execution of some code generated inside the instance `work` folder. This is the case when FIPS is enabled and DISA STIG profile is applied. To solve the problem a custom rule is applied during the installation.

    Solve the Bug 2091993

commit b725efe74ce818e7fdecbc256274f3cf223f4ee6
Author: Christina Fu <cfu@redhat.com>
Date:   Thu Jan 19 10:16:23 2023 +0000

    Add authorization to limit setTokenStatus to allowed admins

    This patch adds authorization to limit setTokenStatus to admins allowed for the token type in question. If a token is not associated with a keyType/profile, then the admin must have the ALL_PROFILES privilege.

    fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153

commit ab1806b968a3254c37648479714d8af9f0fb5d78
Author: Chris Kelley <ckelley@redhat.com>
Date:   Wed Jan 11 14:46:28 2023 +0000

    Modify csconfig.py checks to allow for N certs with same nickname

    Currently the base64 blob from nssdb is directly compared with a cert from the CA subsystem; this fails if there are multiple certs with the same nickname. As this is an allowable state, the tests are modified to break the base64 blob into individual certs.

commit cc845b189dd08a8cda64c8a00d4fd850b38dccb1
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Tue Dec 20 17:57:50 2022 +0100

    Remove XML from CAInfo and KRAInfo, and move OAEP config to subsystem

commit 34a176f27f9f852b17d9b2d22a43729a3a1d02e0
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Mon Dec 19 19:34:11 2022 +0100

    Add CI test for KRA started with OAEP

    The new pkispawn parameter `pki_use_oaep_rsa_keywrap` allows creating `CA` and `KRA` subsystems with `RSA_OAEP` padding enabled. This CI test verifies that OAEP is enabled according to the parameter and additionally performs all the basic tests for `KRA` subsystem but with `RSA_OAEP` enabled.

commit 7f47c90785a0df0f9a74602361a8b48eff02b043
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu Dec 15 11:12:28 2022 +0100

    Fix keyWrap.useOAEP configuration and other improvement

    Complete the management of the 'OAEP' configuration in pkispawn and solve several SonarCloud issues

commit 6b603f4358b19ed0e94c2ad8dc90b98cf4f14e7d
Author: Jack Magne <jmagne@localhost.localdomain>
Date:   Wed Sep 21 11:00:28 2022 -0700

    Fix: Bug 2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled

    The purpose of this patch is to continue the improvement of this bug in 2 ways:

    1. Create a pkispawn variable to cause pkispawn to create a subsystem configured for oaep pki_use_oaep_rsa_keywrap=True, the default is False.

    2. Improve the rest calls for kra info and ca info to provide info on whether the ca or kra is using OAEP. For the Ca, we print out oaep info for both the local CA config and the CA's corresponding KRA.

    Ex:

    KRA info: https://localhost.localdomain:28443/kra/rest/info

    <KRAInfo>
      <Attributes/>
      <ArchivalMechanism>keywrap</ArchivalMechanism>
      <RecoveryMechanism>keywrap</RecoveryMechanism>
      <EncryptionAlgorithm>AES/CBC/PKCS5Padding</EncryptionAlgorithm>
      <WrapAlgorithm>AES KeyWrap/Padding</WrapAlgorithm>
      <RsaPublicKeyWrapAlgorithm>RSA_OAEP</RsaPublicKeyWrapAlgorithm>
    </KRAInfo>

    Note the new value for RsaPublicKeyWrapAlgorithm.

    CA info: https://localhost.localdomain:8443/ca/rest/info

    <CAInfo>
      <Attributes/>
      <ArchivalMechanism>keywrap</ArchivalMechanism>
      <EncryptionAlgorithm>AES/CBC/PKCS5Padding</EncryptionAlgorithm>
      <WrapAlgorithm>AES KeyWrap/Padding</WrapAlgorithm>
      <RsaPublicKeyWrapAlgorithm>RSA_OAEP</RsaPublicKeyWrapAlgorithm>
      <CaRsaPublicKeyWrapAlgorithm>RSA_OAEP</CaRsaPublicKeyWrapAlgorithm>
    </CAInfo>

    The value CARsaPublicKeyWrapAlgorithm simply reflects the CA's CS.cfg oaep value. The value RsaPublicKeyWrapAlgorithm is part of the info obtained from this CS's KRA subsystem. This info can be used by interested clients to see if OAEP is in use with the given KRA or CA.

commit 597653d62a0d807bf9a66c8ba03fadf1549c9fc0
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Dec 7 21:27:58 2022 +0700

    Call apt-get update before apt-get install

    Some tests were failing during apt-get install:

    $ sudo apt-get -y install libxml2-utils
    Reading package lists...
    Building dependency tree...
    Reading state information...
    The following NEW packages will be installed:
      libxml2-utils
    0 upgraded, 1 newly installed, 0 to remove and 9 not upgraded.
    Need to get 40.2 kB of archives.
    After this operation, 206 kB of additional disk space will be used.
    Ign:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxml2-utils amd64 2.9.13+dfsg-1ubuntu0.1
    Err:1 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxml2-utils amd64 2.9.13+dfsg-1ubuntu0.1
      404 Not Found [IP: 52.147.219.192 80]
    E: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.9.13%2bdfsg-1ubuntu0.1_amd64.deb 404 Not Found [IP: 52.147.219.192 80]
    E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

    The tests have been updated to call apt-get update first.

commit 075ef3c8e3e787b39de5712b9ddc122f65d07f32
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 6 09:30:05 2022 +0700

    Add test for lightweight CA

    A new test has been added to test basic lightweight CA operations. The test will install a CA, then create a lightweight CA, and perform an enrollment against it. The issued cert should be signed by the lightweight CA.

commit dc9b536da6b72fc5000244793399f48f482934f0
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 6 02:23:24 2022 +0700

    Update COPR repo to @pki/11.3

commit 182400a58cce0c313c55f6fb30bbde01a1c677ce
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Dec 5 14:11:45 2022 +0700

    Add test for CA clone with HSM

    A new test has been added to verify CA cloning with HSM. In this case the HSM will be cloned first, then the CA clone will be installed with the certs and keys already existing in the HSM clone. Currently there is a discrepancy between the primary CA and the clones on number of certs in the internal token, but it doesn't seem to be affecting the functionality. This will require further investigation.

commit a5294ffc0f84099cb92d8ce2e3f8fc506ae9578a
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Dec 5 09:09:51 2022 +0700

    Update cloning examples and tests

    The cloning examples have been updated to no longer include the PKCS #12 params by default such that they can be used with other methods which do not use a PKCS #12 file. The cloning tests with PKCS #12 file have been modified to provide the required params for this method.

commit db21c5b8c4a3264487252434020b0f19228dece4
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 1 12:41:26 2022 +0700

    Use DS container in CI tests

    The ds-container-create.sh has been modified such that most tests will use a DS container which is about 30-60 seconds faster to create than a regular DS server. For now tests for secure DS connection will continue to use a regular DS server, but in the future they may be updated to use a DS container as well.

commit ed0946252840b6a0d44c1b781d1aa15a5aaef9cb
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 1 14:32:34 2022 +0700

    Update basic TPS test

    The basic TPS test has been updated to run ldapadd in PKI container instead of in DS container since the input files are provided by PKI.

commit ca90e3238cc1a3999b9e5557f68d6d00e6e7f3e5
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Nov 30 22:25:31 2022 +0700

    Fix pki.spec to allow optional theme

commit e80920e79afe83c06e576acdd50566c169b5e3c0
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu Nov 24 13:50:17 2022 +0100

    Fix padding for the unwrap

commit 0b2423f4cd139dce9813bc712cf1ae8d7628f28d
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Tue Nov 22 19:07:01 2022 +0100

    Replace the SymKey clone with wrap and unwrap

commit 042ca7a4aa078edbb4dc1295aa5cf4cd72880d85
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Wed Nov 9 10:57:06 2022 +0100

    Fix SonarCloud several code smells

commit 38e36d27f6e9c3654bf7cd76899756621f6fe223
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Tue Nov 8 18:48:18 2022 +0100

    Move the symmetric key to wrap the response

commit 27acea80205fc2b4e113d82ac492b14fbbaed6b1
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Wed Nov 2 12:44:55 2022 +0100

    In case of OAEP move the secret key instead of clone

commit 31068a42450ba4142c12d996801bc792d9f7f145
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu Oct 27 17:49:45 2022 +0200

    Fix key length for padding algorithms

commit 0c6398ae7f52e65babda6195c11dc994f06fff81
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Thu Sep 15 15:05:35 2022 +0200

    Fix key length

commit 2ffc5e4dd75c41e0f847fdd47d068ebaab6d4145
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Wed Sep 7 15:32:56 2022 +0200

    Add rsaes_oaep among the key wrapping algorithms

commit 1d7827c3976e0f344fe73a3223bc564a3419a1fc
Author: Marco Fargetta <mfargett@redhat.com>
Date:   Fri Sep 2 10:57:57 2022 +0200

    Tidyup CRSEnrollment
Among the 15 debian patches available in version 11.2.1-2 of the package, we noticed the following issues: