dogtag-pki - Debian Package Tracker

general

source: dogtag-pki (main)
version: 10.10.2-3
maintainer: Debian FreeIPA Team (archive) (DMD)
uploaders: Timo Aaltonen [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

testing: 10.10.2-2
unstable: 10.10.2-3

versioned links

10.10.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
10.10.2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dogtag-pki
dogtag-pki-console-theme
dogtag-pki-server-theme
libsymkey-java
libsymkey-jni
pki-base
pki-base-java
pki-ca
pki-console
pki-javadoc
pki-kra
pki-ocsp
pki-server
pki-tks
pki-tools
pki-tps
pki-tps-client
python3-pki-base

action needed

Marked for autoremoval on 04 May: #985340, #986080 high

Version 10.10.2-2 of dogtag-pki is marked for autoremoval from testing on Tue 04 May 2021. It is affected by #985340, #986080. You should try to prevent the removal by fixing these RC bugs.

Created: 2021-03-23 Last update: 2021-04-19 17:34

A new upstream version is available: 10.10.5 high

A new upstream version 10.10.5 is available, you should consider packaging it.

Created: 2021-01-17 Last update: 2021-04-19 16:32

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2019-10178: It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable.
CVE-2019-10180: A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.
CVE-2020-1696: A flaw was found in the all pki-core 10.x.x versions, where Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a specially crafted Javascript code.
CVE-2020-25715:

Created: 2021-02-19 Last update: 2021-04-14 23:31

4 security issues in bullseye high

There are 4 open security issues in bullseye.

2 important issues:

CVE-2020-1696: A flaw was found in the all pki-core 10.x.x versions, where Token Processing Service (TPS) where it did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a specially crafted Javascript code.
CVE-2020-25715:

2 issues postponed or untriaged:

CVE-2019-10178: (needs triaging) It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would execute arbitrary JavaScript code when viewed in a browser. All versions of pki-core are believed to be vulnerable.
CVE-2019-10180: (needs triaging) A vulnerability was found in all pki-core 10.x.x version, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user into executing arbitrary JavaScript code.

Created: 2021-02-19 Last update: 2021-04-14 23:31

lintian reports 1 error and 52 warnings high

Lintian reports 1 error and 52 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-01-27 03:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 10.10.5-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 86fb1f0b45aeeaf5b504ce30e682da28764d5961
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Mar 5 16:44:16 2021 +0200

    bump the version

commit 639e59e357cdaec61586f19a7b23f08702fcc982
Merge: d6ddc1746 5b5ddd5d7
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Mar 5 16:43:54 2021 +0200

    Merge branch 'upstream'

commit 5b5ddd5d736fd719cc94a159af392fff91a734c7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 23 09:15:40 2021 -0600

    Update version number to 10.10.5

commit d9e8b3ed798f0671904d1db61eead1b5e5741bb5
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 17 09:12:14 2021 -0600

    Update doc for installing PostgreSQL JDBC driver

commit 445b3816ab916275629af5b6f6537e98e65b23cf
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Feb 18 21:20:44 2021 +0000

    Bump jackson-databind from 2.10.1 to 2.10.5.1
    
    Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.10.1 to 2.10.5.1.
    - [Release notes](https://github.com/FasterXML/jackson/releases)
    - [Commits](https://github.com/FasterXML/jackson/commits)
    
    Signed-off-by: dependabot[bot] <support@github.com>

commit 21735b429228bef5e4d56ad154685d4942e9fe25
Author: jmagne <jmagne@redhat.com>
Date:   Mon Feb 22 13:44:20 2021 -0800

    pkispawn fails against 389-ds 1.4.3.19 #3458 (#3465)
    
    Add suggested patch from stanislavlevin to solve this issue.
    Also add f34 to the ipa tests,this time really add the tests.
    Upon further review, back out of f34 tests until the infractructure
    supports it.
    
    Also hardcode tomcat app setting in spec file for the moment to
    avoid possible glitches on certain platform.
    
    Co-authored-by: Jack Magne <jmagne@localhost.localdomain>

commit 16e6338a63af330620908724a61cb813f2f88886
Author: Christina Fu <cfu@redhat.com>
Date:   Mon Feb 22 09:41:26 2021 -0800

    userOAEP erronously enabled in ServerKeygenUserKeyDefault.java
    
    This patch fixes an error in ServerKeygenUserKeyDefault.java where
    userOAEP is erronously enabled regardless of the CS.cfg config setting
    for keyWrap.useOAEP

commit bea5ea36b00689b6932bd61dcf824eac9ebed184
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Feb 18 13:52:11 2021 -0600

    Fix COPR repo for TPS cloning test

commit 758b64889ad81231fe44242aa6baaf9523403f96
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 17 10:34:33 2021 -0600

    Add --no-ntp in IPA tests
    
    NTP is not necessary for testing IPA in containers
    so it has been disabled.

commit 19326dddca75cec72e239dedd65ec48ac8fd9a2f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 15 14:12:21 2021 -0600

    Add test for tpsclient
    
    The TPS test has been modified to verify token format and
    token enrollment operations using tpsclient.

commit a36739aca0460d7b0502653c4c715d613376db12
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 16 09:25:44 2021 -0600

    Add pki <subsystem>-deploy/undeploy
    
    The ACMEDeployCLI and ACMEUndeployCLI have been converted
    into generic SubsystemDeployCLI and SubsystemUndeployCLI
    that can be used by all subsystems.

commit a01d3bad7807de3949d008d1f6b3724cf06473f7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 16 09:25:42 2021 -0600

    Fix exception message in PKIServer.webapp_undeploy()

commit 22ab633b355c2465456e2e4080449d85c775dbc1
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Feb 11 16:06:28 2021 -0600

    Clean up tools tests

commit 7ae88d5ba7918bf01dd6d5deee6109129456a77d
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Mon Feb 8 09:35:01 2021 -0500

    Add OAEP support to pki client-cert-request
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 25e0dc007d0533f219fcdb16eb2be8562ffff562
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Thu Feb 4 16:44:59 2021 -0500

    Make CryptoUtil respect FIPS Status
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit c10d9655ffe87487477de6d04fe3f9a029c7c475
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Thu Feb 4 11:15:01 2021 -0500

    Add RSA-OAEP support to SecurityDataProcessor
    
    org.mozilla.jss.netscape.security.util.WrappingParams in JSS has an
    shortcoming that it believes all RSA is RSA-PKCS1v1.5 and additionally,
    that anything that isn't a EC key is RSA. :-)
    
    Read the value of keyWrap.useOAEP to determine whether to override the
    secret key wrapping algorithm with OAEP, prior to using and storing the
    wrapping parameters.
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 1a8de83c3c6ca0e60396c2a7e13ff9a960fe9748
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Feb 4 14:03:21 2021 -0600

    Add ACME indexes for DS
    
    Currently ACME indexes are defined in the CA's index.ldif so
    when the CA is created the ACME indexes will be created as
    well in the same DS backend. However, if later the ACME is
    installed on a different DS backend, the ACME indexes need to
    be created in that backend instead.
    
    To simplify the installation process a new index.ldif has been
    added to define the ACME indexes for DS. A new indextask.ldif
    has been added as well to reindex an existing database.
    
    In the future the ACME indexes may be removed from the CA's
    index.ldif.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1916686

commit 6ee1f01dff4818d3149f89c2e1c0d9f49c2ad8cd
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Feb 4 12:17:36 2021 -0600

    Add SessionAuthentication for acmeServerCert
    
    The acmeServerCert profile has been modified to use
    SessionAuthentication instead of manual agent approval
    to improve ACME cert enrollment performance.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1916686

commit 2856e5a7d902f0b93997724eab3ac3fc06ea6552
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Feb 4 12:17:34 2021 -0600

    Fix PKIClient usage in PKIIssuer
    
    The PKIIssuer has been modified to close PKIClient objects
    explicitly using try-with-resources to avoid excessive open
    connections.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1916686

commit 042e2b704d27924590b86d776fae19b4eb65fa19
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 8 14:09:22 2021 -0600

    Move FixChallengePasswordClassPath.py
    
    The FixChallengePasswordClassPath.py upgrade script has
    been moved into base/server/upgrade/10.10.4 folder.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1664435

commit b2cec1cb2fdf4dd622b405aaf4079baffe94e544
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 8 13:02:04 2021 -0600

    Update version number to 10.10.4

commit 7ee9c4357aa0c4637b0320ade17dd71ef9a5941e
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 2 10:24:39 2021 -0600

    Add test for installing TPS clone

commit a88a97bad4a0d65bfcae4d64f0c4d2759e585483
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 2 10:23:07 2021 -0600

    Fix TPS clone installation
    
    The TPS clone installation has been fixed by adding
    the GetConfigEntries servlet into TPS's web.xml.
    
    Resolves: https://github.com/dogtagpki/pki/issues/1841

commit a72d8d146ed0b71fe1ed6282e2af99f2c81e3f24
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 13:17:53 2021 -0600

    Add doc for ACME performance test

commit beb615b704f07b383ca8b69656af67a53a9eaf2d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 13:14:55 2021 -0600

    Add doc for CA performance test

commit a3fa35e30a8bc5b06806f6a228e8d27a9bc68962
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 13:52:56 2021 -0600

    Add performance tests scripts into pki-tests

commit 8d2835c68c85a29647be9991d4669c6b1b738d64
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 11:48:27 2021 -0600

    Update log messages in test_acme_cert_enrollment.py
    
    The test_acme_cert_enrollment.py has been modified to provide
    a --verbose and a --debug options to show the test progress and
    some debugging information.

commit 0475ff1b7cba84bee767077292c4159c53b41226
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 11:36:37 2021 -0600

    Add default values for test_acme_cert_enrollment.py parameters
    
    The parameters for test_acme_cert_enrollment.py have been
    modified to provide a default value to make it easier to use.

commit 5bad7101120c668eba6f3b40875c41f02bf007d3
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 12:36:38 2021 -0600

    Fix calculation in test_acme_cert_enrollment.py
    
    The test_acme_cert_enrollment.py has been modified to use
    float instead of int when calculating the elapsed time for
    better accuracy.

commit 507af7bdeda181ca4b523d0e46c9b747108ee932
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 11:29:32 2021 -0600

    Update log messages in test_cert_enrollment.py
    
    The test_cert_enrollment.py has been modified to provide
    a --verbose and a --debug options to show the test progress
    and some debugging information.

commit c57a03911d9651cdc7844a3ace1e9b40b0657dca
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 11:17:41 2021 -0600

    Add default values for test_cert_enrollment.py parameters
    
    Some parameters for test_cert_enrollment.py have been modified
    to provide a default value to make it easier to use.

commit 91f25b906f4f07e275d8bf8fdc1da8de93cc1410
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Feb 3 11:18:06 2021 -0600

    Fix calculation in test_cert_enrollment.py
    
    The test_cert_enrollment.py has been modified to use float
    instead of int when calculating the elapsed time for better
    accuracy.

commit 877751b91858600cc504145b46ed4ffbc08c60eb
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 2 10:20:43 2021 -0600

    Add pki securitydomain-join --install-token option

commit 26b29c389669abb2e9b4b6d645a2f71765970090
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 2 10:20:37 2021 -0600

    Add pki <subsystem>-config-export --install-token option

commit 5ec94e61789b32913a93d3f178bc54a20b71556e
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Feb 2 10:20:30 2021 -0600

    Add pki <subsystem>-range-request --install-token option

commit 0fc92476add5398205d737a618af4bb210cef026
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 16:48:16 2021 -0600

    Update KRA clone doc

commit 8913e3158bbf14c2db06dafcd1003818ab74e2af
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 16:48:14 2021 -0600

    Update CA clone doc

commit 0b5620b6e16e6eccc433169a5bf1da6a55f33a3c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 16:20:54 2021 -0600

    Fix COPR repo for ACME test

commit 6d7aa2b34f90a1a219270c70f0d6c09e3257da4c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 09:56:30 2021 -0600

    Add test for installing TKS clone of clone

commit 09177132c206342ed05adfb3416b1209a405d9c9
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 10:54:54 2021 -0600

    Add test for installing OCSP clone of clone

commit 5987987466e989d9aa457a881f69476cdd3434dd
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 09:56:28 2021 -0600

    Add test for installing OCSP clone

commit 514741c27930659e27dfdc49cf93698b37c3602d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Feb 1 09:56:15 2021 -0600

    Fixed error handling during replica setup
    
    Originally the LDAPConfigurator.createReplicaObject() would
    return true if it managed to add a new replica object. If the
    object already existed, it would only add the new replica bind
    DN and return false. If an error happened it would get ignored
    and the method would return false as well.
    
    In 4abfdc77508545fb90ef127fbbf373ae1609d705 the behavior of
    accidentally got changed return true if the replica object
    already exists and this caused OCSP and TKS clone of clone
    installation to fail.
    
    To fix the problem the behavior has been reverted except that
    now any error will be reported as an exception.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1912418

commit a52e4b5c8df2492da2ca999bf1166df08d16d4a9
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 21 17:40:00 2021 -0600

    Add ACME server switchover test

commit 9900c46dd8a65defc8492e67c57b1684b2d0481c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 15 11:27:08 2021 -0600

    Add ACME base URL parameter
    
    By default the ACME directory will return ACME service URLs
    with the same hostname that the client uses to access the
    directory. If the hostname is load-balanced, the client might
    get redirected to different servers, which could trigger other
    issues.
    
    A new parameter has been added into engine.conf to override
    the base URL of ACME services. This mechanism can be used to
    pin the client to the current server.

commit 705aa5e82a451d237a1f49bba5086dd9c92be8db
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 29 19:08:00 2021 -0600

    Clean up KRA test

commit f86773ab81db822a396e203cea90be1add18ecb2
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 29 19:36:09 2021 -0600

    Clean up CA test

commit bd83211d4965e71c1d76d84ba22a929929d6ffaa
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 29 14:23:41 2021 -0600

    Add test for installing KRA clone of clone

commit 02a375dec1404584877a321b5d5965ba510750ed
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 29 13:54:16 2021 -0600

    Add test for installing CA clone of clone

commit c61c5ee6ab25d15ba59cf422361c18c13264beb2
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 29 13:25:16 2021 -0600

    Fix clone of clone installation
    
    In commit e0b249636e2ea24d3d0633e65bf1d6e0a3dbd35f the
    CMSEngine.configurePorts() invocation was moved later
    during server startup process. It's not clear how, but
    apparently the cert number range assignment depends on
    this code so it failed when installing a clone of an
    existing clone.
    
    To fix the problem the invocation has been moved back
    into its original position.
    
    Resolves: https://github.com/dogtagpki/pki/issues/3330

commit 22897930148b86743883950af1c16cb999da5fa4
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 29 18:00:33 2021 -0600

    Fix COPR repo for TKS test

commit 6fbbbf90e9521967959a4737ae5cc9c605cc3a09
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 20 13:20:09 2021 -0600

    Add test for installing TKS clone

commit d6ddc17460b058ebfca02e0b828db721d4e9689d
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Thu Jan 28 13:10:34 2021 +0200

    bump the version

commit cacd0353e0304662b03efd92de5427fa00ca8096
Merge: c8191cc9f 6e3ad8768
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Thu Jan 28 13:05:36 2021 +0200

    Merge branch 'upstream'

commit 5f40860218aad64838bb4dc063653c7939499b12
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 27 10:20:42 2021 -0600

    Update release number to 10.10.3-4

commit 1de07c2256ebe422bfe879935b33598a0cbc05de
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Jan 25 13:05:03 2021 -0600

    Add ACME tests for IPA
    
    The IPA test has been modified to perform ACME tests
    using certbot.

commit 8b769282ad5354cddfba04cf38bf2233e370dc57
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Jan 25 13:05:01 2021 -0600

    Fix profile auth in PKIIssuer.issueCertificate()
    
    In commit 1b6b426ad4724e2f9595340027482a0a36fc3655 the
    PKIClient.login() was removed from PKIIssuer.issueCertificate()
    and that caused enrollments with a profile that requires
    authentication to fail.
    
    To fix the problem the PKIClient.login() has been restored.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1919282

commit 15f051b3fe195daa47d66496e5a096a68eb5a9f7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 20 10:08:08 2021 -0600

    Add test for standalone OCSP

commit 07d5ec9283cf28851a052ce81a928493607add8f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 20 10:08:06 2021 -0600

    Add test for standalone KRA

commit 7d513eb40078e112858380baf1128a46a4709759
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 20 10:08:04 2021 -0600

    Fix PKIDeployer.setup_admin()
    
    The PKIDeployer.setup_admin() has been modified to use
    the proper admin groups for CA, KRA, and OCSP.

commit 76fbee5005e4b794975c43bb3ad244de7599926a
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 20 10:08:05 2021 -0600

    Fix security domain tools
    
    The pki-server sd-* commands have been moved into
    pki-server <ca/kra/ocsp>-* such that it can be used to
    create the security domain properly in CA, KRA, and OCSP.

commit 36d13fd61950f96c468d01ac7bf53e66dab2fd45
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Jan 25 10:47:14 2021 -0600

    Clean up IPA test
    
    The code that installs and uninstalls IPA server has been
    moved from ipa-test.sh to ipa-tests.yml.

commit 966d7d38ba7f5d3147756fe2f65db789d393c20c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 21 11:39:36 2021 -0600

    Add ACME test using certbot
    
    The ACME test has been modified to perform certificate enrollment,
    certificate revocation, and account management using certbot.

commit 40dab3937f60e0516f9a351ba13cea4f87fdc5d6
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 21 10:45:47 2021 -0600

    Add pki-server acme-deploy/undeploy --wait option
    
    A new option has been added to pki-server acme-deploy/undeploy
    commands to wait until ACME web application is actually
    deployed/undeployed on the server. This option can be used to
    prevent the subsequent command from executing before the ACME
    deployment/undeployment is complete. The CI test has been updated
    to use this option to improve its reliability.

commit 2315c0db808975ae8a0892abb3cf5e9f35626e8b
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 14 14:45:29 2021 -0600

    Consolidate CI runner container build
    
    The GitHub workflows have been modified to build the CI runner
    container in the build job instead of test jobs.

commit f4ce0d401934f409c1c786af23754d1156d1c78d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Jan 15 10:56:14 2021 -0600

    Add persistent option for ACME nonces
    
    Previously ACME nonces were stored in ACME database, which
    could generate a lot of database traffic and might not work
    well in clustered environment due to replication latency.
    
    To address the performance issue, the ACME engine has been
    modified to store the nonces in memory by default, and provide
    an option to store the nonces in the database if necessary.
    
    The replication latency issue should be addressed using other
    mechanisms (e.g. using static base URL in ACME directory).

commit 81bdb81c7a1c5b38bb7bfb9ef68c36caa923ebe1
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Jan 19 11:23:37 2021 -0600

    Update upload/download actions in qe-tests.yml

commit 3148d31c45f844c7a413ae615a1c1a0a1b563051
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Jan 19 11:23:35 2021 -0600

    Fix indentations in qe-tests.yml

commit 6e3ad8768fa855416a1ba402ee5aab47956192c5
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Thu Jan 14 10:20:43 2021 -0500

    Remove additional lines from CRMFPopClient usage
    
    Resolves: rh-bz#1584550
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit eff1d9cdc7d98300591a2a2b84b12978dd643966
Author: root <root@pki1.example.com>
Date:   Wed Dec 9 21:28:20 2020 -0500

    Modify PKI to use RSA-OAEP wrapping alg for RSA keys.
    
    This first cut is a simple reworking any instances of
    RSA wrapping in the code to use RSA-OAEP.
    
    Code tested to work in software. Using an hsm, several
    issues occur with respect to wrapping using AES sym keys
    to wrap and unwrap RSA private keys.
    
    This first attempt is to get the basic code out for review.
    Subsequently, we can refine some of this code to allow things
    to work better with the hardware hsm.
    
    Make oeap configurable.

commit 3005be0e88ad5897b4dc7e95d71c286201f3f687
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 14 09:29:23 2021 -0600

    Update version number to 10.10.3

commit 895ab300c38445015c9ac136718ca3f690b0455d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 13 16:48:24 2021 -0600

    Clean up IPA clone test

commit e05be3b83af483e2decbcf7de6493ecdb8a9358e
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 13 14:59:32 2021 -0600

    Clean up KRA clone test

commit ef0f79dab0709f41e837a2e9657ad9d978881bb6
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 13 14:59:21 2021 -0600

    Clean up CA clone test

commit 0d6b3207c2847bb04b24ab4b02949e4067cbbcdd
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 13 16:25:49 2021 -0600

    Fix COPR repository for PKI 10.10

commit 11156292ebf806326c811ecb21563d10661ca1dd
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Jan 4 09:32:35 2021 -0600

    Add test for installing KRA clone

commit 3e81e61b7be42a317cb8619a9c6a4d79c0413da1
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 7 18:27:38 2021 -0600

    Add test for installing ACME

commit 2cbf67157a6789f018c2db80cb5976511d173a06
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Jan 5 16:03:59 2021 -0600

    Add test for installing OCSP with external certs

commit 155ac655ac6afa7199a0dd14198ce2093f2d4e12
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 17 12:38:51 2020 -0600

    Add test for PKI NSS CLI with and without HSM

commit 8e39e0eb7dda420b9efcf97855230d55ca56ea74
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 17 12:38:50 2020 -0600

    Add HSM support for pki nss-cert-import

commit fd3e0d8e52805b2f49dde58c402c14cbc0da6bf7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 17 12:38:49 2020 -0600

    Add HSM support for pki nss-cert-issue

commit 062df9fb8c647801cf78ed9ac333e936ad88eebf
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 17 12:38:48 2020 -0600

    Add HSM support for pki nss-cert-request

commit 567aa651dd73d3a6b42d6ba9317be9e4b670798f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Jan 7 19:52:06 2021 -0600

    Clean up CA clone test

commit 62ebb7025b95164cb8864fc2109165313446860a
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Thu Jan 7 11:37:28 2021 -0500

    Fix usage for CMCResponse -d
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit ef8ee5f9dd2db0458be5b6372dba05322aae3912
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Thu Jan 7 11:31:26 2021 -0500

    Update usage for CRMFPopClient -y option
    
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit da395ab90da75fbdb5fa16ec213b13030cd3f954
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 6 21:40:29 2021 -0600

    Fix COPR repository for PKI 10.10

commit 387f99685eb63949f20fa21d1dc9b59e9ced709d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 6 13:50:50 2021 -0600

    Fix KRA/OCSP installation with external certs on HSM
    
    Previously pkispawn did not update serverCertNick.conf during
    KRA or OCSP installation with external certs or standalone
    installation. If the SSL server cert was stored in HSM the file
    would not have the token name so the installation would fail.
    
    To fix the problem the deployment scriptlet has been modified
    to store the SSL server cert nickname and token name in
    serverCertNick.conf in all installation cases.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1890639

commit 337d8a95dec25361f3c9fde8f7875c3f47f7a97c
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Jan 6 17:29:02 2021 -0600

    Disable GPG check in CI
    
    The GPG check has been disabled due to the following issue
    during build dependency installation on F32:
    
    Package libuv-1.40.0-1.fc32.x86_64.rpm is not signed
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: GPG check FAILED

commit 49207adfbe350a325a05bf7c773de54c10f0b170
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Jan 5 17:21:03 2021 -0600

    Fix preop.ca.pkcs7 for external and standalone installations

commit 0459b00dedb6d6feed936524cb9a2741eb903b02
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Jan 5 10:42:46 2021 -0600

    Add test for installing IPA clone

commit 4382948e978a4ee465b7e9564226e18f9a7746d4
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 15 08:44:45 2020 -0600

    Add test for installing KRA with external certs

commit 57c5318fdba87f7f24511730462358ec065bdc01
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 15 08:44:43 2020 -0600

    Add cert extension configs for KRA certs

commit 1f70a0ac5fda9055bdbcc2348243e755fae9d21d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 15 08:44:42 2020 -0600

    Add support for emailProtection extended key usage in pki nss-cert

commit c9d46c06784f5c84f39185169fe96cf7f0280cef
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 15 12:16:47 2020 -0600

    Fix issuing CA configuration during installation
    
    The configuration.py has been modified to store the issuing CA
    parameters in all cases except when installing CA with external
    certs and standalone KRA/OCSP. This is necessary to fix KRA
    installation with external certs.

commit a20ba28d1afd019d12a224ac01001fd29fe59116
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Jan 4 15:47:49 2021 -0600

    Clean up ipa-tests.yml

commit d75d0152b5217be428bf20bb10e1b858b5e13f74
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Jan 4 10:07:17 2021 -0600

    Disable ipa-healtcheck test
    
    The ipa-healthcheck has been failing due to this issue:
    https://github.com/freeipa/freeipa-healthcheck/issues/163
    
    The ipa-healthcheck test has temporarily been disabled to
    allow other IPA tests to pass.

commit b0298def61ca81532254da1f2d70d4f33681210b
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Dec 17 09:46:21 2020 -0600

    Fix python3-pki dependency
    
    The python3-pki package has been modified to depend on
    python3-ldap since it is needed by pki Python module.

commit c2b2267669518343ad401761712d089c38a5529f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Dec 16 08:54:13 2020 -0600

    Clean up CI tests

commit ea3c907c9b2975772b7672934ac89fefb724d2f7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 8 14:49:43 2020 -0600

    Add test for installing CA with existing certs

commit a0883837abe40cd339fa648110595aad069851c1
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Dec 8 14:49:41 2020 -0600

    Add cert extension configs for CA certs

commit 924d2d045589bd53ef22e1180b46ad28aad8fc7e
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Dec 9 16:18:06 2020 -0600

    Add --serial parameter for pki nss-cert-issue
    
    The pki nss-cert-issue has been modified to provide an
    optional parameter to specify a serial number for the
    new certificate.

Created: 2021-03-05 Last update: 2021-04-14 22:38

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2021-04-14 22:38

testing migrations

excuses:
- Migration status for dogtag-pki (10.10.2-2 to 10.10.2-3): Waiting for test results, another package or too young (no action required now - check later)
- Issues preventing migration:
- Too young, only 4 of 9 days old
- Additional info:
- Updating dogtag-pki fixes old bugs: #985340, #986080
- Piuparts tested OK - https://piuparts.debian.org/sid/source/d/dogtag-pki.html
- autopkgtest for dogtag-pki/10.10.2-3: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, ppc64el: Pass
- Overriding age needed from 9 days to 9 by ivodd
- not blocked: has successful autopkgtest
- Not considered

news

[rss feed]

[2021-04-14] Accepted dogtag-pki 10.10.2-3 (source) into unstable (Timo Aaltonen)
[2021-03-18] dogtag-pki 10.10.2-2 MIGRATED to testing (Debian testing watch)
[2021-03-12] Accepted dogtag-pki 10.10.2-2 (source) into unstable (Timo Aaltonen)
[2020-12-20] dogtag-pki 10.10.2-1 MIGRATED to testing (Debian testing watch)
[2020-12-20] dogtag-pki 10.10.2-1 MIGRATED to testing (Debian testing watch)
[2020-12-16] Accepted dogtag-pki 10.10.2-1 (source) into unstable (Timo Aaltonen)
[2020-12-09] dogtag-pki 10.10.1-1 MIGRATED to testing (Debian testing watch)
[2020-12-06] Accepted dogtag-pki 10.10.1-1 (source) into unstable (Timo Aaltonen)
[2020-11-07] dogtag-pki 10.10.0-1 MIGRATED to testing (Debian testing watch)
[2020-11-02] Accepted dogtag-pki 10.10.0-1 (source) into unstable (Timo Aaltonen)
[2020-09-23] dogtag-pki 10.9.4-1 MIGRATED to testing (Debian testing watch)
[2020-09-17] Accepted dogtag-pki 10.9.4-1 (source) into unstable (Timo Aaltonen)
[2020-08-24] Accepted dogtag-pki 10.9.2-1 (source) into unstable (Timo Aaltonen)
[2020-08-14] Accepted dogtag-pki 10.9.1-2 (source) into unstable (Timo Aaltonen)
[2020-08-14] Accepted dogtag-pki 10.9.1-1 (source) into unstable (Timo Aaltonen)
[2020-06-17] Accepted dogtag-pki 10.9.0~a2-2 (source) into experimental (Timo Aaltonen)
[2020-06-16] Accepted dogtag-pki 10.9.0~a2-1 (source) into experimental (Timo Aaltonen)
[2020-05-27] Accepted dogtag-pki 10.9.0~a1-1 (source) into experimental (Timo Aaltonen)
[2020-03-30] Accepted dogtag-pki 10.8.3-2 (source) into unstable (Timo Aaltonen)
[2020-03-17] Accepted dogtag-pki 10.8.3-1 (source) into unstable (Timo Aaltonen)
[2020-02-08] Accepted dogtag-pki 10.7.4-2 (source) into unstable (Timo Aaltonen)
[2020-02-06] Accepted dogtag-pki 10.7.4-1 (source) into unstable (Timo Aaltonen)
[2019-09-17] Accepted dogtag-pki 10.7.3-4 (source) into unstable (Timo Aaltonen)
[2019-09-13] Accepted dogtag-pki 10.7.3-3 (source) into unstable (Timo Aaltonen)
[2019-09-11] Accepted dogtag-pki 10.7.3-2 (source) into unstable (Timo Aaltonen)
[2019-08-09] Accepted dogtag-pki 10.7.3-1 (source) into experimental (Timo Aaltonen)
[2019-07-29] Accepted dogtag-pki 10.6.10-2 (source) into unstable (Timo Aaltonen)
[2019-07-19] Accepted dogtag-pki 10.6.10-1 (source) into unstable (Timo Aaltonen)
[2019-03-15] dogtag-pki REMOVED from testing (Debian testing watch)
[2019-01-09] dogtag-pki 10.6.8-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 0

links

homepage
lintian (1, 52)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 10.10.2-1
2 bugs