update version to 6.0.0

2024-11-19 14:48:47 +08:00 · 2024-11-19 14:48:47 +08:00 · 5532974eb0
commit 5532974eb0
parent 165ab57137
24 changed files with 6871 additions and 2531 deletions
--- a/3000-add-sw_64-support.patch
+++ b/3000-add-sw_64-support.patch
--- a/cJSON-1.7.15.tar.gz
+++ b/cJSON-1.7.15.tar.gz
--- a/clonecode.sh
+++ b/clonecode.sh
@ -1,9 +1,12 @@
-version=5.0.1
+current_dir=$(pwd)
 cd $current_dir
 version=6.0.0
 server_repo=https://gitee.com/opengauss/openGauss-server.git
 plugin_repo=https://gitee.com/opengauss/Plugin.git
-git clone $server_repo -b v5.0.1 openGauss-server-$version
+git clone $server_repo -b v6.0.0 openGauss-server-$version
-git clone $plugin_repo -b v5.0.1 Plugin-$version
+git clone $plugin_repo -b v6.0.0 Plugin-$version
 cp -rf Plugin-$version/contrib/* openGauss-server-$version/contrib/
 rm -rf openGauss-server-$version/contrib/datavec
 cd openGauss-server-$version
 gitcommit=$(git log 2>/dev/null | grep commit | head -1 | awk '{print $2}' | cut -b 1-8)
 echo $gitcommit > ../COMMIT
--- a/cmake_compile.patch
+++ b/cmake_compile.patch
@ -1,335 +0,0 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/cmake/src/set_thirdparty_path.cmake openGauss-server-5.0.1-edit/cmake/src/set_thirdparty_path.cmake
 *** openGauss-server-5.0.1/cmake/src/set_thirdparty_path.cmake	2024-05-07 20:16:38.988794109 +0800
 --- openGauss-server-5.0.1-edit/cmake/src/set_thirdparty_path.cmake	2024-05-09 14:15:39.965184154 +0800
 ***************
 *** 158,163 ****
 --- 158,165 ----
  if(${WITH_OPENEULER_OS} STREQUAL "ON")
      set(SECURE_C_CHECK boundscheck)
 + elseif(${ENABLE_OPENEULER_MAJOR} STREQUAL "ON")
 +     set(SECURE_C_CHECK boundscheck)
  else()
      set(SECURE_C_CHECK securec)
  endif()
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/CMakeLists.txt openGauss-server-5.0.1-edit/src/CMakeLists.txt
 *** openGauss-server-5.0.1/src/CMakeLists.txt	2024-05-07 20:16:39.156795348 +0800
 --- openGauss-server-5.0.1-edit/src/CMakeLists.txt	2024-05-09 15:36:33.381689446 +0800
 ***************
 *** 192,198 ****
  endif()
  if("${ENABLE_MULTIPLE_NODES}" STREQUAL "OFF")
 !     install(DIRECTORY ${DCF_LIB_PATH} DESTINATION .)
  endif()
  if(${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF AND NOT ${ENABLE_LITE_MODE} STREQUAL ON)
      if(EXISTS ${DMS_LIB_PATH})
 --- 192,200 ----
  endif()
  if("${ENABLE_MULTIPLE_NODES}" STREQUAL "OFF")
 !     if(EXISTS ${DCF_LIB_PATH})
 !         install(DIRECTORY ${DCF_LIB_PATH} DESTINATION .)
 !     endif()
  endif()
  if(${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF AND NOT ${ENABLE_LITE_MODE} STREQUAL ON)
      if(EXISTS ${DMS_LIB_PATH})
 ***************
 *** 206,218 ****
      endif()
  endif()
 - install(DIRECTORY ${ZSTD_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE)
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(DIRECTORY ${LIBOBS_LIB_PATH} DESTINATION .)
      install(DIRECTORY ${LIBOBS_INCLUDE_PATH} DESTINATION include/postgresql/server/access/obs)
  endif()
 ! install(DIRECTORY ${CJSON_LIB_PATH} DESTINATION .)
 ! install(DIRECTORY ${CJSON_INCLUDE_PATH}/cjson DESTINATION include/postgresql/server)
  if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
      install(DIRECTORY ${ETCD_BIN_PATH} DESTINATION .)
      install(DIRECTORY ${IPERF_LIB_PATH} DESTINATION .)
 --- 208,218 ----
      endif()
  endif()
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(DIRECTORY ${LIBOBS_LIB_PATH} DESTINATION .)
      install(DIRECTORY ${LIBOBS_INCLUDE_PATH} DESTINATION include/postgresql/server/access/obs)
  endif()
 ! 
  if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
      install(DIRECTORY ${ETCD_BIN_PATH} DESTINATION .)
      install(DIRECTORY ${IPERF_LIB_PATH} DESTINATION .)
 ***************
 *** 222,242 ****
      install(DIRECTORY ${KMC_LIB_PATH} DESTINATION .)
  endif()
  endif()
 - install(DIRECTORY ${LIBCURL_LIB_PATH} DESTINATION .)
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
      install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
      install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
  endif()
 ! install(DIRECTORY ${LZ4_LIB_PATH} DESTINATION .)
 ! install(DIRECTORY ${LZ4_BIN_PATH} DESTINATION .)
 ! install(DIRECTORY ${LIBOPENSSL_BIN_PATH} DESTINATION .)
 ! install(DIRECTORY ${LIBOPENSSL_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE )
  install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
  list(FIND MACRO_OPTIONS "-D__USE_NUMA" RET_NUMA)
  if(NOT ${RET_NUMA} EQUAL -1)
 !     install(DIRECTORY ${NUMA_LIB_PATH} DESTINATION .)
  endif()
  if("${ENABLE_MOT}" STREQUAL "ON")
 --- 222,240 ----
      install(DIRECTORY ${KMC_LIB_PATH} DESTINATION .)
  endif()
  endif()
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
      install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
      install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
  endif()
 ! 
  install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
  list(FIND MACRO_OPTIONS "-D__USE_NUMA" RET_NUMA)
  if(NOT ${RET_NUMA} EQUAL -1)
 !     if(EXISTS ${NUMA_LIB_PATH})
 !         install(DIRECTORY ${NUMA_LIB_PATH} DESTINATION .)
 !     endif()
  endif()
  if("${ENABLE_MOT}" STREQUAL "ON")
 ***************
 *** 251,261 ****
  install(CODE "message(\"-- Created symlink: libatomic.so.1 -> libatomic.so.1.2.0\")")
  endif()
 - install(FILES ${SECUREDYNAMICLIB_HOME}/libsecurec.so DESTINATION lib)
 - install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgcc_s.so.1 DESTINATION lib)
 - install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgomp.so DESTINATION lib)
 - install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgomp.so.1 DESTINATION lib)
 - install(FILES ${BUILDTOOLS_PATH}/gcc7.3/gcc/lib64/libgomp.so.1.0.0 DESTINATION lib)
  install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib)
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(FILES ${PLJAVA_HOME}/lib/libpljava.so DESTINATION lib)
 --- 249,254 ----
 ***************
 *** 273,295 ****
      install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
          FILES_MATCHING PATTERN "libatomic.so*")
  endif()
 - 
 - install(FILES ${GCC_LIB_PATH}/lib64/libgcc_s.so.1 DESTINATION lib)
 - install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
 -     FILES_MATCHING PATTERN "libgomp.so*")
 - 
 - install(CODE "execute_process(
 -      COMMAND cp ${GCC_LIB_PATH}/lib64/libstdc++.so.6.0.24 ${prefix_home}/lib/libstdc++.so.6
 -      WORKING_DIRECTORY ${prefix_home}/lib)"
 - )
 - 
 - # install(DIRECTORY ${LIBCGROUP_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libcgroup.so*")
 - install(CODE "execute_process(
 - COMMAND cp ${LIBCGROUP_LIB_PATH}/libcgroup.so.1.0.42 ${prefix_home}/lib/libcgroup.so
 - COMMAND ln -fs libcgroup.so libcgroup.so.1
 - WORKING_DIRECTORY ${prefix_home}/lib)"
 - )
 - install(CODE "message(\"-- Created symlink: libcgroup.so.1 -> libcgroup.so\")")
  # fastcheck part
  install(FILES ${PROJECT_SRC_DIR}/test/regress/stub/roach_api_stub/roach_api_stub.control
 --- 266,271 ----
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/common/interfaces/libpq/CMakeLists.txt openGauss-server-5.0.1-edit/src/common/interfaces/libpq/CMakeLists.txt
 *** openGauss-server-5.0.1/src/common/interfaces/libpq/CMakeLists.txt	2024-05-07 20:16:39.540798180 +0800
 --- openGauss-server-5.0.1-edit/src/common/interfaces/libpq/CMakeLists.txt	2024-05-09 14:15:40.525188303 +0800
 ***************
 *** 118,129 ****
  set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
  add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 !     target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss securec ssl)
  else()
 !     target_link_libraries(pq PRIVATE crypto securec ssl)
  endif()
  target_link_directories(pq PUBLIC 
 !     ${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH} ${SECURE_LIB_PATH} 
      ${PROJECT_SRC_DIR}/common/port ${PROJECT_SRC_DIR}/gstrace/common
  )
  set_target_properties(pq PROPERTIES VERSION 5.5)
 --- 118,129 ----
  set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
  add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 !     target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss ${SECURE_C_CHECK} ssl)
  else()
 !     target_link_libraries(pq PRIVATE crypto ${SECURE_C_CHECK} ssl)
  endif()
  target_link_directories(pq PUBLIC 
 !     ${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH}
      ${PROJECT_SRC_DIR}/common/port ${PROJECT_SRC_DIR}/gstrace/common
  )
  set_target_properties(pq PROPERTIES VERSION 5.5)
 ***************
 *** 302,308 ****
  endif()
  add_dependencies(pq_ce libpq_ce cmk_entity_manager_hooks encryption_hooks client_logic_common client_logic_expressions client_logic_cache client_logic_processor client_logic_fmt client_logic_hooks client_logic_data_fetcher frontend_parser)
  target_link_directories(pq_ce PUBLIC 
 -     ${SECURE_LIB_PATH}
      ${KMC_LIB_PATH}
      ${LIBOPENSSL_LIB_PATH}
      ${CJSON_LIB_PATH}
 --- 302,307 ----
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp openGauss-server-5.0.1-edit/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp
 *** openGauss-server-5.0.1/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp	2024-05-07 20:16:39.608798681 +0800
 --- openGauss-server-5.0.1-edit/src/gausskernel/cbb/communication/libcomm_utils/libcomm_thread.cpp	2024-05-07 20:17:58.873383188 +0800
 ***************
 *** 2417,2423 ****
  #else
      switch ((comm_sender_flower_pid = fork_process())) {
  #endif
 !         case -1:
              ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 --- 2417,2423 ----
  #else
      switch ((comm_sender_flower_pid = fork_process())) {
  #endif
 !         case (ThreadId)-1:
              ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 ***************
 *** 2454,2460 ****
  #else
      switch ((comm_receiver_flower_pid = fork_process())) {
  #endif
 !         case -1:
              ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 --- 2454,2460 ----
  #else
      switch ((comm_receiver_flower_pid = fork_process())) {
  #endif
 !         case (ThreadId)-1:
              ereport(LOG, (errmsg("could not fork comm sender flower process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 ***************
 *** 2488,2494 ****
  #else
      switch ((comm_auxiliary_pid = fork_process())) {
  #endif
 !         case -1:
              ereport(LOG, (errmsg("could not fork comm auxiliary flower process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 --- 2488,2494 ----
  #else
      switch ((comm_auxiliary_pid = fork_process())) {
  #endif
 !         case (ThreadId)-1:
              ereport(LOG, (errmsg("could not fork comm auxiliary flower process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 ***************
 *** 2522,2528 ****
      switch ((comm_receiver_pid = fork_process()))
  #endif
      {
 !         case -1:
              ereport(LOG, (errmsg("could not fork comm receiver process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 --- 2522,2528 ----
      switch ((comm_receiver_pid = fork_process()))
  #endif
      {
 !         case (ThreadId)-1:
              ereport(LOG, (errmsg("could not fork comm receiver process: %m")));
              return 0;
  #ifndef EXEC_BACKEND
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/storage/smgr/smgr.cpp openGauss-server-5.0.1-edit/src/gausskernel/storage/smgr/smgr.cpp
 *** openGauss-server-5.0.1/src/gausskernel/storage/smgr/smgr.cpp	2024-05-07 20:16:39.940801129 +0800
 --- openGauss-server-5.0.1-edit/src/gausskernel/storage/smgr/smgr.cpp	2024-05-07 20:17:59.201385607 +0800
 ***************
 *** 949,955 ****
              return convertScalarToDatumT<UNKNOWNOID>;
          }
          default: {
 !             return convertScalarToDatumT<-2>;
          }
      }
  }
 --- 949,955 ----
              return convertScalarToDatumT<UNKNOWNOID>;
          }
          default: {
 !             return convertScalarToDatumT<((Oid)-2)>;
          }
      }
  }
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' Plugin-5.0.1/contrib/dolphin/cmake.sh Plugin-5.0.1-edit/contrib/dolphin/cmake.sh
 *** Plugin-5.0.1/contrib/dolphin/cmake.sh	2024-06-12 20:17:51.731405913 +0800
 --- Plugin-5.0.1-edit/contrib/dolphin/cmake.sh	2024-06-12 20:43:24.223308216 +0800
 ***************
 *** 1,5 ****
  #!/bin/bash
 ! CMAKE_OPT="-DENABLE_MULTIPLE_NODES=OFF -DENABLE_PRIVATEGAUSS=OFF -DENABLE_THREAD_SAFETY=ON -DENABLE_LITE_MODE=ON"
  cpus_num=$(grep -w processor /proc/cpuinfo|wc -l)
  rm -f dolphin--1.0.sql
  touch dolphin--1.0.sql
 --- 1,5 ----
  #!/bin/bash
 ! CMAKE_OPT="-DENABLE_MULTIPLE_NODES=OFF -DENABLE_PRIVATEGAUSS=OFF -DENABLE_THREAD_SAFETY=ON -DENABLE_LITE_MODE=ON -DENABLE_OPENEULER_MAJOR=ON -DWITH_OPENEULER_OS=ON"
  cpus_num=$(grep -w processor /proc/cpuinfo|wc -l)
  rm -f dolphin--1.0.sql
  touch dolphin--1.0.sql
 ***************
 *** 9,14 ****
 --- 9,15 ----
  touch dolphin--1.2.sql
  cat dolphin--1.0.sql >> dolphin--1.2.sql
  cat upgrade_script/dolphin--1.0--1.2.sql >> dolphin--1.2.sql
 + BUILD_TUPLE=$(uname -p)
  cp llvmir/openGauss_expr_dolphin_${BUILD_TUPLE}.ir openGauss_expr_dolphin.ir
  DOLPHIN_CMAKE_BUILD_DIR=`pwd`/tmp_build
  [ -d "${DOLPHIN_CMAKE_BUILD_DIR}" ] && rm -rf ${DOLPHIN_CMAKE_BUILD_DIR}
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/bin/pg_ctl/backup.cpp openGauss-server-5.0.1-edit/src/bin/pg_ctl/backup.cpp
 *** openGauss-server-5.0.1/src/bin/pg_ctl/backup.cpp    2024-05-09 14:48:32.000000000 +0800
 --- openGauss-server-5.0.1-edit/src/bin/pg_ctl/backup.cpp       2024-06-19 16:22:57.390413059 +0800
 ***************
 *** 1939,1945 ****
          }
          while (1) {
              de = readdir(dir);
 !             if (de <= 0) {
                  break;
              }
              if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
 --- 1939,1945 ----
          }
          while (1) {
              de = readdir(dir);
 !             if (de == NULL) {
                  break;
              }
              if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
 ***************
 *** 2799,2802 ****
      /* free sysidentifier after use */
      pg_free(sysidentifier);
      sysidentifier = NULL;
 ! }
 \ No newline at end of file
 --- 2799,2802 ----
      /* free sysidentifier after use */
      pg_free(sysidentifier);
      sysidentifier = NULL;
 ! }
--- a/compile_2309.patch
+++ b/compile_2309.patch
@ -1,39 +0,0 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/bin/pg_basebackup/pg_basebackup.cpp openGauss-server-5.0.1-edit/src/bin/pg_basebackup/pg_basebackup.cpp
 *** openGauss-server-5.0.1/src/bin/pg_basebackup/pg_basebackup.cpp	2024-05-07 20:16:39.176795495 +0800
 --- openGauss-server-5.0.1-edit/src/bin/pg_basebackup/pg_basebackup.cpp	2024-05-07 20:17:58.441380003 +0800
 ***************
 *** 1622,1628 ****
      struct dirent* ent;
      while (1) {
          ent = readdir(dir);
 !         if (ent <= 0) {
              break;
          }
          if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
 --- 1622,1628 ----
      struct dirent* ent;
      while (1) {
          ent = readdir(dir);
 !         if (ent == NULL) {
              break;
          }
          if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/runtime/opfusion/opfusion_util.cpp openGauss-server-5.0.1-edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp
 *** openGauss-server-5.0.1/src/gausskernel/runtime/opfusion/opfusion_util.cpp	2024-05-07 20:16:39.780799949 +0800
 --- openGauss-server-5.0.1-edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp	2024-05-07 20:17:59.041384427 +0800
 ***************
 *** 424,430 ****
      /* check whether to have order by */
      if (node->aggstrategy != AGG_PLAIN ||
 !             node->groupingSets > 0) {
          return NOBYPASS_NOT_PLAIN_AGG;
      }
 --- 424,430 ----
      /* check whether to have order by */
      if (node->aggstrategy != AGG_PLAIN ||
 !             node->groupingSets != NIL) {
          return NOBYPASS_NOT_PLAIN_AGG;
      }
--- a/krb5-1.18.3-final.tar.gz
+++ b/krb5-1.18.3-final.tar.gz
--- a/krb5-CVE-2023-36054.patch
+++ b/krb5-CVE-2023-36054.patch
@ -0,0 +1,35 @@
 diff -Naur a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
 --- a/src/lib/kadm5/kadm_rpc_xdr.c	2023-09-01 16:16:12.843658117 +0800
 +++ b/src/lib/kadm5/kadm_rpc_xdr.c	2023-09-01 16:12:03.704811364 +0800
@@ -390,6 +390,7 @@
 			     int v)
 {
 	unsigned int n;
 +	bool_t r;
 	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
 		return (FALSE);
@@ -443,6 +444,9 @@
 	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
 		return (FALSE);
 	}
 +	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
 +		return (FALSE);
 +	}
 	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
 		return (FALSE);
 	}
@@ -451,9 +455,10 @@
 		return FALSE;
 	}
 	n = objp->n_key_data;
 -	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
 -		       &n, ~0, sizeof(krb5_key_data),
 -		       xdr_krb5_key_data_nocontents)) {
 +	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
 +		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
 +	objp->n_key_data = n;
 +	if (!r) {
 		return (FALSE);
 	}
--- a/krb5-backport-Add-a-simple-DER-support-header.patch
+++ b/krb5-backport-Add-a-simple-DER-support-header.patch
@ -0,0 +1,171 @@
 From 548da160b52b25a106e9f6077d6a42c2c049586c Mon Sep 17 00:00:00 2001                 
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 7 Mar 2023 00:19:33 -0500
 Subject: [PATCH] Add a simple DER support header
 Reference: https://github.com/krb5/krb5/commit/548da160b52b25a106e9f6077d6a42c2c049586c
 Conflict: NA
 ---
 src/include/k5-der.h | 149 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100644 src/include/k5-der.h
 diff --git a/src/include/k5-der.h b/src/include/k5-der.h
 new file mode 100644
 index 0000000..b8371d9
 --- /dev/null
 +++ b/src/include/k5-der.h
@@ -0,0 +1,149 @@
 +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 +/* include/k5-der.h - Distinguished Encoding Rules (DER) declarations */
 +/*
 + * Copyright (C) 2023 by the Massachusetts Institute of Technology.
 + * All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + *
 + * * Redistributions of source code must retain the above copyright
 + *   notice, this list of conditions and the following disclaimer.
 + *
 + * * Redistributions in binary form must reproduce the above copyright
 + *   notice, this list of conditions and the following disclaimer in
 + *   the documentation and/or other materials provided with the
 + *   distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 + * OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +/*
 + * Most ASN.1 encoding and decoding is done using the table-driven framework in
 + * libkrb5.  When that is not an option, these helpers can be used to encode
 + * and decode simple types.
 + */
 +
 +#ifndef K5_DER_H
 +#define K5_DER_H
 +
 +#include <stdint.h>
 +#include <stdbool.h>
 +#include "k5-buf.h"
 +#include "k5-input.h"
 +
 +/* Return the number of bytes needed to encode len as a DER encoding length. */
 +static inline size_t
 +k5_der_len_len(size_t len)
 +{
 +    size_t llen;
 +
 +    if (len < 128)
 +        return 1;
 +    llen = 1;
 +    while (len > 0) {
 +        len >>= 8;
 +        llen++;
 +    }
 +    return llen;
 +}
 +
 +/* Return the number of bytes needed to encode a DER value (with identifier
 + * byte and length) for a given contents length. */
 +static inline size_t
 +k5_der_value_len(size_t contents_len)
 +{
 +    return 1 + k5_der_len_len(contents_len) + contents_len;
 +}
 +
 +/* Add a DER identifier byte (composed by the caller, including the ASN.1
 + * class, tag, and constructed bit) and length. */
 +static inline void
 +k5_der_add_taglen(struct k5buf *buf, uint8_t idbyte, size_t len)
 +{
 +    uint8_t *p;
 +    size_t llen = k5_der_len_len(len);
 +
 +    p = k5_buf_get_space(buf, 1 + llen);
 +    if (p == NULL)
 +        return;
 +    *p++ = idbyte;
 +    if (len < 128) {
 +        *p = len;
 +    } else {
 +        *p = 0x80 | (llen - 1);
 +        /* Encode the length bytes backwards so the most significant byte is
 +         * first. */
 +        p += llen;
 +        while (len > 0) {
 +            *--p = len & 0xFF;
 +            len >>= 8;
 +        }
 +    }
 +}
 +
 +/* Add a DER value (identifier byte, length, and contents). */
 +static inline void
 +k5_der_add_value(struct k5buf *buf, uint8_t idbyte, const void *contents,
 +                 size_t len)
 +{
 +    k5_der_add_taglen(buf, idbyte, len);
 +    k5_buf_add_len(buf, contents, len);
 +}
 +
 +/*
 + * If the next byte in in matches idbyte and the subsequent DER length is
 + * valid, advance in past the value, set *contents_out to the value contents,
 + * and return true.  Otherwise return false.  Only set an error on in if the
 + * next bytes matches idbyte but the ensuing length is invalid.  contents_out
 + * may be aliased to in; it will only be written to on successful decoding of a
 + * value.
 + */
 +static inline bool
 +k5_der_get_value(struct k5input *in, uint8_t idbyte,
 +                 struct k5input *contents_out)
 +{
 +    uint8_t lenbyte, i;
 +    size_t len;
 +    const void *bytes;
 +
 +    /* Do nothing if in is empty or the next byte doesn't match idbyte. */
 +    if (in->status || in->len == 0 || *in->ptr != idbyte)
 +        return false;
 +
 +    /* Advance past the identifier byte and decode the length. */
 +    (void)k5_input_get_byte(in);
 +    lenbyte = k5_input_get_byte(in);
 +    if (lenbyte < 128) {
 +        len = lenbyte;
 +    } else {
 +        len = 0;
 +        for (i = 0; i < (lenbyte & 0x7F); i++) {
 +            if (len > (SIZE_MAX >> 8)) {
 +                k5_input_set_status(in, EOVERFLOW);
 +                return false;
 +            }
 +            len = (len << 8) | k5_input_get_byte(in);
 +        }
 +    }
 +
 +    bytes = k5_input_get_bytes(in, len);
 +    if (bytes == NULL)
 +        return false;
 +    k5_input_init(contents_out, bytes, len);
 +    return true;
 +}
 +
 +#endif /* K5_DER_H */
 -- 
 2.33.0
--- a/krb5-backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
+++ b/krb5-backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
@ -0,0 +1,536 @@
 From b0a2f8a5365f2eec3e27d78907de9f9d2c80505a Mon Sep 17 00:00:00 2001                 
 From: Greg Hudson <ghudson@mit.edu>
 Date: Fri, 14 Jun 2024 10:56:12 -0400
 Subject: [PATCH] Fix vulnerabilities in GSS message token handling
 In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
 verify the Extra Count field of CFX wrap tokens against the encrypted
 header.  Reported by Jacob Champion.
 In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
 length too short to contain the encrypted header and extra count
 bytes.  Reported by Jacob Champion.
 In kg_unseal_iov_token(), separately track the header IOV length and
 complete token length when parsing the token's ASN.1 wrapper.  This
 fix contains modified versions of functions from k5-der.h and
 util_token.c; this duplication will be cleaned up in a future commit.
 CVE-2024-37370:
 In MIT krb5 release 1.3 and later, an attacker can modify the
 plaintext Extra Count field of a confidential GSS krb5 wrap token,
 causing the unwrapped token to appear truncated to the application.
 CVE-2024-37371:
 In MIT krb5 release 1.3 and later, an attacker can cause invalid
 memory reads by sending message tokens with invalid length fields.
 ticket: 9128 (new)
 tags: pullup
 target_version: 1.21-next
 Reference: https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a
 Conflict: src/tests/gssapi/t_invalid.c
 ---
 src/lib/gssapi/krb5/k5sealv3.c    |   5 +
 src/lib/gssapi/krb5/k5sealv3iov.c |   3 +-
 src/lib/gssapi/krb5/k5unsealiov.c |  80 +++++++++-
 src/tests/gssapi/t_invalid.c      | 233 +++++++++++++++++++++++++-----
 4 files changed, 275 insertions(+), 46 deletions(-)
 diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
 index e881eee..d3210c1 100644
 --- a/src/lib/gssapi/krb5/k5sealv3.c
 +++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -400,10 +400,15 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
             /* Don't use bodysize here!  Use the fact that
                cipher.ciphertext.length has been adjusted to the
                correct length.  */
 +            if (plain.length < 16 + ec) {
 +                free(plain.data);
 +                goto defective;
 +            }
             althdr = (unsigned char *)plain.data + plain.length - 16;
             if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
                 || althdr[2] != ptr[2]
                 || althdr[3] != ptr[3]
 +                || load_16_be(althdr+4) != ec
                 || memcmp(althdr+8, ptr+8, 8)) {
                 free(plain.data);
                 goto defective;
 diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c
 index 333ee12..f8e90c3 100644
 --- a/src/lib/gssapi/krb5/k5sealv3iov.c
 +++ b/src/lib/gssapi/krb5/k5sealv3iov.c
@@ -402,9 +402,10 @@ gss_krb5int_unseal_v3_iov(krb5_context context,
             if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
                 || althdr[2] != ptr[2]
                 || althdr[3] != ptr[3]
 +                || load_16_be(althdr + 4) != ec
                 || memcmp(althdr + 8, ptr + 8, 8) != 0) {
                 *minor_status = 0;
 -                return GSS_S_BAD_SIG;
 +                return GSS_S_DEFECTIVE_TOKEN;
             }
         } else {
             /* Verify checksum: note EC is checksum size here, not padding */
 diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
 index 3ce2a90..6a6585d 100644
 --- a/src/lib/gssapi/krb5/k5unsealiov.c
 +++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -25,6 +25,7 @@
  */
 #include "k5-int.h"
 +#include "k5-der.h"
 #include "gssapiP_krb5.h"
 static OM_uint32
@@ -247,6 +248,73 @@ cleanup:
     return retval;
 }
 +/* Similar to k5_der_get_value(), but output an unchecked content length
 + * instead of a k5input containing the contents. */
 +static inline bool
 +get_der_tag(struct k5input *in, uint8_t idbyte, size_t *len_out)
 +{
 +    uint8_t lenbyte, i;
 +    size_t len;
 +
 +    /* Do nothing if in is empty or the next byte doesn't match idbyte. */
 +    if (in->status || in->len == 0 || *in->ptr != idbyte)
 +        return false;
 +
 +    /* Advance past the identifier byte and decode the length. */
 +    (void)k5_input_get_byte(in);
 +    lenbyte = k5_input_get_byte(in);
 +    if (lenbyte < 128) {
 +        len = lenbyte;
 +    } else {
 +        len = 0;
 +        for (i = 0; i < (lenbyte & 0x7F); i++) {
 +            if (len > (SIZE_MAX >> 8)) {
 +                k5_input_set_status(in, EOVERFLOW);
 +                return false;
 +            }
 +            len = (len << 8) | k5_input_get_byte(in);
 +        }
 +    }
 +
 +    if (in->status)
 +        return false;
 +
 +    *len_out = len;
 +    return true;
 +}
 +
 +/*
 + * Similar to g_verify_token_header() without toktype or flags, but do not read
 + * more than *header_len bytes of ASN.1 wrapper, and on output set *header_len
 + * to the remaining number of header bytes.  Verify the outer DER tag's length
 + * against token_len, which may be larger (but not smaller) than *header_len.
 + */
 +static gss_int32
 +verify_detached_wrapper(const gss_OID_desc *mech, size_t *header_len,
 +                        uint8_t **header_in, size_t token_len)
 +{
 +    struct k5input in, mech_der;
 +    gss_OID_desc toid;
 +    size_t len;
 +
 +    k5_input_init(&in, *header_in, *header_len);
 +
 +    if (get_der_tag(&in, 0x60, &len)) {
 +        if (len != token_len - (in.ptr - *header_in))
 +            return G_BAD_TOK_HEADER;
 +        if (!k5_der_get_value(&in, 0x06, &mech_der))
 +            return G_BAD_TOK_HEADER;
 +        toid.elements = (uint8_t *)mech_der.ptr;
 +        toid.length = mech_der.len;
 +        if (!g_OID_equal(&toid, mech))
 +            return G_WRONG_MECH;
 +    }
 +
 +    *header_in = (uint8_t *)in.ptr;
 +    *header_len = in.len;
 +    return 0;
 +}
 +
 /*
  * Caller must provide TOKEN | DATA | PADDING | TRAILER, except
  * for DCE in which case it can just provide TOKEN | DATA (must
@@ -267,8 +335,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
     gss_iov_buffer_t header;
     gss_iov_buffer_t padding;
     gss_iov_buffer_t trailer;
 -    size_t input_length;
 -    unsigned int bodysize;
 +    size_t input_length, hlen;
     int toktype2;
     header = kg_locate_header_iov(iov, iov_count, toktype);
@@ -298,15 +365,14 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
             input_length += trailer->buffer.length;
     }
 -    code = g_verify_token_header(ctx->mech_used,
 -                                 &bodysize, &ptr, -1,
 -                                 input_length, 0);
 +    hlen = header->buffer.length;
 +    code = verify_detached_wrapper(ctx->mech_used, &hlen, &ptr, input_length);
     if (code != 0) {
         *minor_status = code;
         return GSS_S_DEFECTIVE_TOKEN;
     }
 -    if (bodysize < 2) {
 +    if (hlen < 2) {
         *minor_status = (OM_uint32)G_BAD_TOK_HEADER;
         return GSS_S_DEFECTIVE_TOKEN;
     }
@@ -314,7 +380,7 @@ kg_unseal_iov_token(OM_uint32 *minor_status,
     toktype2 = load_16_be(ptr);
     ptr += 2;
 -    bodysize -= 2;
 +    hlen -= 2;
     switch (toktype2) {
     case KG2_TOK_MIC_MSG:
 diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c
 index fb8fe55..d1f019f 100644
 --- a/src/tests/gssapi/t_invalid.c
 +++ b/src/tests/gssapi/t_invalid.c
@@ -36,31 +36,41 @@
  *
  * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a
  *    null pointer dereference.  (The token must use SEAL_ALG_NONE or it will
 - *    be rejected.)
 + *    be rejected.)  This vulnerability also applies to IOV unwrap.
  *
 - * 2. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
 + * 2. A CFX wrap token with a different value of EC between the plaintext and
 + *    encrypted copies will be erroneously accepted, which allows a message
 + *    truncation attack.  This vulnerability also applies to IOV unwrap.
 + *
 + * 3. A CFX wrap token with a plaintext length fewer than 16 bytes causes an
 + *    access before the beginning of the input buffer, possibly leading to a
 + *    crash.
 + *
 + * 4. A CFX wrap token with a plaintext EC value greater than the plaintext
 + *    length - 16 causes an integer underflow when computing the result length,
 + *    likely causing a crash.
 + *
 + * 5. An IOV unwrap operation will overrun the header buffer if an ASN.1
 + *    wrapper longer than the header buffer is present.
 + *
 + * 6. A pre-CFX wrap or MIC token with fewer than 24 bytes after the ASN.1
  *    header causes an input buffer overrun, usually leading to either a segv
  *    or a GSS_S_DEFECTIVE_TOKEN error due to garbage algorithm, filler, or
 - *    sequence number values.
 + *    sequence number values.  This vulnerability also applies to IOV unwrap.
  *
 - * 3. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
 + * 7. A pre-CFX wrap token with fewer than 16 + cksumlen bytes after the ASN.1
  *    header causes an integer underflow when computing the ciphertext length,
  *    leading to an allocation error on 32-bit platforms or a segv on 64-bit
  *    platforms.  A pre-CFX MIC token of this size causes an input buffer
  *    overrun when comparing the checksum, perhaps leading to a segv.
  *
 - * 4. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
 + * 8. A pre-CFX wrap token with fewer than conflen + padlen bytes in the
  *    ciphertext (where padlen is the last byte of the decrypted ciphertext)
  *    causes an integer underflow when computing the original message length,
  *    leading to an allocation error.
  *
 - * 5. In the mechglue, truncated encapsulation in the initial context token can
 + * 9. In the mechglue, truncated encapsulation in the initial context token can
  *    cause input buffer overruns in gss_accept_sec_context().
 - *
 - * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with
 - * fewer than 16 bytes after the ASN.1 header will be rejected.
 - * Vulnerabilities #2 and #5 can only be robustly detected using a
 - * memory-checking environment such as valgrind.
  */
 #include "k5-int.h"
@@ -98,16 +108,24 @@ struct test {
 };
 /* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key. */
 +static void *
 +ealloc(size_t len)
 +{
 +    void *ptr = calloc(len, 1);
 +
 +    if (ptr == NULL)
 +        abort();
 +    return ptr;
 +}
 +
 +/* Fake up enough of a CFX GSS context for gss_unwrap, using an AES key.
 + * The context takes ownership of subkey. */
 static gss_ctx_id_t
 -make_fake_cfx_context()
 +make_fake_cfx_context(krb5_key subkey)
 {
     gss_union_ctx_id_t uctx;
     krb5_gss_ctx_id_t kgctx;
 -    krb5_keyblock kb;
 -
 -    kgctx = calloc(1, sizeof(*kgctx));
 -    if (kgctx == NULL)
 -        abort();
 +    kgctx = ealloc(sizeof(*kgctx));
     kgctx->established = 1;
     kgctx->proto = 1;
     if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
@@ -116,15 +134,10 @@ make_fake_cfx_context()
     kgctx->sealalg = -1;
     kgctx->signalg = -1;
 -    kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
 -    kb.length = 16;
 -    kb.contents = (unsigned char *)"1234567887654321";
 -    if (krb5_k_create_key(NULL, &kb, &kgctx->subkey) != 0)
 -        abort();
 +    kgctx->subkey = subkey;
 +    kgctx->cksumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
 -    uctx = calloc(1, sizeof(*uctx));
 -    if (uctx == NULL)
 -        abort();
 +    uctx = ealloc(sizeof(*uctx));
     uctx->mech_type = &mech_krb5;
     uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
     return (gss_ctx_id_t)uctx;
@@ -138,9 +151,7 @@ make_fake_context(const struct test *test)
     krb5_gss_ctx_id_t kgctx;
     krb5_keyblock kb;
 -    kgctx = calloc(1, sizeof(*kgctx));
 -    if (kgctx == NULL)
 -        abort();
 +    kgctx = ealloc(sizeof(*kgctx));
     kgctx->established = 1;
     if (g_seqstate_init(&kgctx->seqstate, 0, 0, 0, 0) != 0)
         abort();
@@ -162,9 +173,7 @@ make_fake_context(const struct test *test)
     if (krb5_k_create_key(NULL, &kb, &kgctx->enc) != 0)
         abort();
 -    uctx = calloc(1, sizeof(*uctx));
 -    if (uctx == NULL)
 -        abort();
 +    uctx = ealloc(sizeof(*uctx));
     uctx->mech_type = &mech_krb5;
     uctx->internal_ctx_id = (gss_ctx_id_t)kgctx;
     return (gss_ctx_id_t)uctx;
@@ -194,9 +203,7 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
     assert(mech_krb5.length == 9);
     assert(len + 11 < 128);
 -    wrapped = malloc(len + 13);
 -    if (wrapped == NULL)
 -        abort();
 +    wrapped = ealloc(len + 13);
     wrapped[0] = 0x60;
     wrapped[1] = len + 11;
     wrapped[2] = 0x06;
@@ -207,6 +214,18 @@ make_token(unsigned char *token, size_t len, gss_buffer_t out)
     out->value = wrapped;
 }
 +/* Create a 16-byte header for a CFX confidential wrap token to be processed by
 + * the fake CFX context. */
 +static void
 +write_cfx_header(uint16_t ec, uint8_t *out)
 +{
 +    memset(out, 0, 16);
 +    store_16_be(KG2_TOK_WRAP_MSG, out);
 +    out[2] = FLAG_WRAP_CONFIDENTIAL;
 +    out[3] = 0xFF;
 +    store_16_be(ec, out + 4);
 +}
 +
 /* Unwrap a superficially valid RFC 1964 token with a CFX-only context, with
  * regular and IOV unwrap. */
 static void
@@ -238,6 +257,134 @@ test_bogus_1964_token(gss_ctx_id_t ctx)
     free(in.value);
 }
 +static void
 +test_cfx_altered_ec(gss_ctx_id_t ctx, krb5_key subkey)
 +{
 +    OM_uint32 major, minor;
 +    uint8_t tokbuf[128], plainbuf[24];
 +    krb5_data plain;
 +    krb5_enc_data cipher;
 +    gss_buffer_desc in, out;
 +    gss_iov_buffer_desc iov[2];
 +
 +    /* Construct a header with a plaintext EC value of 3. */
 +    write_cfx_header(3, tokbuf);
 +
 +    /* Encrypt a plaintext and a copy of the header with the EC value 0. */
 +    memcpy(plainbuf, "truncate", 8);
 +    memcpy(plainbuf + 8, tokbuf, 16);
 +    store_16_be(0, plainbuf + 12);
 +    plain = make_data(plainbuf, 24);
 +    cipher.ciphertext.data = (char *)tokbuf + 16;
 +    cipher.ciphertext.length = sizeof(tokbuf) - 16;
 +    cipher.enctype = subkey->keyblock.enctype;
 +    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
 +                       &plain, &cipher) != 0)
 +        abort();
 +
 +    /* Verify that the token is rejected by gss_unwrap(). */
 +    in.value = tokbuf;
 +    in.length = 16 + cipher.ciphertext.length;
 +    major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
 +    if (major != GSS_S_DEFECTIVE_TOKEN)
 +        abort();
 +    (void)gss_release_buffer(&minor, &out);
 +
 +    /* Verify that the token is rejected by gss_unwrap_iov(). */
 +    iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
 +    iov[0].buffer = in;
 +    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
 +    major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
 +    if (major != GSS_S_DEFECTIVE_TOKEN)
 +        abort();
 +}
 +
 +static void
 +test_cfx_short_plaintext(gss_ctx_id_t ctx, krb5_key subkey)
 +{
 +    OM_uint32 major, minor;
 +    uint8_t tokbuf[128], zerobyte = 0;
 +    krb5_data plain;
 +    krb5_enc_data cipher;
 +    gss_buffer_desc in, out;
 +
 +    write_cfx_header(0, tokbuf);
 +
 +    /* Encrypt a single byte, with no copy of the header. */
 +    plain = make_data(&zerobyte, 1);
 +    cipher.ciphertext.data = (char *)tokbuf + 16;
 +    cipher.ciphertext.length = sizeof(tokbuf) - 16;
 +    cipher.enctype = subkey->keyblock.enctype;
 +    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
 +                       &plain, &cipher) != 0)
 +        abort();
 +
 +    /* Verify that the token is rejected by gss_unwrap(). */
 +    in.value = tokbuf;
 +    in.length = 16 + cipher.ciphertext.length;
 +    major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
 +    if (major != GSS_S_DEFECTIVE_TOKEN)
 +        abort();
 +    (void)gss_release_buffer(&minor, &out);
 +}
 +
 +static void
 +test_cfx_large_ec(gss_ctx_id_t ctx, krb5_key subkey)
 +{
 +    OM_uint32 major, minor;
 +    uint8_t tokbuf[128] = { 0 }, plainbuf[20];
 +    krb5_data plain;
 +    krb5_enc_data cipher;
 +    gss_buffer_desc in, out;
 +
 +    /* Construct a header with an EC value of 5. */
 +    write_cfx_header(5, tokbuf);
 +
 +    /* Encrypt a 4-byte plaintext plus the header. */
 +    memcpy(plainbuf, "abcd", 4);
 +    memcpy(plainbuf + 4, tokbuf, 16);
 +    plain = make_data(plainbuf, 20);
 +    cipher.ciphertext.data = (char *)tokbuf + 16;
 +    cipher.ciphertext.length = sizeof(tokbuf) - 16;
 +    cipher.enctype = subkey->keyblock.enctype;
 +    if (krb5_k_encrypt(NULL, subkey, KG_USAGE_INITIATOR_SEAL, NULL,
 +                       &plain, &cipher) != 0)
 +        abort();
 +
 +    /* Verify that the token is rejected by gss_unwrap(). */
 +    in.value = tokbuf;
 +    in.length = 16 + cipher.ciphertext.length;
 +    major = gss_unwrap(&minor, ctx, &in, &out, NULL, NULL);
 +    if (major != GSS_S_DEFECTIVE_TOKEN)
 +        abort();
 +    (void)gss_release_buffer(&minor, &out);
 +}
 +
 +static void
 +test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
 +{
 +    OM_uint32 minor, major;
 +    uint8_t databuf[10] = { 0 };
 +    gss_iov_buffer_desc iov[2];
 +
 +    /*
 +     * In this IOV array, the header contains a DER tag with a dangling eight
 +     * bytes of length field.  The data IOV indicates a total token length
 +     * sufficient to contain the length bytes.
 +     */
 +    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
 +    iov[0].buffer.value = ealloc(2);
 +    iov[0].buffer.length = 2;
 +    memcpy(iov[0].buffer.value, "\x60\x88", 2);
 +    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
 +    iov[1].buffer.value = databuf;
 +    iov[1].buffer.length = 10;
 +    major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
 +    if (major != GSS_S_DEFECTIVE_TOKEN)
 +        abort();
 +    free(iov[0].buffer.value);
 +}
 +
 /* Process wrap and MIC tokens with incomplete headers. */
 static void
 test_short_header(gss_ctx_id_t ctx)
@@ -387,9 +534,7 @@ try_accept(void *value, size_t len)
     gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
     /* Copy the provided value to make input overruns more obvious. */
 -    in.value = malloc(len);
 -    if (in.value == NULL)
 -        abort();
 +    in.value = ealloc(len);
     memcpy(in.value, value, len);
     in.length = len;
     (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in,
@@ -424,11 +569,23 @@ test_short_encapsulation()
 int
 main(int argc, char **argv)
 {
 +    krb5_keyblock kb;
 +    krb5_key cfx_subkey;
     gss_ctx_id_t ctx;
     size_t i;
 -    ctx = make_fake_cfx_context();
 +    kb.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
 +    kb.length = 16;
 +    kb.contents = (unsigned char *)"1234567887654321";
 +    if (krb5_k_create_key(NULL, &kb, &cfx_subkey) != 0)
 +        abort();
 +
 +    ctx = make_fake_cfx_context(cfx_subkey);
     test_bogus_1964_token(ctx);
 +    test_cfx_altered_ec(ctx, cfx_subkey);
 +    test_cfx_short_plaintext(ctx, cfx_subkey);
 +    test_cfx_large_ec(ctx, cfx_subkey);
 +    test_iov_large_asn1_wrapper(ctx);
     free_fake_context(ctx);
     for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
 -- 
 2.33.0
--- a/krb5-cve-2022-42898.patch
+++ b/krb5-cve-2022-42898.patch
@ -0,0 +1,84 @@
 From ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 17 Oct 2022 20:25:11 -0400
 Subject: [PATCH] Fix integer overflows in PAC parsing
 In krb5_parse_pac(), check for buffer counts large enough to threaten
 integer overflow in the header length and memory length calculations.
 Avoid potential integer overflows when checking the length of each
 buffer.  Credit to OSS-Fuzz for discovering one of the issues.
 CVE-2022-42898:
 In MIT krb5 releases 1.8 and later, an authenticated attacker may be
 able to cause a KDC or kadmind process to crash by reading beyond the
 bounds of allocated memory, creating a denial of service.  A
 privileged attacker may similarly be able to cause a Kerberos or GSS
 application service to crash.  On 32-bit platforms, an attacker can
 also cause insufficient memory to be allocated for the result,
 potentially leading to remote code execution in a KDC, kadmind, or GSS
 or Kerberos application server process.  An attacker with the
 privileges of a cross-realm KDC may be able to extract secrets from a
 KDC process's memory by having them copied into the PAC of a new
 ticket.
 ticket: 9074 (new)
 tags: pullup
 target_version: 1.20-next
 target_version: 1.19-next
 ---
 src/lib/krb5/krb/pac.c   |  9 +++++++--
 src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
 diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
 index 2f1df8d42..f6c4373de 100644
 --- a/src/lib/krb5/krb/pac.c
 +++ b/src/lib/krb5/krb/pac.c
 *** 26,31 ****
 --- 26,32 ----
  #include "k5-int.h"
  #include "authdata.h"
 + #define MAX_BUFFERS 4096
  /* draft-brezak-win2k-krb-authz-00 */
 diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
 index 0b1b1f056..173bde7ba 100644
 --- a/src/lib/krb5/krb/t_pac.c
 +++ b/src/lib/krb5/krb/t_pac.c
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
     0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
 };
 +static const unsigned char fuzz1[] = {
 +    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
 +    0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
 +};
 +
 +static const unsigned char fuzz2[] = {
 +    0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
 +    0x20, 0x20
 +};
 +
 static const char *s4u_principal = "w2k8u@ACME.COM";
 static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
@@ -828,6 +838,14 @@ main(int argc, char **argv)
         krb5_free_principal(context, sep);
     }
 +    /* Check problematic PACs found by fuzzing. */
 +    ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
 +    if (!ret)
 +        err(context, ret, "krb5_pac_parse should have failed");
 +    ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
 +    if (!ret)
 +        err(context, ret, "krb5_pac_parse should have failed");
 +
     /*
      * Test empty free
      */
 -- 
 2.32.0.windows.1
--- a/krb5.patch
+++ b/krb5.patch
--- a/og-cmake.patch
+++ b/og-cmake.patch
@ -0,0 +1,293 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/cmake/src/set_thirdparty_path.cmake opengauss_server_600_edit/cmake/src/set_thirdparty_path.cmake
 *** opengauss_server_600/cmake/src/set_thirdparty_path.cmake	2024-11-19 20:01:27.693621300 +0800
 --- opengauss_server_600_edit/cmake/src/set_thirdparty_path.cmake	2024-11-21 20:14:05.645621300 +0800
 ***************
 *** 36,105 ****
  set(LIB_UNIFIED_SUPPORT comm)
  set(MEMCHECK_BUILD_TYPE debug)
  set(DEPENDENCY_PATH ${3RD_PATH}/kernel/dependency)
 ! set(PLATFORM_PATH ${3RD_PATH}/kernel/platform)
 ! set(BUILDTOOLS_PATH ${3RD_PATH}/buildtools)
 ! set(COMPONENT_PATH ${3RD_PATH}/kernel/component)
 ! 
 ! set(CJSON_HOME ${DEPENDENCY_PATH}/cjson/${SUPPORT_LLT})
 ! set(ETCD_HOME ${DEPENDENCY_PATH}/etcd/${LIB_UNIFIED_SUPPORT})
 ! set(EVENT_HOME ${DEPENDENCY_PATH}/event/${LIB_UNIFIED_SUPPORT})
 ! set(FIO_HOME ${DEPENDENCY_PATH}/fio/${SUPPORT_LLT})
 ! set(IPERF_HOME ${DEPENDENCY_PATH}/iperf/${LIB_UNIFIED_SUPPORT})
  if("${VERSION_TYPE}" STREQUAL "debug" OR "${VERSION_TYPE}" STREQUAL "memcheck")
      set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/debug${JEMALLOC_SUPPORT_LLT})
  else()
      set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/${VERSION_TYPE}${JEMALLOC_SUPPORT_LLT})
  endif()
  set(KERBEROS_HOME ${DEPENDENCY_PATH}/kerberos/${SUPPORT_LLT})
 - set(KMC_HOME ${PLATFORM_PATH}/kmc/${LIB_UNIFIED_SUPPORT})
 - set(CGROUP_HOME ${DEPENDENCY_PATH}/libcgroup/${SUPPORT_LLT})
 - set(CURL_HOME ${DEPENDENCY_PATH}/libcurl/${SUPPORT_LLT})
 - set(EDIT_HOME ${DEPENDENCY_PATH}/libedit/${SUPPORT_LLT})
 - set(OBS_HOME ${DEPENDENCY_PATH}/libobs/${LIB_UNIFIED_SUPPORT})
 - set(XML2_HOME ${DEPENDENCY_PATH}/libxml2/${SUPPORT_LLT})
 - set(LLVM_HOME ${DEPENDENCY_PATH}/llvm/${LIB_UNIFIED_SUPPORT})
 - set(LZ4_HOME ${DEPENDENCY_PATH}/lz4/${SUPPORT_LLT})
 - set(NANOMSG_HOME ${DEPENDENCY_PATH}/nng/${LIB_UNIFIED_SUPPORT})
 - set(NCURSES_HOME ${DEPENDENCY_PATH}/ncurses/${SUPPORT_LLT})
 - set(AWSSDK_HOME ${DEPENDENCY_PATH}/aws-sdk-cpp/${SUPPORT_LLT})
  if(($ENV{WITH_TASSL}) STREQUAL "YES")
      set(OPENSSL_HOME ${DEPENDENCY_PATH}/tassl/${LIB_UNIFIED_SUPPORT})
  else()
      set(OPENSSL_HOME ${DEPENDENCY_PATH}/openssl/${LIB_UNIFIED_SUPPORT})
  endif()
 ! set(PLJAVA_HOME ${DEPENDENCY_PATH}/pljava/${LIB_UNIFIED_SUPPORT})
 ! if (EXISTS "${PLATFORM_PATH}/openjdk8/${BUILD_TUPLE}/jdk")
 !   set(JAVA_HOME ${PLATFORM_PATH}/openjdk8/${BUILD_TUPLE}/jdk)
  else()
 !   set(JAVA_HOME ${PLATFORM_PATH}/huaweijdk8/${BUILD_TUPLE}/jdk)
  endif()
  set(ZLIB_HOME ${DEPENDENCY_PATH}/zlib1.2.11/${SUPPORT_LLT})
  set(XGBOOST_HOME ${DEPENDENCY_PATH}/xgboost/${SUPPORT_LLT})
 - set(ZSTD_HOME ${DEPENDENCY_PATH}/zstd)
 - set(LICENSE_HOME ${PLATFORM_PATH}/AdaptiveLM_C_V100R005C01SPC002/${SUPPORT_LLT})
 - set(HOTPATCH_HOME ${PLATFORM_PATH}/hotpatch)
 - set(SECURE_HOME ${PLATFORM_PATH}/Huawei_Secure_C/${LIB_UNIFIED_SUPPORT})
 - set(SECUREDYNAMICLIB_HOME ${PLATFORM_PATH}/Huawei_Secure_C/Dynamic_Lib)
 - set(DCF_HOME ${COMPONENT_PATH}/dcf)
 - set(DMS_HOME ${COMPONENT_PATH}/dms)
 - set(DSS_HOME ${COMPONENT_PATH}/dss)
 - 
 - set(MOCKCPP_HOME ${BUILDTOOLS_PATH}/mockcpp/${LIB_UNIFIED_SUPPORT})
 - set(GTEST_HOME ${BUILDTOOLS_PATH}/gtest/${LIB_UNIFIED_SUPPORT})
 - set(MASSTREE_HOME ${BUILDTOOLS_PATH}/masstree/${LIB_UNIFIED_SUPPORT})
 - set(NUMA_HOME ${DEPENDENCY_PATH}/numactl/${SUPPORT_LLT})
 - set(BOOST_HOME ${DEPENDENCY_PATH}/boost/${SUPPORT_LLT})
 - set(ODBC_HOME ${DEPENDENCY_PATH}/unixodbc)
 - set(MASSTREE_HOME ${DEPENDENCY_PATH}/masstree/${LIB_UNIFIED_SUPPORT})
 - set(LCOV_HOME ${BUILDTOOLS_PATH}/gcc${GCC_VERSION_LIT}/gcc/lib/gcc/${HOST_TUPLE})
 - set(GCC_LIB_PATH $ENV{GCC_INSTALL_HOME})
 - set(MEMCHECK_LIB_PATH $ENV{GCC_INSTALL_HOME}/lib64/)
 - if("${GCC_LIB_PATH}" STREQUAL "")
 -     set(GCC_LIB_PATH ${BUILDTOOLS_PATH}/gcc${GCC_VERSION_LIT}/gcc)
 -     set(MEMCHECK_HOME ${DEPENDENCY_PATH}/memcheck/${MEMCHECK_BUILD_TYPE})
 -     set(MEMCHECK_LIB_PATH ${MEMCHECK_HOME}/gcc${GCC_VERSION}/lib/)
 - endif()
  #############################################################################
  # lcov
 --- 36,67 ----
  set(LIB_UNIFIED_SUPPORT comm)
  set(MEMCHECK_BUILD_TYPE debug)
  set(DEPENDENCY_PATH ${3RD_PATH}/kernel/dependency)
 ! 
  if("${VERSION_TYPE}" STREQUAL "debug" OR "${VERSION_TYPE}" STREQUAL "memcheck")
      set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/debug${JEMALLOC_SUPPORT_LLT})
  else()
      set(JEMALLOC_HOME ${DEPENDENCY_PATH}/jemalloc/${VERSION_TYPE}${JEMALLOC_SUPPORT_LLT})
  endif()
  set(KERBEROS_HOME ${DEPENDENCY_PATH}/kerberos/${SUPPORT_LLT})
  if(($ENV{WITH_TASSL}) STREQUAL "YES")
      set(OPENSSL_HOME ${DEPENDENCY_PATH}/tassl/${LIB_UNIFIED_SUPPORT})
  else()
      set(OPENSSL_HOME ${DEPENDENCY_PATH}/openssl/${LIB_UNIFIED_SUPPORT})
  endif()
 ! execute_process(
 !     COMMAND bash -c "readlink -f $(which java) | sed 's:/jre/bin/java::'"
 !     OUTPUT_VARIABLE JAVA_HOME_PATH
 !     OUTPUT_STRIP_TRAILING_WHITESPACE
 ! )
 ! if(JAVA_HOME_PATH)
 !     message(STATUS "Detected JAVA_HOME: ${JAVA_HOME_PATH}")
 !     set(JAVA_HOME ${JAVA_HOME_PATH})
  else()
 !     message(FATAL_ERROR "Unable to detect JAVA_HOME")
  endif()
  set(ZLIB_HOME ${DEPENDENCY_PATH}/zlib1.2.11/${SUPPORT_LLT})
  set(XGBOOST_HOME ${DEPENDENCY_PATH}/xgboost/${SUPPORT_LLT})
  #############################################################################
  # lcov
 ***************
 *** 209,230 ****
  #############################################################################
  # obs component
  #############################################################################
 - set(LIBOBS_INCLUDE_PATH ${OBS_HOME}/include)
 - set(LIBOBS_LIB_PATH ${OBS_HOME}/lib)
  #############################################################################
  # xml2 component
  #############################################################################
 ! set(LIBXML_INCLUDE_PATH ${XML2_HOME}/include)
 ! set(LIBXML_LIB_PATH ${XML2_HOME}/lib)
  #############################################################################
  # llvm component
  #############################################################################
 ! set(LIBLLVM_BIN_PATH ${LLVM_HOME}/bin)
 ! set(LIBLLVM_INCLUDE_PATH ${LLVM_HOME}/include)
 ! set(LIBLLVM_LIB_PATH ${LLVM_HOME}/lib)
 ! set(LLVM_CONFIG ${LIBLLVM_BIN_PATH}/llvm-config)
  #############################################################################
  # lz4 component
 --- 171,187 ----
  #############################################################################
  # obs component
  #############################################################################
  #############################################################################
  # xml2 component
  #############################################################################
 ! set(LIBXML_INCLUDE_PATH /usr/include)
 ! set(LIBXML_LIB_PATH /usr/lib64)
  #############################################################################
  # llvm component
  #############################################################################
 ! 
  #############################################################################
  # lz4 component
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/CMakeLists.txt opengauss_server_600_edit/src/CMakeLists.txt
 *** opengauss_server_600/src/CMakeLists.txt	2024-11-19 20:01:27.693621300 +0800
 --- opengauss_server_600_edit/src/CMakeLists.txt	2024-11-21 20:14:05.841621300 +0800
 ***************
 *** 176,297 ****
  install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/common/config/cm_config.h DESTINATION include)
  # special
 - install(CODE "execute_process(
 -     COMMAND rm ${prefix_home}/include/pg_config_os.h
 -     COMMAND rm ${prefix_home}/include/postgresql/server/pg_config_os.h)"
 - )
 - install(CODE "execute_process(
 -     COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/include/port/linux.h ${prefix_home}/include/pg_config_os.h
 -     COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/include/port/linux.h ${prefix_home}/include/postgresql/server/pg_config_os.h
 -     COMMAND cp ${CMAKE_CURRENT_SOURCE_DIR}/include/cm/libpq-fe.h ${prefix_home}/include/cm-libpq-fe.h)"
 - )
 - 
  # open source install part
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 -     install(DIRECTORY ${JAVA_HOME}/jre/ DESTINATION jre FILE_PERMISSIONS OWNER_EXECUTE GROUP_EXECUTE OWNER_READ GROUP_READ)
 - endif()
 - 
 - if("${ENABLE_MULTIPLE_NODES}" STREQUAL "OFF")
 -     install(DIRECTORY ${DCF_LIB_PATH} DESTINATION .)
 - endif()
 - if(${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF AND NOT ${ENABLE_LITE_MODE} STREQUAL ON)
 -     if(EXISTS ${DMS_LIB_PATH})
 -         install(DIRECTORY ${DMS_LIB_PATH} DESTINATION .)
 -     endif()
 -     if(EXISTS ${DSS_LIB_PATH})
 -         install(DIRECTORY ${DSS_LIB_PATH} DESTINATION .)
 -     endif()
 -     if(EXISTS ${DSS_BIN_PATH})
 -         install(DIRECTORY ${DSS_BIN_PATH} DESTINATION . FILE_PERMISSIONS OWNER_EXECUTE GROUP_EXECUTE WORLD_EXECUTE OWNER_READ GROUP_READ WORLD_READ OWNER_WRITE)
 -     endif()
 - endif()
 - 
 - install(DIRECTORY ${ZSTD_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE)
 - if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 -     install(DIRECTORY ${LIBOBS_LIB_PATH} DESTINATION .)
 -     install(DIRECTORY ${LIBOBS_INCLUDE_PATH} DESTINATION include/postgresql/server/access/obs)
 - endif()
 - install(DIRECTORY ${CJSON_LIB_PATH} DESTINATION .)
 - install(DIRECTORY ${CJSON_INCLUDE_PATH}/cjson DESTINATION include/postgresql/server)
 - if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
 -     install(DIRECTORY ${ETCD_BIN_PATH} DESTINATION .)
 -     install(DIRECTORY ${IPERF_LIB_PATH} DESTINATION .)
 - endif()
 - if(NOT ${ENABLE_LITE_MODE} STREQUAL ON)
 - if(NOT ${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF)
 -     install(DIRECTORY ${KMC_LIB_PATH} DESTINATION .)
 - endif()
 - endif()
 - install(DIRECTORY ${LIBCURL_LIB_PATH} DESTINATION .)
 - install(DIRECTORY ${AWSSDK_LIB_PATH} DESTINATION .)
 - if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
      install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
      install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
  endif()
 - install(DIRECTORY ${LZ4_LIB_PATH} DESTINATION .)
 - install(DIRECTORY ${LZ4_BIN_PATH} DESTINATION .)
 - install(DIRECTORY ${LIBOPENSSL_BIN_PATH} DESTINATION .)
 - install(DIRECTORY ${LIBOPENSSL_LIB_PATH} DESTINATION . PATTERN "*.a" EXCLUDE )
  install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
 - 
 - list(FIND MACRO_OPTIONS "-D__USE_NUMA" RET_NUMA)
 - if(NOT ${RET_NUMA} EQUAL -1)
 -     install(DIRECTORY ${NUMA_LIB_PATH} DESTINATION .)
 - endif()
 - 
 - if("${ENABLE_MOT}" STREQUAL "ON")
 - install(DIRECTORY ${MASSTREE_LIB_PATH} DESTINATION .)
 - install(CODE "execute_process(
 -      COMMAND cp ${GCC_LIB_PATH}/lib64/libatomic.so.1.2.0 ${prefix_home}/lib/libatomic.so.1.2.0
 -      COMMAND ln -fs libatomic.so.1.2.0 libatomic.so
 -      COMMAND ln -fs libatomic.so.1.2.0 libatomic.so.1
 -      WORKING_DIRECTORY ${prefix_home}/lib)"
 - )
 - install(CODE "message(\"-- Created symlink: libatomic.so -> libatomic.so.1.2.0\")")
 - install(CODE "message(\"-- Created symlink: libatomic.so.1 -> libatomic.so.1.2.0\")")
 - endif()
 - 
 - install(FILES ${SECUREDYNAMICLIB_HOME}/libsecurec.so DESTINATION lib)
 - install(FILES ${GCC_LIB_PATH}/lib64/libgcc_s.so.1 DESTINATION lib)
 - install(FILES ${GCC_LIB_PATH}/lib64/libgomp.so DESTINATION lib)
 - install(FILES ${GCC_LIB_PATH}/lib64/libgomp.so.1 DESTINATION lib)
 - install(FILES ${GCC_LIB_PATH}/lib64/libgomp.so.1.0.0 DESTINATION lib)
 - install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib)
 - if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 -     install(FILES ${PLJAVA_HOME}/lib/libpljava.so DESTINATION lib)
 -     install(FILES ${PLJAVA_HOME}/java/pljava.jar DESTINATION lib/postgresql/java)
 -     install(FILES ${PLJAVA_HOME}/udstools.py DESTINATION share/postgresql/tmp)
 - endif()
 - if(NOT ${ENABLE_MULTIPLE_NODES}_${ENABLE_PRIVATEGAUSS} STREQUAL OFF_OFF)
 -     if("${SUPPORT_HOTPATCH}" STREQUAL "yes")
 -         install(FILES ${LIBHOTPATCH_LIB_PATH}/libdoprapatch.a DESTINATION lib)
 -     endif()
 - endif()
 - 
 - if("${ENABLE_MOT}" STREQUAL "ON")
 -     install(DIRECTORY ${MASSTREE_LIB_PATH} DESTINATION .)
 -     install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
 -         FILES_MATCHING PATTERN "libatomic.so*")
 - endif()
 - 
 - install(FILES ${GCC_LIB_PATH}/lib64/libgcc_s.so.1 DESTINATION lib)
 - install(DIRECTORY ${GCC_LIB_PATH}/lib64/ DESTINATION lib
 -     FILES_MATCHING PATTERN "libgomp.so*")
 - 
 - install(CODE "execute_process(
 -      COMMAND cp ${GCC_LIB_PATH}/lib64/libstdc++.so.6.0.${LIBSTD_SUB_VERSION} ${prefix_home}/lib/libstdc++.so.6
 -      WORKING_DIRECTORY ${prefix_home}/lib)"
 - )
 - 
 - # install(DIRECTORY ${LIBCGROUP_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libcgroup.so*")
 - install(CODE "execute_process(
 - COMMAND cp ${LIBCGROUP_LIB_PATH}/libcgroup.so.1.0.42 ${prefix_home}/lib/libcgroup.so
 - COMMAND ln -fs libcgroup.so libcgroup.so.1
 - WORKING_DIRECTORY ${prefix_home}/lib)"
 - )
 - install(CODE "message(\"-- Created symlink: libcgroup.so.1 -> libcgroup.so\")")
  # fastcheck part
  install(FILES ${PROJECT_SRC_DIR}/test/regress/stub/roach_api_stub/roach_api_stub.control
      DESTINATION share/postgresql/extension/
 --- 176,190 ----
  install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/common/config/cm_config.h DESTINATION include)
  # special
  # open source install part
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
      install(DIRECTORY ${KERBEROS_SBIN_PATH}/ DESTINATION bin)
      install(DIRECTORY ${KERBEROS_BIN_PATH} DESTINATION .)
      install(DIRECTORY ${KERBEROS_LIB_PATH} DESTINATION .)
  endif()
  install(DIRECTORY ${ZLIB_LIB_PATH} DESTINATION . FILES_MATCHING PATTERN "libz.*")
 + install(FILES ${XGBOOST_LIB_PATH}/libxgboost.so DESTINATION lib)
  # fastcheck part
  install(FILES ${PROJECT_SRC_DIR}/test/regress/stub/roach_api_stub/roach_api_stub.control
      DESTINATION share/postgresql/extension/
--- a/og-delete-obs.patch
+++ b/og-delete-obs.patch
--- a/og-edit.patch
+++ b/og-edit.patch
@ -1,33 +0,0 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/bin/psql/startup.cpp openGauss-server-5.0.1-edit/src/bin/psql/startup.cpp
 *** openGauss-server-5.0.1/src/bin/psql/startup.cpp	2024-05-07 20:16:39.232795908 +0800
 --- openGauss-server-5.0.1-edit/src/bin/psql/startup.cpp	2024-05-07 20:17:58.501380445 +0800
 ***************
 *** 530,535 ****
 --- 530,539 ----
          pset.popt.topt.recordSep.separator_zero = false;
      }
 +     if (options.port == NULL) {
 +         options.port = GetEnvStr("PORT");
 +     }
 + 
      if (options.username == NULL)
          password_prompt = pg_strdup(_("Password: "));
      else {
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/gausskernel/dbmind/db4ai/executor/Makefile openGauss-server-5.0.1-edit/src/gausskernel/dbmind/db4ai/executor/Makefile
 *** openGauss-server-5.0.1/src/gausskernel/dbmind/db4ai/executor/Makefile	2024-05-07 20:16:39.632798858 +0800
 --- openGauss-server-5.0.1-edit/src/gausskernel/dbmind/db4ai/executor/Makefile	2024-05-07 20:17:58.897383365 +0800
 ***************
 *** 11,21 ****
  include $(top_builddir)/src/Makefile.global
 - PLATFORM_ARCH = $(shell uname -p)
 - ifeq ($(PLATFORM_ARCH),x86_64)
 -         override CPPFLAGS += -mavx
 - endif
 - 
  ifneq "$(MAKECMDGOALS)" "clean"
    ifneq "$(MAKECMDGOALS)" "distclean"
      ifneq "$(shell which g++ |grep hutaf_llt |wc -l)" "1"
 --- 11,16 ----
--- a/og-openssl3-adptor.patch
+++ b/og-openssl3-adptor.patch
@ -0,0 +1,111 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/common/interfaces/libpq/fe-secure.cpp opengauss_server_600_edit/src/common/interfaces/libpq/fe-secure.cpp
 *** opengauss_server_600/src/common/interfaces/libpq/fe-secure.cpp	2024-11-19 20:01:27.697621300 +0800
 --- opengauss_server_600_edit/src/common/interfaces/libpq/fe-secure.cpp	2024-11-19 20:04:07.461621300 +0800
 ***************
 *** 446,451 ****
 --- 446,454 ----
                      libpq_gettext("SSL error: %s, remote datanode %s, error: %s\n"),
                      errm, conn->remote_nodename, strerror(errno));
                  SSLerrfree(errm);
 + #ifdef ENABLE_OPENSSL3
 +                 REMEMBER_EPIPE(spinfo, errno == EPIPE);
 + #endif
                  /* assume the connection is broken */
                  result_errno = ECONNRESET;
                  n = -1;
 ***************
 *** 596,601 ****
 --- 599,607 ----
                      libpq_gettext("SSL error: %s, remote datanode %s, error: %s\n"), errm,
                      conn->remote_nodename, strerror(errno));
                  SSLerrfree(errm);
 + #ifdef ENABLE_OPENSSL3
 +                 REMEMBER_EPIPE(spinfo, errno == EPIPE);
 + #endif
                  /* assume the connection is broken */
                  result_errno = ECONNRESET;
                  n = -1;
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp
 *** opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp	2024-11-19 20:01:27.705621300 +0800
 --- opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_aead_aes_hmac_enc_key.cpp	2024-11-19 20:04:07.773621300 +0800
 ***************
 *** 47,52 ****
 --- 47,62 ----
  const int RAND_COUNT = 100;
 + #ifdef ENABLE_OPENSSL3
 + void HmacCtxGroup::free_hmac_ctx(HMAC_CTX** ctx_tmp) const
 + {
 +     if (*ctx_tmp != NULL) {
 +         HMAC_CTX_free(*ctx_tmp);
 +         *ctx_tmp = NULL;
 +     }
 + }
 + #endif
 + 
  /* Derives all the required keys from the given root key */
  AeadAesHamcEncKey::AeadAesHamcEncKey(unsigned char *root_key, size_t root_key_size)
  {
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp
 *** opengauss_server_600/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp	2024-11-19 20:01:27.705621300 +0800
 --- opengauss_server_600_edit/src/gausskernel/security/keymgr/encrypt/security_sm2_enc_key.cpp	2024-11-19 20:04:07.773621300 +0800
 ***************
 *** 163,174 ****
 --- 163,176 ----
          return CMKEM_EVP_ERR;
      }
 + #ifndef ENABLE_OPENSSL3
      ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
      if (ret != 1) {
          cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
          EVP_PKEY_free(public_evp_key);
          return CMKEM_EVP_ERR;
      }
 + #endif
      /* do cipher. */
      ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
 ***************
 *** 253,264 ****
 --- 255,268 ----
          return CMKEM_EVP_ERR;
      }
 + #ifndef ENABLE_OPENSSL3
      ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
      if (ret != 1) {
          cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
          EVP_PKEY_free(private_evp_key);
          return CMKEM_EVP_ERR;
      }
 + #endif
      /* do cipher. */
      ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h opengauss_server_600_edit/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h
 *** opengauss_server_600/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h	2024-11-19 20:01:27.721621300 +0800
 --- opengauss_server_600_edit/src/include/keymgr/encrypt/security_aead_aes_hamc_enc_key.h	2024-11-19 20:04:08.037621300 +0800
 ***************
 *** 49,54 ****
 --- 49,57 ----
      HMAC_CTX* ctx_worker;
      HMAC_CTX* ctx_template;
  private:
 + #ifdef ENABLE_OPENSSL3
 +     void free_hmac_ctx(HMAC_CTX** ctx_tmp) const;
 + #else
      void free_hmac_ctx(HMAC_CTX** ctx_tmp)
      {
          if (*ctx_tmp != NULL) {
 ***************
 *** 56,61 ****
 --- 59,65 ----
              *ctx_tmp = NULL;
          }
      }
 + #endif
  };
  /*
--- a/og-security.patch
+++ b/og-security.patch
@ -0,0 +1,64 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/bin/gs_persist/CMakeLists.txt opengauss_server_600_edit/src/bin/gs_persist/CMakeLists.txt
 *** opengauss_server_600/src/bin/gs_persist/CMakeLists.txt	2024-11-19 20:01:27.693621300 +0800
 --- opengauss_server_600_edit/src/bin/gs_persist/CMakeLists.txt	2024-11-19 20:04:07.089621300 +0800
 ***************
 *** 13,19 ****
  set(gssgpersist_DEF_OPTIONS ${MACRO_OPTIONS})
  set(gssgpersist_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS})
  set(gssgpersist_LINK_OPTIONS ${BIN_LINK_OPTIONS})
 ! set(gssgpersist_LINK_LIBS -lsecurec -ldl -lrt)
  if("${ENABLE_UT}" STREQUAL "ON")
      add_shared_libtarget(ut_gs_persist_lib tgt_gssgpersist_SRC tgt_gssgpersist_INC "${gssgpersist_DEF_OPTIONS}" "${gssgpersist_COMPILE_OPTIONS}" "${gssgpersist_LINK_OPTIONS}") 
 --- 13,19 ----
  set(gssgpersist_DEF_OPTIONS ${MACRO_OPTIONS})
  set(gssgpersist_COMPILE_OPTIONS ${OPTIMIZE_OPTIONS} ${OS_OPTIONS} ${PROTECT_OPTIONS} ${WARNING_OPTIONS} ${BIN_SECURE_OPTIONS} ${CHECK_OPTIONS})
  set(gssgpersist_LINK_OPTIONS ${BIN_LINK_OPTIONS})
 ! set(gssgpersist_LINK_LIBS -l${SECURE_C_CHECK} -ldl -lrt)
  if("${ENABLE_UT}" STREQUAL "ON")
      add_shared_libtarget(ut_gs_persist_lib tgt_gssgpersist_SRC tgt_gssgpersist_INC "${gssgpersist_DEF_OPTIONS}" "${gssgpersist_COMPILE_OPTIONS}" "${gssgpersist_LINK_OPTIONS}") 
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/common/interfaces/libpq/CMakeLists.txt opengauss_server_600_edit/src/common/interfaces/libpq/CMakeLists.txt
 *** opengauss_server_600/src/common/interfaces/libpq/CMakeLists.txt	2024-11-19 20:01:27.697621300 +0800
 --- opengauss_server_600_edit/src/common/interfaces/libpq/CMakeLists.txt	2024-11-19 20:04:07.441621300 +0800
 ***************
 *** 118,126 ****
  set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
  add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 !     target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss securec ssl)
  else()
 !     target_link_libraries(pq PRIVATE crypto securec ssl)
  endif()
  target_link_directories(pq PUBLIC 
      ${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH} ${SECURE_LIB_PATH} 
 --- 118,126 ----
  set(pq_LINK_OPTIONS ${LIB_LINK_OPTIONS})
  add_shared_libtarget(pq TGT_pq_SRC TGT_pq_INC "${pq_DEF_OPTIONS}" "${pq_COMPILE_OPTIONS}" "${pq_LINK_OPTIONS}")
  if(NOT "${ENABLE_LITE_MODE}" STREQUAL "ON")
 !     target_link_libraries(pq PRIVATE com_err_gauss crypto gssapi_krb5_gauss gssrpc_gauss k5crypto_gauss krb5_gauss krb5support_gauss ${SECURE_C_CHECK} ssl)
  else()
 !     target_link_libraries(pq PRIVATE crypto ${SECURE_C_CHECK} ssl)
  endif()
  target_link_directories(pq PUBLIC 
      ${LIBOPENSSL_LIB_PATH} ${KERBEROS_LIB_PATH} ${SECURE_LIB_PATH} 
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/security/keymgr/CMakeLists.txt opengauss_server_600_edit/src/gausskernel/security/keymgr/CMakeLists.txt
 *** opengauss_server_600/src/gausskernel/security/keymgr/CMakeLists.txt	2024-11-19 20:01:27.705621300 +0800
 --- opengauss_server_600_edit/src/gausskernel/security/keymgr/CMakeLists.txt	2024-11-19 20:04:07.773621300 +0800
 ***************
 *** 64,70 ****
  if("${ENABLE_KT}" STREQUAL "ON")
      add_dependencies(keymgr gs_ktool)
  endif()
 ! set(libkey_LINKS -lcjson -lcurl -lsecurec -lssl -lcrypto -ldl -lrt)
  if("${ENABLE_KT}" STREQUAL "ON")
      list(APPEND libkey_LINKS -lgs_ktool -lkmc)
  endif()
 --- 64,70 ----
  if("${ENABLE_KT}" STREQUAL "ON")
      add_dependencies(keymgr gs_ktool)
  endif()
 ! set(libkey_LINKS -lcjson -lcurl -l${SECURE_C_CHECK} -lssl -lcrypto -ldl -lrt)
  if("${ENABLE_KT}" STREQUAL "ON")
      list(APPEND libkey_LINKS -lgs_ktool -lkmc)
  endif()
--- a/og-syntax.patch
+++ b/og-syntax.patch
@ -0,0 +1,74 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/bin/pg_basebackup/pg_basebackup.cpp opengauss_server_600_edit/src/bin/pg_basebackup/pg_basebackup.cpp
 *** opengauss_server_600/src/bin/pg_basebackup/pg_basebackup.cpp	2024-11-19 20:01:27.697621300 +0800
 --- opengauss_server_600_edit/src/bin/pg_basebackup/pg_basebackup.cpp	2024-11-19 20:04:07.105621300 +0800
 ***************
 *** 1689,1695 ****
      struct dirent* ent;
      while (1) {
          ent = readdir(dir);
 !         if (ent <= 0) {
              break;
          }
          if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
 --- 1689,1695 ----
      struct dirent* ent;
      while (1) {
          ent = readdir(dir);
 !         if (ent == NULL) {
              break;
          }
          if ((strcmp(".", ent->d_name) == 0) || (strcmp("..", ent->d_name) == 0)) {
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/bin/pg_ctl/backup.cpp opengauss_server_600_edit/src/bin/pg_ctl/backup.cpp
 *** opengauss_server_600/src/bin/pg_ctl/backup.cpp	2024-11-19 20:01:27.697621300 +0800
 --- opengauss_server_600_edit/src/bin/pg_ctl/backup.cpp	2024-11-19 20:04:07.109621300 +0800
 ***************
 *** 1985,1991 ****
          }
          while (1) {
              de = readdir(dir);
 !             if (de <= 0) {
                  break;
              }
              if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
 --- 1985,1991 ----
          }
          while (1) {
              de = readdir(dir);
 !             if (de == NULL) {
                  break;
              }
              if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/gausskernel/runtime/opfusion/opfusion_util.cpp opengauss_server_600_edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp
 *** opengauss_server_600/src/gausskernel/runtime/opfusion/opfusion_util.cpp	2024-11-19 20:01:27.705621300 +0800
 --- opengauss_server_600_edit/src/gausskernel/runtime/opfusion/opfusion_util.cpp	2024-11-19 20:04:07.757621300 +0800
 ***************
 *** 446,452 ****
      /* check whether to have order by */
      if (node->aggstrategy != AGG_PLAIN ||
 !             node->groupingSets > 0) {
          return NOBYPASS_NOT_PLAIN_AGG;
      }
 --- 446,452 ----
      /* check whether to have order by */
      if (node->aggstrategy != AGG_PLAIN ||
 !             node->groupingSets != NULL) {
          return NOBYPASS_NOT_PLAIN_AGG;
      }
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' opengauss_server_600/src/include/gs_policy/policy_common.h opengauss_server_600_edit/src/include/gs_policy/policy_common.h
 *** opengauss_server_600/src/include/gs_policy/policy_common.h	2024-11-19 20:01:27.721621300 +0800
 --- opengauss_server_600_edit/src/include/gs_policy/policy_common.h	2024-11-19 20:04:08.029621300 +0800
 ***************
 *** 30,35 ****
 --- 30,37 ----
  #include "gs_map.h"
  #include "gs_vector.h"
  #include "pgaudit.h"
 + #include <vector>
 + #include <string>
  struct GsPolicyFQDN {
      GsPolicyFQDN():m_value_schema(0), m_value_object(0), is_function(false){}
--- a/openGauss-server-6.0.0.tar.gz
+++ b/openGauss-server-6.0.0.tar.gz
--- a/3
+++ b/3
@ -2,4 +2,5 @@ export GAUSSHOME=/usr/local/opengauss
 export LD_LIBRARY_PATH=/usr/local/opengauss/lib:$LD_LIBRARY_PATH
 export PATH=/usr/local/opengauss/bin:$PATH
 export PGDATA=/var/lib/opengauss/data
-export PORT=7654
+export PGPORT=7654
 export PGDATABASE=postgres
--- a/opengauss-server.spec
+++ b/opengauss-server.spec
@ -1,5 +1,7 @@
 %define zlib_name zlib
 %define zlib_version 1.2.12
 %define krb5_name krb5
 %define krb5_version 1.18.3-final
 %define xgboost_name xgboost
 %define xgboost_version v1.4.1
 %define dmlc_name dmlc-core
@ -7,44 +9,49 @@
 %define port 7654
 %define datapath /var/lib/opengauss
 %define apppath %{_prefix}/local/opengauss
-%define tmppath /var/lib/opengauss/pkg_5.0.1
+%define tmppath /var/lib/opengauss/pkg_6.0.0
 Name:           opengauss
-Version:        5.0.1
+Version:        6.0.0
-Release:        15
+Release:        16
 Summary:        openGauss is an open source relational database management system
 License:        MulanPSL-2.0 and MIT and BSD and zlib and TCL and Apache-2.0 and BSL-1.0
 URL:            https://gitee.com/opengauss/openGauss-server
 Source0:        openGauss-server-%{version}.tar.gz
-Source2:        %{zlib_name}-%{zlib_version}.tar.gz
+Source1:        %{zlib_name}-%{zlib_version}.tar.gz
 Source2:        %{krb5_name}-%{krb5_version}.tar.gz
 Source3:        %{dmlc_name}-%{dmlc_version}.tar.gz
 Source4:        %{xgboost_name}-%{xgboost_version}.tar.gz
 Source5:        opengauss-bashprofile
 Source6:        opengauss.service
 Source7:        autostart.sh
 Source8:        version.cfg
 Source9:        opengauss_upgrade_start.sh
 Source10:       opengauss_upgrade_common.sh
 Source11:       opengauss_upgrade_config.sh
 Source12:       opengauss_upgrade_errorcode.sh
-Patch0:         og-edit.patch
+Source20:       opengauss-bashprofile
-Patch1:         cmake_compile.patch
+Source21:       opengauss.service
-Patch2:         compile_2309.patch
+Source22:       autostart.sh
-Patch3:         openssl3-adptor.patch
+Source23:       version.cfg
-Patch4:         upgrade.patch
+Source24:       opengauss_upgrade_start.sh
-Patch20:        zlib.patch
+Source25:       opengauss_upgrade_common.sh
-Patch21:        zlib-CVE-2022-37434.patch
+Source26:       opengauss_upgrade_config.sh
 Source27:       opengauss_upgrade_errorcode.sh
 Patch0:         og-cmake.patch
 Patch1:         og-delete-obs.patch
 Patch2:         og-openssl3-adptor.patch
 Patch3:         og-security.patch
 Patch4:         og-syntax.patch
 Patch11:        zlib.patch
 Patch12:        zlib-CVE-2022-37434.patch
 Patch21:        krb5-backport-Add-a-simple-DER-support-header.patch
 Patch22:        krb5-backport-CVE-2024-37370-CVE-2024-37371-Fix-vulnerabilities-in-GSS-message-token-handling.patch
 Patch23:        krb5-cve-2022-42898.patch
 Patch24:        krb5-CVE-2023-36054.patch
 Patch25:        krb5.patch
 BuildRequires:  cmake gcc gcc-c++ openssl-devel python tar
-BuildRequires:  cjson lz4-devel zstd-devel boost-devel cjson-devel
+BuildRequires:  lz4-devel zstd-devel boost-devel cjson-devel
-BuildRequires:  libcgroup-devel libcurl-devel unixODBC-devel jemalloc-devel krb5-devel
+BuildRequires:  libcgroup-devel libcurl-devel unixODBC-devel jemalloc-devel
 BuildRequires:  java-1.8.0-openjdk-devel libedit-devel libaio-devel
-BuildRequires:  bison flex, DCF >= 5
+BuildRequires:  bison flex, DCF >= 6
-BuildRequires:  numactl-devel
+BuildRequires:  numactl-devel libxml2-devel xerces-c-devel pkgconfig(aws-cpp-sdk-core)
-%ifarch sw_64
+BuildRequires:  libatomic autoconf
 BuildRequires:  libatomic
 %endif
 %global _privatelibs lib(cjson|ecpg|z|pg|pq)\\.so*
 %global __provides_exclude %{_privatelibs}
@ -53,8 +60,8 @@ BuildRequires:  libatomic
 Requires: lz4-devel zstd-devel boost-devel cjson-devel tar
 Requires: libcgroup-devel libcurl-devel unixODBC-devel jemalloc-devel 
 Requires: java-1.8.0-openjdk-devel libedit-devel libaio-devel
-Requires: DCF >= 5, lsof
+Requires: DCF >= 6, lsof
-Requires: numactl-devel
+Requires: numactl-devel libxml2-devel xerces-c-devel aws-sdk-cpp
 %description
 openGauss kernel : openGauss is an open source relational database management system.
@ -63,28 +70,51 @@ openGauss kernel : openGauss is an open source relational database management sy
 %prep
 %setup -q -c -n %{name}-%{version}
 %setup -q -D -T -a 1
 %setup -q -D -T -a 2
 %setup -q -D -T -a 3
 %setup -q -D -T -a 4
 pushd openGauss-server-%{version} 
-
+%patch -P0 -p1
-
+%patch -P1 -p1
-%patch0 -p1
+%patch -P2 -p1
-%patch1 -p1
+%patch -P3 -p1
-%patch2 -p1
+%patch -P4 -p1
 %patch3 -p1
 %patch4 -p1
 popd
 pushd %{zlib_name}-%{zlib_version}
-%patch20 -p1
+%patch -P11 -p1
-%patch21 -p1
+%patch -P12 -p1
 popd
 pushd %{krb5_name}-%{krb5_name}-%{krb5_version}
 %patch -P21 -p1
 %patch -P22 -p1
 %patch -P23 -p1
 %patch -P24 -p1
 %patch -P25 -p1
 popd
 %build
 build_target=$(pwd)/binarylibs/kernel/dependency
 ########### build krb5 ###########
 pushd %{krb5_name}-%{krb5_name}-%{krb5_version}
 krb5_dir=${build_target}/kerberos/comm
 cd src
 autoconf; autoheader; sed -i 's/lcom_err/lcom_err_gauss/g' configure
 ./configure --prefix=${krb5_dir} LDFLAGS='-Wl,-z,relro,-z,now' CFLAGS='-fstack-protector-strong -fPIC' --disable-rpath --disable-pkinit --with-system-verto=no
 make -s %{?_smp_mflags}
 make install -s %{?_smp_mflags}
 rm -rf ${krb5_dir}/lib/pkgconfig
 rm -rf ${krb5_dir}/share
 rm -rf ${krb5_dir}/var
 popd
 ########### build zlib ###########
 pushd %{zlib_name}-%{zlib_version}
 zlib_dir=${build_target}/zlib1.2.11/comm
@ -138,16 +168,18 @@ popd
 ########### build opengauss ###########
 pushd openGauss-server-%{version}
 opengauss_source_dir=$(pwd)
-export ENABLE_LITE_MODE=ON
+export BUILD_TUPLE=$(uname -m)
 export DEBUG_TYPE=release
 export THIRD_BIN_PATH=${build_target}/../../../binarylibs
 export LD_LIBRARY_PATH=$THIRD_BIN_PATH/kernel/dependency/zlib1.2.11/comm/lib:$LD_LIBRARY_PATH
 export LD_LIBRARY_PATH=$THIRD_BIN_PATH/kernel/dependency/kerberos/comm/lib:$LD_LIBRARY_PATH
 export LD_LIBRARY_PATH=$THIRD_BIN_PATH/kernel/dependency/xgboost/comm/lib:$LD_LIBRARY_PATH
 export PREFIX_HOME=${opengauss_source_dir}/mppdb_temp_install
 mkdir -p tmp_build
 cd tmp_build
-cmake .. -DENABLE_MULTIPLE_NODES=OFF -DENABLE_PRIVATEGAUSS=OFF -DENABLE_THREAD_SAFETY=ON -DENABLE_LITE_MODE=ON -DENABLE_OPENEULER_MAJOR=ON -DWITH_OPENEULER_OS=ON
+cmake .. -DENABLE_MULTIPLE_NODES=OFF -DENABLE_THREAD_SAFETY=ON -DWITH_OPENEULER_OS=ON -DENABLE_OPENEULER_MAJOR=ON \
            -DENABLE_LLVM_COMPILE=OFF -DENABLE_OBS=OFF -DENABLE_OPENSSL3=ON
 make %{?_smp_mflags}
 make install
@ -161,35 +193,41 @@ mkdir -p %{buildroot}%{tmppath}/script
 # separate_debug_symbol.sh dir
 cd ${opengauss_source_dir}/build/script
 chmod +x ./separate_debug_information.sh
 sed -i '/"$BIN_DIR\/gaussdb\.map"/d' ./separate_debug_information.sh
 ./separate_debug_information.sh
 rm -rf ${opengauss_source_dir}/mppdb_temp_install/packages
 rm -rf ${opengauss_source_dir}/mppdb_temp_install/symbols
-function get_os_kernel() {
+# package
-    kernel=""
+os_name=$(cat /etc/os-release | grep -w NAME | awk -F '"' '{print $2}')
-    if [[ -f "/etc/euleros-release" ]]; then
+if [[ -f "/etc/openEuler-release" ]]; then
-        kernel=$(cat /etc/euleros-release | awk -F ' ' '{print $1}' | tr a-z A-Z)
+    os_name="openEuler"
-        if [[ "${kernel}" = "Euleros" ]]; then
+elif [[ -f "/etc/euleros-release" ]]; then
-        kernel="Euler"
+    os_name="EulerOS"
-        fi
+elif [[ -f "/etc/centos-release" ]]; then
-    elif [[ -f "/etc/openEuler-release" ]]; then
+    os_name="CentOS"
-        kernel=$(cat /etc/openEuler-release | awk -F ' ' '{print $1}')
+elif [[ -f "/etc/FusionOS-release" ]]; then
-    elif [[ -f "/etc/centos-release" ]]; then
+    os_name="FusionOS"
-        kernel=$(cat /etc/centos-release | awk -F ' ' '{print $1}')
+elif [[ -f "/etc/kylin-release" ]]; then
-    else
+    os_name="Kylin"
-        kernel=$(lsb_release -d | awk -F ' ' '{print $2}')
+elif [[ -f "/etc/asianux-release" ]]; then
-    fi
+    os_name="Asianux"
-}
+elif [[ -f "/etc/CSIOS-release" ]]; then
-get_os_kernel
+    os_name="CSIOS"
-platform_arch=$(uname -p)
+else
    os_name=$(lsb_release -d | awk -F ' ' '{print $2}'| tr A-Z a-z | sed 's/.*/\L&/; s/[a-z]*/\u&/g')
 fi
 os_version=$(cat /etc/os-release | grep -w VERSION_ID | awk -F '"' '{print $2}')
 platform_arch=$(uname -m)
 kernel_package_name=openGauss-Server-%{version}-${os_name}-${os_version}-${platform_arch}
 cd ${opengauss_source_dir}/mppdb_temp_install
-tar -zcf openGauss-Lite-%{version}-${kernel}-${platform_arch}.bin *
+tar -zcf ${kernel_package_name}.tar.bz2 *
-sha256sum openGauss-Lite-%{version}-${kernel}-${platform_arch}.bin | awk '{print $1}' > openGauss-Lite-%{version}-${kernel}-${platform_arch}.sha256
+sha256sum ${kernel_package_name}.tar.bz2 | awk '{print $1}' > ${kernel_package_name}.sha256
 # copy binarylibs packages to %{tmppath}
 cp -r ${opengauss_source_dir}/mppdb_temp_install/* %{buildroot}%{tmppath}
 sed -i "/wal_insert_status_entries/d" ${opengauss_source_dir}/build/script/opengauss_config_file_mini
 cp ${opengauss_source_dir}/build/script/opengauss_config_file_mini %{buildroot}%{tmppath}/share/postgresql/
 # make package upgrade sql
 cd ${opengauss_source_dir}/tmp_build
@ -204,23 +242,23 @@ fi
 cp -r upgrade_sql.tar.gz %{buildroot}%{tmppath}
 cp -r upgrade_sql.sha256 %{buildroot}%{tmppath}
 popd
 # opengauss datanode dir.
 install -d -m 700 $RPM_BUILD_ROOT%{?_localstatedir}/lib/opengauss/data
 # opengauss .bash_profile
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{?_localstatedir}/lib/opengauss/.bash_profile
+install -m 644 %{SOURCE20} $RPM_BUILD_ROOT%{?_localstatedir}/lib/opengauss/.bash_profile
 # auto start files
-install -m 644 %{SOURCE6} %{buildroot}%{tmppath}/script/opengauss.service
+install -m 644 %{SOURCE21} %{buildroot}%{tmppath}/script/opengauss.service
-install -m 700 %{SOURCE7} %{buildroot}%{tmppath}/script/autostart.sh
+install -m 700 %{SOURCE22} %{buildroot}%{tmppath}/script/autostart.sh
 # upgrade script
-install -m 644 %{SOURCE8} %{buildroot}%{tmppath}/version.cfg
+install -m 644 %{SOURCE23} %{buildroot}%{tmppath}/version.cfg
-install -m 644 %{SOURCE9} %{buildroot}%{tmppath}/opengauss_upgrade_start.sh
+install -m 644 %{SOURCE24} %{buildroot}%{tmppath}/opengauss_upgrade_start.sh
-install -m 644 %{SOURCE10} %{buildroot}%{tmppath}/opengauss_upgrade_common.sh
+install -m 644 %{SOURCE25} %{buildroot}%{tmppath}/opengauss_upgrade_common.sh
-install -m 644 %{SOURCE11} %{buildroot}%{tmppath}/opengauss_upgrade_config.sh
+install -m 644 %{SOURCE26} %{buildroot}%{tmppath}/opengauss_upgrade_config.sh
-install -m 644 %{SOURCE12} %{buildroot}%{tmppath}/opengauss_upgrade_errorcode.sh
+install -m 644 %{SOURCE27} %{buildroot}%{tmppath}/opengauss_upgrade_errorcode.sh
 popd
 %pre
 /usr/sbin/groupadd -r opengauss >/dev/null 2>&1 || :
@ -422,18 +460,18 @@ fi
 %files
 %defattr (-,root,root)
 %{apppath}
 %{tmppath}
 %doc
-%attr(700,opengauss,opengauss) %dir %{?_localstatedir}/lib/opengauss
+%defattr (755,opengauss,opengauss)
-%attr(700,opengauss,opengauss) %dir %{?_localstatedir}/lib/opengauss/data
+%{apppath}
-%attr(755,opengauss,opengauss) %dir %{apppath}
+
-%attr(755,opengauss,opengauss) %dir %{tmppath}
+%defattr (700,opengauss,opengauss)
-%attr(644,opengauss,opengauss) %config(noreplace) %{?_localstatedir}/lib/opengauss/.bash_profile
+%{?_localstatedir}/lib/opengauss
 %changelog
 * Thu Nov 14 2024 liuheng <liuheng76@huawei.com> - 6.0.0-16
 - Update version to 6.0.0
 * Thu Jun 20 2024 liuheng <liuheng76@huawei.com> - 5.0.1-15
 - Fix bugs: Initialize Remove Password
--- a/opengauss_upgrade_config.sh
+++ b/opengauss_upgrade_config.sh
@ -13,10 +13,10 @@ GAUSS_ADMIN_USER="opengauss"
 GAUSS_LOG_PATH="/var/lib/opengauss/opengauss_upgrade"
 #数据库升级根位置
-GAUSS_UPGRADE_BASE_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_5.0.1"
+GAUSS_UPGRADE_BASE_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_6.0.0"
 #数据库SQL包位置
-GAUSS_SQL_TAR_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_5.0.1"
+GAUSS_SQL_TAR_PATH="/var/lib/opengauss/opengauss_upgrade/pkg_6.0.0"
 #数据库低版本备份位置
 GAUSS_BACKUP_BASE_PATH="/var/lib/opengauss/opengauss_upgrade/bak"
--- a/openssl3-adptor.patch
+++ b/openssl3-adptor.patch
@ -1,89 +0,0 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp openGauss-server-5.0.1-edit/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp
 *** openGauss-server-5.0.1/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp	2024-05-07 20:16:39.548798239 +0800
 --- openGauss-server-5.0.1-edit/src/common/interfaces/libpq/client_logic_hooks/encryption_hooks/sm2_enc_key.cpp	2024-05-07 20:17:58.813382746 +0800
 ***************
 *** 152,165 ****
          EVP_PKEY_free(public_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! 
      ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
      if (ret != 1) {
          cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
          EVP_PKEY_free(public_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! 
      /* do cipher. */
      ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
      EVP_PKEY_free(public_evp_key);
 --- 152,165 ----
          EVP_PKEY_free(public_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! #ifndef WITH_OPENEULER_OS
      ret = EVP_PKEY_set_alias_type(public_evp_key, EVP_PKEY_SM2);
      if (ret != 1) {
          cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
          EVP_PKEY_free(public_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! #endif
      /* do cipher. */
      ctx = EVP_PKEY_CTX_new(public_evp_key, NULL);
      EVP_PKEY_free(public_evp_key);
 ***************
 *** 242,255 ****
          EVP_PKEY_free(private_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! 
      ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
      if (ret != 1) {
          cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
          EVP_PKEY_free(private_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! 
      /* do cipher. */
      ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
      EVP_PKEY_free(private_evp_key);
 --- 242,255 ----
          EVP_PKEY_free(private_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! #ifndef WITH_OPENEULER_OS
      ret = EVP_PKEY_set_alias_type(private_evp_key, EVP_PKEY_SM2);
      if (ret != 1) {
          cmkem_errmsg("EVP_PKEY_set_alias_type to EVP_PKEY_SM2 failed!");
          EVP_PKEY_free(private_evp_key);
          return CMKEM_EVP_ERR;
      }
 ! #endif
      /* do cipher. */
      ctx = EVP_PKEY_CTX_new(private_evp_key, NULL);
      EVP_PKEY_free(private_evp_key);
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/src/include/gs_policy/policy_common.h openGauss-server-5.0.1-edit/src/include/gs_policy/policy_common.h
 *** openGauss-server-5.0.1/src/include/gs_policy/policy_common.h        2024-05-07 20:16:40.004801601 +0800
 --- openGauss-server-5.0.1-edit/src/include/gs_policy/policy_common.h   2024-05-08 15:15:54.570657064 +0800
 ***************
 *** 22,27 ****
 --- 22,28 ----
   */
  #ifndef _GS_POLICY_COMMON_H
  #define _GS_POLICY_COMMON_H
 + #include <vector>
  #include "nodes/parsenodes.h"
  #include "nodes/plannodes.h"
 ***************
 *** 31,36 ****
 --- 32,39 ----
  #include "gs_vector.h"
  #include "pgaudit.h"
 + using std::vector;
 + 
  struct GsPolicyFQDN {
      GsPolicyFQDN():m_value_schema(0), m_value_object(0), is_function(false){}
      Oid m_value_schema; /* schema */
--- a/upgrade.patch
+++ b/upgrade.patch
@ -1,159 +0,0 @@
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/liteom/upgrade_common.sh openGauss-server-5.0.1-edit/liteom/upgrade_common.sh
 *** openGauss-server-5.0.1/liteom/upgrade_common.sh	2024-05-09 14:48:32.000000000 +0800
 --- openGauss-server-5.0.1-edit/liteom/upgrade_common.sh	2024-06-07 17:31:52.228407016 +0800
 ***************
 *** 273,284 ****
  }
  function check_version() {
 -   if [[ ! -f "${GAUSSHOME}/version.cfg" ]]; then
 -     die "Cannot find current version.cfg!" ${err_upgrade_pre}
 -   else
 -     old_version=$(tail -n 1 "$GAUSSHOME"/version.cfg)
 -     old_cfg=$(sed -n 2p "$GAUSSHOME"/version.cfg | sed 's/\.//g')
 -   fi
    if [[ -f "$GAUSS_UPGRADE_BIN_PATH"/version.cfg ]]; then
      new_version_cfg_path="${GAUSS_UPGRADE_BIN_PATH}/version.cfg"
    elif [[ -f "$GAUSS_UPGRADE_BASE_PATH"/version.cfg ]]; then
 --- 273,278 ----
 ***************
 *** 290,333 ****
    new_version=$(tail -n 1 "$new_version_cfg_path")
    new_cfg=$(sed -n 2p "$new_version_cfg_path" | sed 's/\.//g')
 -   if [[ X"$old_version" == X || X"$old_cfg" == X || X"$new_version" == X || X"$new_cfg" == X ]]; then
 -     die "Maybe version.cfg is not normal" ${err_upgrade_pre}
 -   fi
 -   if ! echo "$old_cfg"|grep -Ewq "[0-9]{3,6}";then
 -     die "Maybe version.cfg is not normal" ${err_upgrade_pre}
 -   fi
    if ! echo "$new_cfg"|grep -Ewq "[0-9]{3,6}";then
      die "Maybe version.cfg is not normal" ${err_upgrade_pre}
    fi
 !   if [[ "$old_version" == "$new_version" ]]; then
 !     die "New version is same as old, the commitId is $old_version!" ${err_version_same}
 !   fi
 !   if [[ ${new_cfg} -lt ${old_cfg} ]]; then
 !     die "Current version is newer!" ${err_upgrade_pre}
 !   fi
 !   big_cfg="False"
 !   if [[ ${new_cfg} -gt ${old_cfg} ]]; then
 !     log "Big upgrade is needed!"
 !     big_cfg="True"
 !   fi
    local flag_file="$GAUSS_TMP_PATH"/version_flag
 -   if echo "old_version=$old_version" > "$flag_file" && chmod 600 "$flag_file"; then
 -     debug "Begin to generate $flag_file"
 -   else
 -     die "Write $flag_file failed" ${err_upgrade_pre}
 -   fi
    if ! echo "new_version=$new_version" >> "$flag_file"; then
      die "Write $flag_file failed" ${err_upgrade_pre}
    fi
    if ! echo "big_cfg=$big_cfg" >> "$flag_file"; then
      die "Write $flag_file failed" ${err_upgrade_pre}
    fi
 -   if ! echo "old_cfg=$old_cfg" >> "$flag_file"; then
 -     die "Write $flag_file failed" ${err_upgrade_pre}
 -   fi
 -   log "Old version commitId is $old_version, version info is $old_cfg"
    log "New version commitId is $new_version, version info is $new_cfg"
    ##need version.cfg to check big upgrade,note user exec sql on primary dn
 --- 284,302 ----
    new_version=$(tail -n 1 "$new_version_cfg_path")
    new_cfg=$(sed -n 2p "$new_version_cfg_path" | sed 's/\.//g')
    if ! echo "$new_cfg"|grep -Ewq "[0-9]{3,6}";then
      die "Maybe version.cfg is not normal" ${err_upgrade_pre}
    fi
 !   big_cfg="True"
    local flag_file="$GAUSS_TMP_PATH"/version_flag
    if ! echo "new_version=$new_version" >> "$flag_file"; then
      die "Write $flag_file failed" ${err_upgrade_pre}
    fi
    if ! echo "big_cfg=$big_cfg" >> "$flag_file"; then
      die "Write $flag_file failed" ${err_upgrade_pre}
    fi
    log "New version commitId is $new_version, version info is $new_cfg"
    ##need version.cfg to check big upgrade,note user exec sql on primary dn
 ***************
 *** 1239,1242 ****
      fi
      rm -f "$GAUSS_TMP_PATH"/version_flag
      rm -f "$GAUSS_TMP_PATH"/record_step.txt
 ! }
 \ No newline at end of file
 --- 1208,1211 ----
      fi
      rm -f "$GAUSS_TMP_PATH"/version_flag
      rm -f "$GAUSS_TMP_PATH"/record_step.txt
 ! }
 diff -crN '--exclude=.git' '--exclude=.gitee' '--exclude=.vscode' openGauss-server-5.0.1/liteom/upgrade_config.sh openGauss-server-5.0.1-edit/liteom/upgrade_config.sh
 *** openGauss-server-5.0.1/liteom/upgrade_config.sh	2024-05-09 14:48:32.000000000 +0800
 --- openGauss-server-5.0.1-edit/liteom/upgrade_config.sh	2024-06-06 16:56:26.681705002 +0800
 ***************
 *** 4,31 ****
  # version: 1.0
  # 数据库监听端口
 ! GAUSS_LISTEN_PORT=""
  # 数据库管理员用户名
 ! GAUSS_ADMIN_USER=""
  #数据库升级回退日志路径
 ! GAUSS_LOG_PATH=""
  #数据库升级根位置
 ! GAUSS_UPGRADE_BASE_PATH=""
  #数据库SQL包位置
 ! GAUSS_SQL_TAR_PATH=""
  #数据库低版本备份位置
 ! GAUSS_BACKUP_BASE_PATH=""
  #数据库临时目录
 ! GAUSS_TMP_PATH=""
  #是否使用存在的bin解压包
  GAUSS_UPGRADE_BIN_PATH=""
  #需要同步的cluster config 列表
 ! GAUSS_UPGRADE_SYNC_CONFIG_LIST=""
 \ No newline at end of file
 --- 4,31 ----
  # version: 1.0
  # 数据库监听端口
 ! GAUSS_LISTEN_PORT="7654"
  # 数据库管理员用户名
 ! GAUSS_ADMIN_USER="opengauss"
  #数据库升级回退日志路径
 ! GAUSS_LOG_PATH="/usr/local/opengauss_upgrade"
  #数据库升级根位置
 ! GAUSS_UPGRADE_BASE_PATH="/usr/local/opengauss_upgrade/pkg_5.0.1"
  #数据库SQL包位置
 ! GAUSS_SQL_TAR_PATH="/usr/local/opengauss_upgrade/pkg_5.0.1"
  #数据库低版本备份位置
 ! GAUSS_BACKUP_BASE_PATH="/usr/local/opengauss_upgrade/bak"
  #数据库临时目录
 ! GAUSS_TMP_PATH="/usr/local/opengauss_upgrade/tmp"
  #是否使用存在的bin解压包
  GAUSS_UPGRADE_BIN_PATH=""
  #需要同步的cluster config 列表
 ! GAUSS_UPGRADE_SYNC_CONFIG_LIST=""
--- a/version.cfg
+++ b/version.cfg
@ -1,3 +1,4 @@
-openGauss-Lite-5.0.1
+openGauss-Server-6.0.0
-92.854
+92.954
-33b035fd
+798b1578
 release