committing changes in /etc made by "apt dist-upgrade -y"

Package changes:
-clamav-base 0.102.4+dfsg-0+deb10u1 all
-clamav-daemon 0.102.4+dfsg-0+deb10u1 amd64
-clamav-freshclam 0.102.4+dfsg-0+deb10u1 amd64
+clamav-base 0.103.2+dfsg-0+deb10u1 all
+clamav-daemon 0.103.2+dfsg-0+deb10u1 amd64
+clamav-freshclam 0.103.2+dfsg-0+deb10u1 amd64
-libclamav9 0.102.4+dfsg-0+deb10u1 amd64
+libclamav9 0.103.2+dfsg-0+deb10u1 amd64
+libgraphite2-3 1.3.13-7 amd64
+libharfbuzz0b 2.3.1-1 amd64
-openjdk-11-jdk 11.0.9.1+1-1~deb10u2 amd64
-openjdk-11-jdk-headless 11.0.9.1+1-1~deb10u2 amd64
-openjdk-11-jre 11.0.9.1+1-1~deb10u2 amd64
-openjdk-11-jre-headless 11.0.9.1+1-1~deb10u2 amd64
+openjdk-11-jdk 11.0.11+9-1~deb10u1 amd64
+openjdk-11-jdk-headless 11.0.11+9-1~deb10u1 amd64
+openjdk-11-jre 11.0.11+9-1~deb10u1 amd64
+openjdk-11-jre-headless 11.0.11+9-1~deb10u1 amd64

diff --git a/apparmor.d/usr.bin.freshclam b/apparmor.d/usr.bin.freshclam
index df5cb5be72eb9d2a14d95785cfeb140c2ef8f67f..a00317e40e78cad438749bdcba5561a771cf8b66 100644 (file)
--- a/apparmor.d/usr.bin.freshclam
+++ b/apparmor.d/usr.bin.freshclam
@@ -10,6 +10,9 @@
   #include <abstractions/user-tmp>
   #include <abstractions/openssl>
 
+  capability dac_override,
+  capability chown,
+
   capability setgid,
   capability setuid,
 

diff --git a/apparmor.d/usr.sbin.clamd b/apparmor.d/usr.sbin.clamd
index 45447594c38aaa03f77b670036ebb5c77328975e..da2bed00075404688c7e0b4830225437b2385a22 100644 (file)
--- a/apparmor.d/usr.sbin.clamd
+++ b/apparmor.d/usr.sbin.clamd
@@ -15,6 +15,7 @@
   # needed, when using systemd
   capability setgid,
   capability setuid,
+  capability chown,
 
   @{PROC}/filesystems r,
   @{PROC}/[0-9]*/status r,

diff --git a/clamav/freshclam.conf b/clamav/freshclam.conf
index d238dc2171a092d4319ab31055f45bd61db44db0..b1e1237a134b1034529c56caf53bee31f469320d 100644 (file)
--- a/clamav/freshclam.conf
+++ b/clamav/freshclam.conf
@@ -19,7 +19,6 @@ ReceiveTimeout 0
 TestDatabases yes
 ScriptedUpdates yes
 CompressLocalDatabase no
-SafeBrowsing false
 Bytecode true
 NotifyClamd /etc/clamav/clamd.conf
 # Check for new database 24 times a day

diff --git a/java-11-openjdk/jfr/default.jfc b/java-11-openjdk/jfr/default.jfc
index e76140c44a1ab0799b9b9a27417e689de51f61e5..1a1d420d73fd1006f66e485ea792b1e0470b2b62 100644 (file)
--- a/java-11-openjdk/jfr/default.jfc
+++ b/java-11-openjdk/jfr/default.jfc
@@ -29,6 +29,7 @@
 
     <event name="jdk.ThreadStart">
       <setting name="enabled">true</setting>
+      <setting name="stackTrace">true</setting>
     </event>
 
     <event name="jdk.ThreadEnd">

diff --git a/java-11-openjdk/jfr/profile.jfc b/java-11-openjdk/jfr/profile.jfc
index 11ad365468f1a44c590ae34fd7d1f1e56f86100f..edde79ce7c3c2b155afd00b114275bce55623480 100644 (file)
--- a/java-11-openjdk/jfr/profile.jfc
+++ b/java-11-openjdk/jfr/profile.jfc
@@ -29,6 +29,7 @@
 
     <event name="jdk.ThreadStart">
       <setting name="enabled">true</setting>
+      <setting name="stackTrace">true</setting>
     </event>
 
     <event name="jdk.ThreadEnd">

diff --git a/java-11-openjdk/security/default.policy b/java-11-openjdk/security/default.policy
index 694e403dd5c9b75eb9d7eb851c63c9f5f74e81ec..ab59a334cd0b6cd2d58d0878f7a31af42ef16802 100644 (file)
--- a/java-11-openjdk/security/default.policy
+++ b/java-11-openjdk/security/default.policy
@@ -122,6 +122,8 @@ grant codeBase "jrt:/jdk.crypto.ec" {
 };
 
 grant codeBase "jrt:/jdk.crypto.cryptoki" {
+    permission java.lang.RuntimePermission
+                   "accessClassInPackage.com.sun.crypto.provider";
     permission java.lang.RuntimePermission
                    "accessClassInPackage.sun.security.*";
     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";

diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security
index 0c0a9014084f4d96900589b9f2de490574f329a8..d1d8856beb156737399177c097a5a338065f5a6e 100644 (file)
--- a/java-11-openjdk/security/java.security
+++ b/java-11-openjdk/security/java.security
@@ -726,8 +726,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
 
 #
@@ -1256,3 +1256,26 @@ jdk.io.permissionsUseCanonicalPath=false
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*