From 339240fb45d8edd2ad8fef808d6a78712432c91c Mon Sep 17 00:00:00 2001
From: Frank Brehm <frank@brehm-online.com>
Date: Mon, 27 Jul 2020 09:46:52 +0200
Subject: [PATCH] committing changes in /etc made by "/usr/bin/apt full-upgrade
 -y"

Package changes:
-evince 3.36.5-0ubuntu1 amd64
-evince-common 3.36.5-0ubuntu1 all
+evince 3.36.7-0ubuntu1 amd64
+evince-common 3.36.7-0ubuntu1 all
-gir1.2-evince-3.0 3.36.5-0ubuntu1 amd64
+gir1.2-evince-3.0 3.36.7-0ubuntu1 amd64
-gnome-control-center 1:3.36.3-0ubuntu1 amd64
-gnome-control-center-data 1:3.36.3-0ubuntu1 all
+gnome-control-center 1:3.36.4-0ubuntu1 amd64
+gnome-control-center-data 1:3.36.4-0ubuntu1 all
-libevdocument3-4 3.36.5-0ubuntu1 amd64
+libevdocument3-4 3.36.7-0ubuntu1 amd64
-libevview3-3 3.36.5-0ubuntu1 amd64
+libevview3-3 3.36.7-0ubuntu1 amd64
-libnss-myhostname 245.4-4ubuntu3.1 amd64
-libnss-systemd 245.4-4ubuntu3.1 amd64
+libnss-myhostname 245.4-4ubuntu3.2 amd64
+libnss-systemd 245.4-4ubuntu3.2 amd64
-libpam-systemd 245.4-4ubuntu3.1 amd64
+libpam-systemd 245.4-4ubuntu3.2 amd64
-libsystemd0 245.4-4ubuntu3.1 amd64
+libsystemd0 245.4-4ubuntu3.2 amd64
-libudev1 245.4-4ubuntu3.1 amd64
-libudev1 245.4-4ubuntu3.1 i386
+libudev1 245.4-4ubuntu3.2 amd64
+libudev1 245.4-4ubuntu3.2 i386
-openjdk-11-jre 11.0.7+10-3ubuntu1 amd64
-openjdk-11-jre-headless 11.0.7+10-3ubuntu1 amd64
+openjdk-11-jre 11.0.8+10-0ubuntu1~20.04 amd64
+openjdk-11-jre-headless 11.0.8+10-0ubuntu1~20.04 amd64
-python-apt 2.0.0 amd64
-python-apt-common 2.0.0 all
+python-apt 2.0.0ubuntu0.20.04.1 amd64
+python-apt-common 2.0.0ubuntu0.20.04.1 all
-python3-apt 2.0.0 amd64
+python3-apt 2.0.0ubuntu0.20.04.1 amd64
-python3-distupgrade 1:20.04.21 all
+python3-distupgrade 1:20.04.23 all
-systemd 245.4-4ubuntu3.1 amd64
-systemd-container 245.4-4ubuntu3.1 amd64
+systemd 245.4-4ubuntu3.2 amd64
+systemd-container 245.4-4ubuntu3.2 amd64
-systemd-sysv 245.4-4ubuntu3.1 amd64
+systemd-sysv 245.4-4ubuntu3.2 amd64
-ubuntu-release-upgrader-core 1:20.04.21 all
+ubuntu-release-upgrader-core 1:20.04.23 all
-udev 245.4-4ubuntu3.1 amd64
+udev 245.4-4ubuntu3.2 amd64
---
 java-11-openjdk/security/default.policy | 10 +++++++---
 java-11-openjdk/security/java.security  | 12 ++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/java-11-openjdk/security/default.policy b/java-11-openjdk/security/default.policy
index 2c11f46..694e403 100644
--- a/java-11-openjdk/security/default.policy
+++ b/java-11-openjdk/security/default.policy
@@ -162,10 +162,14 @@ grant codeBase "jrt:/jdk.internal.vm.compiler" {
 };
 
 grant codeBase "jrt:/jdk.internal.vm.compiler.management" {
-    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.hotspot";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.compiler.collections";
     permission java.lang.RuntimePermission "accessClassInPackage.jdk.vm.ci.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.management.spi";
-    permission java.lang.RuntimePermission "sun.management.spi.PlatformMBeanProvider.subclass";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.core.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.debug";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.hotspot";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.options";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.phases.common.jmx";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.serviceprovider";
 };
 
 grant codeBase "jrt:/jdk.jsobject" {
diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security
index e922ef3..788ee84 100644
--- a/java-11-openjdk/security/java.security
+++ b/java-11-openjdk/security/java.security
@@ -1195,3 +1195,15 @@ jdk.io.permissionsUseCanonicalPath=false
 #
 #jdk.security.krb5.default.initiate.credential=always-impersonate
 
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
-- 
2.39.5