From d250f89e6bd3396f3f570908b127111d25a71c53 Mon Sep 17 00:00:00 2001 
From: Frank Brehm
Date: Mon, 7 Mar 2022 17:02:48 +0100
Subject: [PATCH] committing changes in /etc made by "/usr/bin/apt full-upgrade -y"
Package changes:
-cpp-9 9.3.0-17ubuntu1~20.04 amd64
+cpp-9 9.4.0-1ubuntu1~20.04 amd64
-firefox 97.0.1+linuxmint1+una amd64
-firefox-locale-de 97.0.1+linuxmint1+una amd64
-firefox-locale-en 97.0.1+linuxmint1+una amd64
-firefox-locale-fr 97.0.1+linuxmint1+una amd64
-firefox-locale-vi 97.0.1+linuxmint1+una amd64
+firefox 97.0.2+linuxmint1+una amd64
+firefox-locale-de 97.0.2+linuxmint1+una amd64
+firefox-locale-en 97.0.2+linuxmint1+una amd64
+firefox-locale-fr 97.0.2+linuxmint1+una amd64
+firefox-locale-vi 97.0.2+linuxmint1+una amd64
-g++-9 9.3.0-17ubuntu1~20.04 amd64
+g++-9 9.4.0-1ubuntu1~20.04 amd64
-gcc-9 9.3.0-17ubuntu1~20.04 amd64
-gcc-9-base 9.3.0-17ubuntu1~20.04 amd64
+gcc-9 9.4.0-1ubuntu1~20.04 amd64
+gcc-9-base 9.4.0-1ubuntu1~20.04 amd64
-gnome-disk-utility 3.36.3-0ubuntu1 amd64
+gnome-disk-utility 3.38.2+mint1+una amd64
-libasan5 9.3.0-17ubuntu1~20.04 amd64
+libasan5 9.4.0-1ubuntu1~20.04 amd64
-libgcc-9-dev 9.3.0-17ubuntu1~20.04 amd64
+libgcc-9-dev 9.4.0-1ubuntu1~20.04 amd64
-libssl-dev 1.1.1f-1ubuntu2.10 amd64
+libssl-dev 1.1.1f-1ubuntu2.11 amd64
-libssl1.1 1.1.1f-1ubuntu2.10 amd64
+libssl1.1 1.1.1f-1ubuntu2.11 amd64
-libstdc++-9-dev 9.3.0-17ubuntu1~20.04 amd64
+libstdc++-9-dev 9.4.0-1ubuntu1~20.04 amd64
-openjdk-11-jre 11.0.13+8-0ubuntu1~20.04 amd64
-openjdk-11-jre-headless 11.0.13+8-0ubuntu1~20.04 amd64
+openjdk-11-jre 11.0.14+9-0ubuntu2~20.04 amd64
+openjdk-11-jre-headless 11.0.14+9-0ubuntu2~20.04 amd64
-openssl 1.1.1f-1ubuntu2.10 amd64
+openssl 1.1.1f-1ubuntu2.11 amd64
---
 .etckeeper | 1 +
 java-11-openjdk/net.properties | 18 ++++++++++++
 java-11-openjdk/security/blocked.certs | 39 +++++++++++++++++++++++++
 java-11-openjdk/security/default.policy | 1 +
 java-11-openjdk/security/java.security | 21 ++++++-------
 5 files changed, 70 insertions(+), 10 deletions(-)
 create mode 100644 java-11-openjdk/security/blocked.certs
diff --git a/.etckeeper b/.etckeeper
index 9fac37d..d064aef 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -2137,6 +2137,7 @@ maybe chmod 0644 'java-11-openjdk/psfont.properties.ja'
 maybe chmod 0644 'java-11-openjdk/psfontj2d.properties'
 maybe chmod 0755 'java-11-openjdk/security'
 maybe chmod 0644 'java-11-openjdk/security/blacklisted.certs'
+maybe chmod 0644 'java-11-openjdk/security/blocked.certs'
 maybe chmod 0644 'java-11-openjdk/security/default.policy'
 maybe chmod 0644 'java-11-openjdk/security/java.policy'
 maybe chmod 0644 'java-11-openjdk/security/java.security'
diff --git a/java-11-openjdk/net.properties b/java-11-openjdk/net.properties
index d95715d..6bc00e4 100644
--- a/java-11-openjdk/net.properties
+++ b/java-11-openjdk/net.properties
@@ -99,6 +99,24 @@ ftp.nonProxyHosts=localhost|127.*|[::1]
 #jdk.http.auth.proxying.disabledSchemes=
 jdk.http.auth.tunneling.disabledSchemes=Basic
+#
+# Allow restricted HTTP request headers
+#
+# By default, the following request headers are not allowed to be set by user code
+# in HttpRequests: "connection", "content-length", "expect", "host" and "upgrade".
+# The 'jdk.httpclient.allowRestrictedHeaders' property allows one or more of these
+# headers to be specified as a comma separated list to override the default restriction.
+# The names are case-insensitive and white-space is ignored (removed before processing
+# the list). Note, this capability is mostly intended for testing and isn't expected
+# to be used in real deployments. Protocol errors or other undefined behavior is likely
+# to occur when using them. The property is not set by default.
+# Note also, that there may be other headers that are restricted from being set
+# depending on the context. This includes the "Authorization" header when the
+# relevant HttpClient has an authenticator set. These restrictions cannot be
+# overridden by this property.
+#
+# jdk.httpclient.allowRestrictedHeaders=host
+#
 #
 # Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
 # can be used for the NTLM scheme, where the security credentials based on the
diff --git a/java-11-openjdk/security/blocked.certs b/java-11-openjdk/security/blocked.certs
new file mode 100644
index 0000000..beded9e
--- /dev/null
+++ b/java-11-openjdk/security/blocked.certs
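Review bot: The example `# jdk.httpclient.allowRestrictedHeaders=host` must stay commented out on this host; the text above it says the override lets user code set `host`, `content-length`, `connection`, `expect` and `upgrade`, and an application-controlled Host or Content-Length is exactly what request-smuggling and virtual-host confusion rely on, which is why the JDK restricts them. The hunk adds comment lines only, so the effective configuration is unchanged here. Since a property like this can presumably also be supplied on the JVM command line, it is worth checking that no service unit or `JAVA_TOOL_OPTIONS` on this machine sets it — confirm. A blank context line between `jdk.http.auth.tunneling.disabledSchemes=Basic` and the first `+#` appears to have been lost in rendering; nothing else in the hunk is affected.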
@@ -0,0 +1,39 @@
+Algorithm=SHA-256
+03DB9E5E79FE6117177F81C11595AF598CB176AF766290DBCEB2C318B32E39A2
+08C396C006A21055D00826A5781A5CCFCE2C8D053AB3C197637A4A7A5BB9A650
+14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD
+1C5E6985ACC09221DBD1A4B7BBC6D3A8C3F8540D19F20763A9537FDD42B4FFE7
+1F6BF8A3F2399AF7FD04516C2719C566CBAD51F412738F66D0457E1E6BDE6F2D
+2A464E4113141352C7962FBD1706ED4B88533EF24D7BBA6CCC5D797FD202F1C4
+31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133
+3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66
+3E11CF90719F6FB44D94EAC9A156B89BEBE7B8598F28EC58913F2BFCAF91D0C0
+423279423B9FC8CB06F1BB7C3B247522B948D5F18939F378ECC901126DE40BFB
+450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2
+4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE
+4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176
+535D04DFCE027C70BD5F8A9E0AD4F218E9AFDCF5BBCF9B6DE0D81E148E2E3172
+568FAF38D9F155F624838E2181B1CEB4D8459305EE652B0F810C97C3611BFE19
+585CFE6B7436CBD4E732763A2137D7F49599BA9B1790E688FCEC799C58EB84A6
+5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B
+71CB00749B9130FB2707A2664BFF958D0FCC8E161D9674C7450BA0FC2BEAF9D3
+76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645
+8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF
+9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC
+9FADCE80D62A959F9930D748488C1E22E821F4E1E4A43584B848C2FC11E04D77
+A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083
+A90132CEA1D4F7185E4F688EFFD16F6AC14DFD78356A807599A5DABBEEF3333E
+B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD
+C0D1F42B9F4BF7ACC045B7BB5D4805E10737F67B6310CE505248D543D0D5FE07
+D0156949F1381943442C6974E9B5B49EF441BB799EF20477B90A89C3F33620CE
+D151962D954970501C60079258EBCFA38502E0A9F03CD640322B08C0A3117FE5
+D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F
+D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967
+D6CEAE5D9E047FAF7D797858D229AC991AD44316D1E2A37A21926D763153593A
+DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE
+E0E740E4B0F8B3548181FF75B5372FAF4C70B99EC995D694ED0FB91B03FF8D21
+EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C
+F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7
+FBB12938ABD86C125796EDF4162D291028890A7D6C0C1CCA75FD4B95EBFA7A1A
+FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD
+FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B
diff --git a/java-11-openjdk/security/default.policy b/java-11-openjdk/security/default.policy
index ab59a33..5db744f 100644
--- a/java-11-openjdk/security/default.policy
+++ b/java-11-openjdk/security/default.policy
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
 grant codeBase "jrt:/jdk.crypto.cryptoki" {
 permission java.lang.RuntimePermission "accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
 permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
 permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security
index 30a1f37..c3698ea 100644
--- a/java-11-openjdk/security/java.security
+++ b/java-11-openjdk/security/java.security
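Review bot: `blacklisted.certs` is still present next to the new file (the `.etckeeper` hunk keeps its `maybe chmod 0644 'java-11-openjdk/security/blacklisted.certs'` entry), so this host now carries two untrusted-certificate lists and nothing in the commit says which one the upgraded JDK consults. If, as the name suggests, `blocked.certs` is the renamed replacement, the stale file should be removed or the two diffed to confirm they hold the same fingerprints; if both are still read, any local additions made to `blacklisted.certs` need to be carried over, since a blocked certificate that only appears in a file the JDK no longer reads is silently re-trusted. The 38 SHA-256 values are only as trustworthy as their source — compare this copy against the JDK 11.0.14 release's `blocked.certs` rather than treating the `/etc` copy as authoritative.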
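Review bot: The added grant gives the `jrt:/jdk.crypto.cryptoki` code base `accessClassInPackage.jdk.internal.misc`, a package that in JDK 11 includes `Unsafe` among other internals, and the line carries no note of why the PKCS#11 provider module needs it. Since this is the vendor default policy and the file has no comment here, record the reason above the new line, e.g. `// required by the PKCS#11 provider as of 11.0.14; tracks upstream default.policy — keep scoped to this jrt: code base`, so a later hardening pass neither drops it nor copies it into `java.policy` for application code. Policy grants only take effect under a SecurityManager and this one is limited to the module's own code base, so it does not appear to widen what application code may do — worth confirming against the upstream 11.0.14 file. The `grant` block continues past the end of the hunk.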
@@ -428,21 +428,22 @@ networkaddress.cache.negative.ttl=10
 # Policy for failed Kerberos KDC lookups:
 #
 # When a KDC is unavailable (network error, service failure, etc), it is
-# put inside a blacklist and accessed less often for future requests. The
+# put inside a secondary list and accessed less often for future requests. The
 # value (case-insensitive) for this policy can be:
 #
 # tryLast
-# KDCs in the blacklist are always tried after those not on the list.
+# KDCs in the secondary list are always tried after those not on the list.
 #
 # tryLess[:max_retries,timeout]
-# KDCs in the blacklist are still tried by their order in the configuration,
-# but with smaller max_retries and timeout values. max_retries and timeout
-# are optional numerical parameters (default 1 and 5000, which means once
-# and 5 seconds). Please notes that if any of the values defined here is
-# more than what is defined in krb5.conf, it will be ignored.
-#
-# Whenever a KDC is detected as available, it is removed from the blacklist.
-# The blacklist is reset when krb5.conf is reloaded. You can add
+# KDCs in the secondary list are still tried by their order in the
+# configuration, but with smaller max_retries and timeout values.
+# max_retries and timeout are optional numerical parameters (default 1 and
+# 5000, which means once and 5 seconds). Please note that if any of the
+# values defined here are more than what is defined in krb5.conf, it will be
+# ignored.
+#
+# Whenever a KDC is detected as available, it is removed from the secondary
+# list. The secondary list is reset when krb5.conf is reloaded. You can add
 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 # reloaded whenever a JAAS authentication is attempted.
 #
-- 
2.39.5