From: Frank Brehm Date: Sun, 25 Apr 2021 17:47:03 +0000 (+0200) Subject: committing changes in /etc made by "apt dist-upgrade -y" X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=6868b5710307e243d2b3c1a6ab6350fd0911a1b9;p=config%2Fhelga-hetzner%2Fetc.git committing changes in /etc made by "apt dist-upgrade -y" Package changes: -clamav-base 0.102.4+dfsg-0+deb10u1 all -clamav-daemon 0.102.4+dfsg-0+deb10u1 amd64 -clamav-freshclam 0.102.4+dfsg-0+deb10u1 amd64 +clamav-base 0.103.2+dfsg-0+deb10u1 all +clamav-daemon 0.103.2+dfsg-0+deb10u1 amd64 +clamav-freshclam 0.103.2+dfsg-0+deb10u1 amd64 -libclamav9 0.102.4+dfsg-0+deb10u1 amd64 +libclamav9 0.103.2+dfsg-0+deb10u1 amd64 +libgraphite2-3 1.3.13-7 amd64 +libharfbuzz0b 2.3.1-1 amd64 -openjdk-11-jdk 11.0.9.1+1-1~deb10u2 amd64 -openjdk-11-jdk-headless 11.0.9.1+1-1~deb10u2 amd64 -openjdk-11-jre 11.0.9.1+1-1~deb10u2 amd64 -openjdk-11-jre-headless 11.0.9.1+1-1~deb10u2 amd64 +openjdk-11-jdk 11.0.11+9-1~deb10u1 amd64 +openjdk-11-jdk-headless 11.0.11+9-1~deb10u1 amd64 +openjdk-11-jre 11.0.11+9-1~deb10u1 amd64 +openjdk-11-jre-headless 11.0.11+9-1~deb10u1 amd64 --- diff --git a/apparmor.d/usr.bin.freshclam b/apparmor.d/usr.bin.freshclam index df5cb5b..a00317e 100644 --- a/apparmor.d/usr.bin.freshclam +++ b/apparmor.d/usr.bin.freshclam @@ -10,6 +10,9 @@ #include #include + capability dac_override, + capability chown, + capability setgid, capability setuid, diff --git a/apparmor.d/usr.sbin.clamd b/apparmor.d/usr.sbin.clamd index 4544759..da2bed0 100644 --- a/apparmor.d/usr.sbin.clamd +++ b/apparmor.d/usr.sbin.clamd @@ -15,6 +15,7 @@ # needed, when using systemd capability setgid, capability setuid, + capability chown, @{PROC}/filesystems r, @{PROC}/[0-9]*/status r, diff --git a/clamav/freshclam.conf b/clamav/freshclam.conf index d238dc2..b1e1237 100644 --- a/clamav/freshclam.conf +++ b/clamav/freshclam.conf 
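Review bot: The three `+` lines in the freshclam profile (`capability dac_override,`, `capability chown,`, `capability setgid,`) carry no comment saying which freshclam operation needs them. `dac_override` is the broad one, since it lets the confined process ignore file permission bits on any path the profile's file rules already allow. In the clamd hunk the new `capability chown,` lands directly under the existing `# needed, when using systemd` comment, which was written for setgid/setuid and may not describe it. Because both files are package-maintained, the rationale belongs in the commit description, e.g. `apparmor: clamav 0.103.2 profiles add chown/dac_override/setgid (freshclam) and chown (clamd)`. It is also worth checking after the upgrade that the ClamAV database and log directories are owned by the service user, which should keep dac_override from being needed in practice; both profiles continue outside the hunks.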
@@ -19,7 +19,6 @@ ReceiveTimeout 0 TestDatabases yes ScriptedUpdates yes CompressLocalDatabase no -SafeBrowsing false Bytecode true NotifyClamd /etc/clamav/clamd.conf # Check for new database 24 times a day diff --git a/java-11-openjdk/jfr/default.jfc b/java-11-openjdk/jfr/default.jfc index e76140c..1a1d420 100644 --- a/java-11-openjdk/jfr/default.jfc +++ b/java-11-openjdk/jfr/default.jfc @@ -29,6 +29,7 @@ true + true diff --git a/java-11-openjdk/jfr/profile.jfc b/java-11-openjdk/jfr/profile.jfc index 11ad365..edde79c 100644 --- a/java-11-openjdk/jfr/profile.jfc +++ b/java-11-openjdk/jfr/profile.jfc @@ -29,6 +29,7 @@ true + true diff --git a/java-11-openjdk/security/default.policy b/java-11-openjdk/security/default.policy index 694e403..ab59a33 100644 --- a/java-11-openjdk/security/default.policy +++ b/java-11-openjdk/security/default.policy @@ -122,6 +122,8 @@ grant codeBase "jrt:/jdk.crypto.ec" { }; grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security index 0c0a901..d1d8856 100644 --- a/java-11-openjdk/security/java.security +++ b/java-11-openjdk/security/java.security @@ -726,8 +726,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # 
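Review bot: The new `jdk.tls.disabledAlgorithms` value in java.security adds `TLSv1` and `TLSv1.1`, which changes runtime behaviour for every JVM on this host, yet the commit description lists only package versions. Any Java service here that still talks to a peer limited to TLS 1.0/1.1 will fail its handshake after the next restart, so the description should record it, e.g. `java.security: TLSv1/TLSv1.1 now disabled by default (openjdk 11.0.11)`. If such a peer turns up, prefer a per-application override file passed with `-Djava.security.properties=` over editing this package-managed file, so the stricter default stays in force for everything else. The property's comment block starts above the hunk.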
@@ -1256,3 +1256,26 @@ jdk.io.permissionsUseCanonicalPath=false
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
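Review bot: The added `jdk.jndi.object.factoriesFilter` stays commented out, and per its own text the default `*` allows any object factory class named by a reference, so this hunk introduces the control without restricting anything. If applications on this host perform JNDI lookups against naming or directory services they do not fully control, an explicit allow-list is the hardening step, in the form `jdk.jndi.object.factoriesFilter=<allowed.factory.package>.*;!*` (placeholder package; the pattern syntax follows jdk.serialFilter, as the comment states). Whether any deployed application depends on a custom factory is not visible here and should be checked before the filter is set.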