From: Frank Brehm
Date: Tue, 27 Apr 2021 21:43:44 +0000 (+0200)
Subject: committing changes in /etc made by "/usr/bin/apt full-upgrade -y"
X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=f2817aaa261ee2a2a1001b1a8f176643607e9828;p=config%2Fbruni%2Fetc-mint-new1.git
committing changes in /etc made by "/usr/bin/apt full-upgrade -y"
Package changes:
-grub-common 2.04-1ubuntu26.9 amd64
+grub-common 2.04-1ubuntu26.11 amd64
-grub-pc 2.04-1ubuntu26.9 amd64
-grub-pc-bin 2.04-1ubuntu26.9 amd64
-grub2-common 2.04-1ubuntu26.9 amd64
+grub-pc 2.04-1ubuntu26.11 amd64
+grub-pc-bin 2.04-1ubuntu26.11 amd64
+grub2-common 2.04-1ubuntu26.11 amd64
-openjdk-11-jre 11.0.10+9-0ubuntu1~20.04 amd64
-openjdk-11-jre-headless 11.0.10+9-0ubuntu1~20.04 amd64
-openjdk-8-jdk 8u282-b08-0ubuntu1~20.04 amd64
-openjdk-8-jdk-headless 8u282-b08-0ubuntu1~20.04 amd64
-openjdk-8-jre 8u282-b08-0ubuntu1~20.04 amd64
-openjdk-8-jre-headless 8u282-b08-0ubuntu1~20.04 amd64
+openjdk-11-jre 11.0.11+9-0ubuntu2~20.04 amd64
+openjdk-11-jre-headless 11.0.11+9-0ubuntu2~20.04 amd64
+openjdk-8-jdk 8u292-b10-0ubuntu1~20.04 amd64
+openjdk-8-jdk-headless 8u292-b10-0ubuntu1~20.04 amd64
+openjdk-8-jre 8u292-b10-0ubuntu1~20.04 amd64
+openjdk-8-jre-headless 8u292-b10-0ubuntu1~20.04 amd64
---
diff --git a/alternatives/jfr b/alternatives/jfr
index d5fda24..6d67ef9 120000
--- a/alternatives/jfr
+++ b/alternatives/jfr
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/bin/jfr
\ No newline at end of file
+/usr/lib/jvm/java-8-openjdk-amd64/bin/jfr
\ No newline at end of file
diff --git a/java-11-openjdk/security/default.policy b/java-11-openjdk/security/default.policy
index 694e403..ab59a33 100644
--- a/java-11-openjdk/security/default.policy
+++ b/java-11-openjdk/security/default.policy
@@ -122,6 +122,8 @@ grant codeBase "jrt:/jdk.crypto.ec" { }; grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security index 0c0a901..d1d8856 100644 --- a/java-11-openjdk/security/java.security +++ b/java-11-openjdk/security/java.security @@ -726,8 +726,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves # 
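Review bot: The new `jdk.tls.disabledAlgorithms` value in the `@@ -726,8 +726,8 @@` hunk adds `TLSv1` and `TLSv1.1`, so every JVM that reads this file stops negotiating those protocols, yet the commit record lists only package versions. The same change is made for Java 8 in the `@@ -652,8 +701,9 @@` hunk further down. Java clients and servers on this host that talk to peers limited to TLS 1.0/1.1 should be inventoried; the usual symptom in logs is `SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)`. If a single legacy peer must keep working, a per-application override file passed with `-Djava.security.properties=<file>` is preferable to editing this system-wide line, and the exception should be tracked so it can be removed.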
@@ -1256,3 +1256,26 @@ jdk.io.permissionsUseCanonicalPath=false # System value prevails. The default value of the property is "false". # #jdk.security.allowNonCaAnchor=true + +# +# JNDI Object Factories Filter +# +# This filter is used by the JNDI runtime to control the set of object factory classes +# which will be allowed to instantiate objects from object references returned by +# naming/directory systems. The factory class named by the reference instance will be +# matched against this filter. The filter property supports pattern-based filter syntax +# with the same format as jdk.serialFilter. +# +# Each pattern is matched against the factory class name to allow or disallow it's +# instantiation. The access to a factory class is allowed unless the filter returns +# REJECTED. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be examined and used by other implementations. +# +# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes +# the security property value defined here. The default value of the property is "*". +# +# The default pattern value allows any object factory class specified by the reference +# instance to recreate the referenced object. +#jdk.jndi.object.factoriesFilter=* diff --git a/java-8-openjdk/security/java.security b/java-8-openjdk/security/java.security index b766d2e..4d9ef23 100644 --- a/java-8-openjdk/security/java.security +++ b/java-8-openjdk/security/java.security 
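Review bot: The added `#jdk.jndi.object.factoriesFilter=*` stays commented out and the documented default `*` allows any object factory class, so this upgrade introduces the control without restricting anything. For JVMs on this host that perform JNDI lookups against naming or directory services, consider an allow-list in a per-application override, for example `jdk.jndi.object.factoriesFilter=com.example.app.**;!*` (constructed sample; the class pattern has to be replaced with the factories the application really uses). The comment text also has a typo: "it's instantiation" should read "its instantiation". The identical block is added to the Java 8 file in the `@@ -1148,3 +1198,26 @@` hunk.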
@@ -452,6 +452,22 @@ sun.security.krb5.disableReferrals=false # be overwritten with a System property (-Dsun.security.krb5.maxReferrals). sun.security.krb5.maxReferrals=5 +# +# This property contains a list of disabled EC Named Curves that can be included +# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this +# list in any of the disabledAlgorithms properties, add the property name as +# an entry. +jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \ + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \ + secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \ + sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \ + sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \ + sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \ + X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \ + X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \ + X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \ + brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 + # # Algorithm restrictions for certification path (CertPath) processing # @@ -466,7 +482,7 @@ sun.security.krb5.maxReferrals=5 # " DisabledAlgorithm { , DisabledAlgorithm } " # # DisabledAlgorithm: -# AlgorithmName [Constraint] { '&' Constraint } +# AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty # # AlgorithmName: # (see below) @@ -493,6 +509,9 @@ sun.security.krb5.maxReferrals=5 # UsageConstraint: # usage [TLSServer] [TLSClient] [SignedJAR] # +# IncludeProperty: +# include +# # The "AlgorithmName" is the standard algorithm name of the disabled # algorithm. See "Java Cryptography Architecture Standard Algorithm Name # Documentation" for information about Standard Algorithm Names. Matching 
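Review bot: The `jdk.disabled.namedCurves` list added in the `@@ -452,6 +452,22 @@` hunk includes `secp256k1` and the four `brainpoolP*r1` curves, and later hunks pull it into `jdk.certpath.disabledAlgorithms`, `jdk.jar.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` through `include jdk.disabled.namedCurves`. Certificates, signed JARs or TLS peers that use any of these curves will therefore be rejected by Java 8 on this host after the upgrade. A check of the certificate chains and keystores the local Java services depend on would confirm nothing relies on them. The other two hunks on this line only extend the syntax comment.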
@@ -505,6 +524,14 @@ sun.security.krb5.maxReferrals=5 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion # will not disable algorithms related to "ECDSA". # +# The "IncludeProperty" allows a implementation-defined security property that +# can be included in the disabledAlgorithms properties. These properties are +# to help manage common actions easier across multiple disabledAlgorithm +# properties. +# There is one defined security property: jdk.disabled.NamedCurves +# See the property for more specific details. +# +# # A "Constraint" defines restrictions on the keys and/or certificates for # a specified AlgorithmName: # @@ -577,7 +604,28 @@ sun.security.krb5.maxReferrals=5 # # jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ - RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 + RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \ + include jdk.disabled.namedCurves + +# +# Legacy algorithms for certification path (CertPath) processing and +# signed JAR files. +# +# In some environments, a certain algorithm or key length may be undesirable +# but is not yet disabled. +# +# Tools such as keytool and jarsigner may emit warnings when these legacy +# algorithms are used. See the man pages for those tools for more information. +# +# The syntax is the same as the "jdk.certpath.disabledAlgorithms" and +# "jdk.jar.disabledAlgorithms" security properties. +# +# Note: This property is currently used by the JDK Reference +# implementation. It is not guaranteed to be examined and used by other +# implementations. + +jdk.security.legacyAlgorithms=SHA1, \ + RSA keySize < 2048, DSA keySize < 2048 # # Algorithm restrictions for signed JAR files 
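Review bot: The added comment in the `@@ -505,6 +524,14 @@` hunk names the property as `jdk.disabled.NamedCurves`, but the property defined and included elsewhere in this file is `jdk.disabled.namedCurves`; property names are case-sensitive, so a name copied from the comment would not match the one defined here. The line should read `# There is one defined security property: jdk.disabled.namedCurves`, and "allows a implementation-defined" should be "allows an implementation-defined". The text comes from the packaged file, so the correction is better reported upstream than edited locally.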
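Review bot: `jdk.security.legacyAlgorithms=SHA1, RSA keySize < 2048, DSA keySize < 2048`, added in the `@@ -577,7 +604,28 @@` hunk, is advisory only: per its own comment keytool and jarsigner may emit warnings, while `jdk.certpath.disabledAlgorithms` in the same hunk still rejects SHA1 only for `jdkCA & usage TLSServer` and RSA/DSA keys only below 1024 bits. Signing and verification jobs that run on this host should surface those warnings in their logs, so SHA-1 signatures and keys shorter than 2048 bits are found and replaced while they are still accepted.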
@@ -620,7 +668,8 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ # # See "jdk.certpath.disabledAlgorithms" for syntax descriptions. # -jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 +jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ + DSA keySize < 1024, include jdk.disabled.namedCurves # # Algorithm restrictions for Secure Socket Layer/Transport Layer Security @@ -652,8 +701,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 # # Example: # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 -jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ - EC keySize < 224, 3DES_EDE_CBC, anon, NULL +jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ + DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ + include jdk.disabled.namedCurves # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # processing in JSSE implementation. 
@@ -1148,3 +1198,26 @@ jdk.security.caDistrustPolicies=SYMANTEC_TLS # System value prevails. The default value of the property is "false". # #jdk.security.allowNonCaAnchor=true + +# +# JNDI Object Factories Filter +# +# This filter is used by the JNDI runtime to control the set of object factory classes +# which will be allowed to instantiate objects from object references returned by +# naming/directory systems. The factory class named by the reference instance will be +# matched against this filter. The filter property supports pattern-based filter syntax +# with the same format as jdk.serialFilter. +# +# Each pattern is matched against the factory class name to allow or disallow it's +# instantiation. The access to a factory class is allowed unless the filter returns +# REJECTED. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be examined and used by other implementations. +# +# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes +# the security property value defined here. The default value of the property is "*". +# +# The default pattern value allows any object factory class specified by the reference +# instance to recreate the referenced object. +#jdk.jndi.object.factoriesFilter=*