From: mhoellein
Date: Fri, 30 Apr 2021 17:49:13 +0000 (+0200)
Subject: committing changes in /etc after apt run
X-Git-Url: https://git.hoellein.online/?a=commitdiff_plain;h=7efdc0a8b9b4131559f1e70456be37352724f761;p=homeserver

committing changes in /etc after apt run

Package changes:
-bind9 1:9.11.3+dfsg-1ubuntu1.14 amd64
-bind9-host 1:9.11.3+dfsg-1ubuntu1.14 amd64
-bind9utils 1:9.11.3+dfsg-1ubuntu1.14 amd64
+bind9 1:9.11.3+dfsg-1ubuntu1.15 amd64
+bind9-host 1:9.11.3+dfsg-1ubuntu1.15 amd64
+bind9utils 1:9.11.3+dfsg-1ubuntu1.15 amd64
-dnsutils 1:9.11.3+dfsg-1ubuntu1.14 amd64
+dnsutils 1:9.11.3+dfsg-1ubuntu1.15 amd64
-gir1.2-gst-plugins-base-1.0 1.14.5-0ubuntu1~18.04.1 amd64
+gir1.2-gst-plugins-base-1.0 1.14.5-0ubuntu1~18.04.2 amd64
-gir1.2-gstreamer-1.0 1.14.5-0ubuntu1~18.04.1 amd64
+gir1.2-gstreamer-1.0 1.14.5-0ubuntu1~18.04.2 amd64
-gstreamer1.0-alsa 1.14.5-0ubuntu1~18.04.1 amd64
+gstreamer1.0-alsa 1.14.5-0ubuntu1~18.04.2 amd64
-gstreamer1.0-plugins-base 1.14.5-0ubuntu1~18.04.1 amd64
-gstreamer1.0-plugins-base-apps 1.14.5-0ubuntu1~18.04.1 amd64
-gstreamer1.0-plugins-good 1.14.5-0ubuntu1~18.04.1 amd64
+gstreamer1.0-plugins-base 1.14.5-0ubuntu1~18.04.2 amd64
+gstreamer1.0-plugins-base-apps 1.14.5-0ubuntu1~18.04.2 amd64
+gstreamer1.0-plugins-good 1.14.5-0ubuntu1~18.04.2 amd64
-gstreamer1.0-pulseaudio 1.14.5-0ubuntu1~18.04.1 amd64
-gstreamer1.0-tools 1.14.5-0ubuntu1~18.04.1 amd64
+gstreamer1.0-pulseaudio 1.14.5-0ubuntu1~18.04.2 amd64
+gstreamer1.0-tools 1.14.5-0ubuntu1~18.04.2 amd64
-gstreamer1.0-x 1.14.5-0ubuntu1~18.04.1 amd64
+gstreamer1.0-x 1.14.5-0ubuntu1~18.04.2 amd64
-libbind9-160 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libbind9-160 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libdns-export1100 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libdns-export1100 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libdns1100 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libdns1100 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libgstreamer-gl1.0-0 1.14.5-0ubuntu1~18.04.1 amd64
+libgstreamer-gl1.0-0 1.14.5-0ubuntu1~18.04.2 amd64
-libgstreamer-plugins-base1.0-0 1.14.5-0ubuntu1~18.04.1 amd64
-libgstreamer-plugins-base1.0-0 1.14.5-0ubuntu1~18.04.1 i386
-libgstreamer-plugins-good1.0-0 1.14.5-0ubuntu1~18.04.1 amd64
+libgstreamer-plugins-base1.0-0 1.14.5-0ubuntu1~18.04.2 amd64
+libgstreamer-plugins-base1.0-0 1.14.5-0ubuntu1~18.04.2 i386
+libgstreamer-plugins-good1.0-0 1.14.5-0ubuntu1~18.04.2 amd64
-libgstreamer1.0-0 1.14.5-0ubuntu1~18.04.1 amd64
-libgstreamer1.0-0 1.14.5-0ubuntu1~18.04.1 i386
+libgstreamer1.0-0 1.14.5-0ubuntu1~18.04.2 amd64
+libgstreamer1.0-0 1.14.5-0ubuntu1~18.04.2 i386
-libirs160 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libirs160 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libisc-export169 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libisc-export169 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libisc169 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libisc169 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libisccc160 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libisccc160 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libisccfg160 1:9.11.3+dfsg-1ubuntu1.14 amd64
+libisccfg160 1:9.11.3+dfsg-1ubuntu1.15 amd64
-liblwres160 1:9.11.3+dfsg-1ubuntu1.14 amd64
+liblwres160 1:9.11.3+dfsg-1ubuntu1.15 amd64
-libsmbclient 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
+libsmbclient 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
-libwbclient0 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
+libwbclient0 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
-openjdk-11-jre 11.0.10+9-0ubuntu1~18.04 amd64
-openjdk-11-jre-headless 11.0.10+9-0ubuntu1~18.04 amd64
+openjdk-11-jre 11.0.11+9-0ubuntu2~18.04 amd64
+openjdk-11-jre-headless 11.0.11+9-0ubuntu2~18.04 amd64
-openjdk-8-jre 8u282-b08-0ubuntu1~18.04 amd64
-openjdk-8-jre-headless 8u282-b08-0ubuntu1~18.04 amd64
+openjdk-8-jre 8u292-b10-0ubuntu1~18.04 amd64
+openjdk-8-jre-headless 8u292-b10-0ubuntu1~18.04 amd64
-python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
+python-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
-samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
-samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 all
-samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
-samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
-samba-libs 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
-samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.21 amd64
+samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
+samba-common 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 all
+samba-common-bin 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
+samba-dsdb-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
+samba-libs 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
+samba-vfs-modules 2:4.7.6+dfsg~ubuntu-0ubuntu2.23 amd64
-update-notifier-common 3.192.1.9 all
+update-notifier-common 3.192.1.10 all
---
diff --git a/alternatives/jfr b/alternatives/jfr
deleted file mode 120000
index d5fda24f..00000000
--- a/alternatives/jfr
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/jvm/java-11-openjdk-amd64/bin/jfr
\ No newline at end of file
diff --git a/java-11-openjdk/security/default.policy b/java-11-openjdk/security/default.policy
index 694e403d..ab59a334 100644
--- a/java-11-openjdk/security/default.policy
+++ b/java-11-openjdk/security/default.policy
@@ -122,6 +122,8 @@ grant codeBase "jrt:/jdk.crypto.ec" {
 };
 
 grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
 permission java.lang.RuntimePermission
 "accessClassInPackage.sun.security.*";
 permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
diff --git a/java-11-openjdk/security/java.security b/java-11-openjdk/security/java.security
index 0c0a9014..d1d8856b 100644
--- a/java-11-openjdk/security/java.security
+++ b/java-11-openjdk/security/java.security
@@ -726,8 +726,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
 include jdk.disabled.namedCurves
 
 #
@@ -1256,3 +1256,26 @@ jdk.io.permissionsUseCanonicalPath=false
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
diff --git a/java-8-openjdk/security/java.security b/java-8-openjdk/security/java.security
index b766d2e0..4d9ef231 100644
--- a/java-8-openjdk/security/java.security
+++ b/java-8-openjdk/security/java.security
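Review bot: The new `jdk.tls.disabledAlgorithms` value in java-11-openjdk/security/java.security (hunk `@@ -726,8 +726,8 @@`) still carries `DH keySize < 1024`, so 1024-bit finite-field DH groups stay acceptable to every JSSE client and server on this host even though TLS 1.0 and 1.1 are now refused. If nothing local depends on such peers, `DH keySize < 2048` would match the protocol tightening; this appears to be a packaged conffile, so a local edit has to be carried across later upgrades. Disabling `TLSv1` and `TLSv1.1` also changes handshake behaviour for any Java service that talks to legacy endpoints, and the generated commit message records only package versions, so application logs are worth checking for handshake failures once the JVMs restart. The same value is introduced for Java 8 in the `@@ -652,8 +701,9 @@` hunk of java-8-openjdk/security/java.security.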
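Review bot: `jdk.jndi.object.factoriesFilter` is added commented out in hunk `@@ -1256,3 +1256,26 @@` and its documented default is `*`, so the upgrade by itself restricts nothing: any object factory class named in a reference returned by a naming or directory service may still be instantiated. If Java applications on this host perform JNDI lookups against directory sources they do not fully control, set an explicit allow-list that ends in a reject-all pattern, for example `jdk.jndi.object.factoriesFilter=com.example.factories.*;!*` (constructed package name; the syntax is the jdk.serialFilter one the comment refers to), and test it before rollout. Whether any application here uses JNDI is not visible from the diff. The identical block is appended to java-8-openjdk/security/java.security in the `@@ -1148,3 +1198,26 @@` hunk.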
@@ -452,6 +452,22 @@ sun.security.krb5.disableReferrals=false
 # be overwritten with a System property (-Dsun.security.krb5.maxReferrals).
 sun.security.krb5.maxReferrals=5
 
+#
+# This property contains a list of disabled EC Named Curves that can be included
+# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this
+# list in any of the disabledAlgorithms properties, add the property name as
+# an entry.
+jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
+ secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+ secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+ sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+ sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+ sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
+ X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
+ X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
+ X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
+ brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+
 #
 # Algorithm restrictions for certification path (CertPath) processing
 #
@@ -466,7 +482,7 @@ sun.security.krb5.maxReferrals=5
 # " DisabledAlgorithm { , DisabledAlgorithm } "
 #
 # DisabledAlgorithm:
-# AlgorithmName [Constraint] { '&' Constraint }
+# AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty
 #
 # AlgorithmName:
 # (see below)
@@ -493,6 +509,9 @@ sun.security.krb5.maxReferrals=5
 # UsageConstraint:
 # usage [TLSServer] [TLSClient] [SignedJAR]
 #
+# IncludeProperty:
+# include
+#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
 # Documentation" for information about Standard Algorithm Names. Matching
@@ -505,6 +524,14 @@ sun.security.krb5.maxReferrals=5
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
+# The "IncludeProperty" allows a implementation-defined security property that
+# can be included in the disabledAlgorithms properties. These properties are
+# to help manage common actions easier across multiple disabledAlgorithm
+# properties.
+# There is one defined security property: jdk.disabled.NamedCurves
+# See the property for more specific details.
+#
+#
 # A "Constraint" defines restrictions on the keys and/or certificates for
 # a specified AlgorithmName:
 #
@@ -577,7 +604,28 @@ sun.security.krb5.maxReferrals=5
 #
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
- RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+ RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
+ include jdk.disabled.namedCurves
+
+#
+# Legacy algorithms for certification path (CertPath) processing and
+# signed JAR files.
+#
+# In some environments, a certain algorithm or key length may be undesirable
+# but is not yet disabled.
+#
+# Tools such as keytool and jarsigner may emit warnings when these legacy
+# algorithms are used. See the man pages for those tools for more information.
+#
+# The syntax is the same as the "jdk.certpath.disabledAlgorithms" and
+# "jdk.jar.disabledAlgorithms" security properties.
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+
+jdk.security.legacyAlgorithms=SHA1, \
+ RSA keySize < 2048, DSA keySize < 2048
 
 #
 # Algorithm restrictions for signed JAR files
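Review bot: The comment added in hunk `@@ -505,6 +524,14 @@` names the property `jdk.disabled.NamedCurves`, but the property defined in the `@@ -452,6 +452,22 @@` hunk and every `include` entry in this file spell it `jdk.disabled.namedCurves`. Java property keys are case-sensitive, so an administrator copying the name from the comment into a disabledAlgorithms list would reference a property that is not defined, and the curve restrictions would presumably not apply to that list. The comment line should read `# There is one defined security property: jdk.disabled.namedCurves`. The text ships with the package, so the correction belongs upstream rather than in a local edit of this file.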
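Review bot: `jdk.security.legacyAlgorithms`, added in hunk `@@ -577,7 +604,28 @@`, only makes tools such as keytool and jarsigner warn, as its own comment says; it rejects nothing. After this hunk `jdk.certpath.disabledAlgorithms` still accepts 1024-bit RSA and DSA keys and rejects SHA1 only under `jdkCA & usage TLSServer`, so the values now labelled legacy remain valid for certification-path checks. If this host validates certificates or signed JARs from outside sources, consider whether the enforced thresholds should follow the legacy list (`RSA keySize < 2048, DSA keySize < 2048`), after testing against the local trust store.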
@@ -620,7 +668,8 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
 #
 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
 #
-jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
+ DSA keySize < 1024, include jdk.disabled.namedCurves
 
 #
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
@@ -652,8 +701,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 #
 # Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
- EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ include jdk.disabled.namedCurves
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
@@ -1148,3 +1198,26 @@ jdk.security.caDistrustPolicies=SYMANTEC_TLS
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*