Question about openjdk security patches

Andrew Hughes gnu.andrew at redhat.com
Fri Mar 18 21:51:14 UTC 2016


----- Original Message -----
> Hi,
>    I am new to the forum, this is my first question; so go easy. I have
> googled and looked up previous archives, I could not find information
> about security.properties in the security patches.
> 
> I intend to change security.properties on openjdk6. Specifically I intend
> to change
> 
> #networkaddress.cache.ttl=-1
> 
>  to
> 
> networkaddress.cache.ttl=30
> 
> My worry is subsequent OpenJDK security updates may overwrite this setting.
> So here is the question
> Do OpenJDK security patches "overwrite" existing "user amended" settings
> in the java.security file?

This is more a question about binaries built from OpenJDK than OpenJDK itself,
and how updated binaries are installed. This really depends on how your
distribution handles updates to the OpenJDK package.

On Fedora and RHEL, the file is treated as a config file. If java.security has
been modified, the new version will not overwrite it but will add the new
version as java.security.rpmnew. You then need to manually merge the two
to get the updates. Other distributions take a similar route, with Gentoo
having an 'etc-update' tool to aid in these updates.

A few recent security updates have modified this file so as to disable cryptographic
algorithms that have become insecure. To avoid missing such updates, it's thus safest
not to modify the system version of this file and instead use your own version
to override the relevant settings as Sean mentioned. This is especially true if
you just want to alter settings for a specific application.

> 
> Thanks,
> Vinay
> 

-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
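
Added example, not part of the original message: one way to see which settings a locally modified java.security is missing relative to the java.security.rpmnew that the reply says the package manager leaves behind. The function names and both sample file contents are constructed for illustration, and the parser assumes the `key=value` form with backslash line continuations.

```python
# Added example: compare an admin-edited java.security against the packaged
# java.security.rpmnew and list what still has to be merged by hand.
# Function names and sample contents are constructed, not from the thread.

def parse_properties(text):
    """Parse 'key=value' lines, skipping '#'/'!' comments and joining
    backslash-continued lines (assumption: '=' is the only separator)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        key, _, value = (pending + line).partition("=")
        pending = ""
        props[key.strip()] = value.strip()
    return props

def merge_report(current_text, rpmnew_text, local_keys=()):
    """Return {key: (current_value_or_None, rpmnew_value)} for each property
    the update sets differently, ignoring keys changed on purpose."""
    current = parse_properties(current_text)
    new = parse_properties(rpmnew_text)
    return {k: (current.get(k), v) for k, v in sorted(new.items())
            if k not in local_keys and current.get(k) != v}

# Constructed sample: the admin's edited file (TTL changed as in the question).
CURRENT = """\
networkaddress.cache.ttl=30
jdk.certpath.disabledAlgorithms=MD2
"""
# Constructed sample: the file shipped by a later update, saved as .rpmnew.
RPMNEW = """\
#networkaddress.cache.ttl=-1
jdk.certpath.disabledAlgorithms=MD2, MD5, \\
    RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3
"""

if __name__ == "__main__":
    report = merge_report(CURRENT, RPMNEW, local_keys={"networkaddress.cache.ttl"})
    for key, (old, new) in report.items():
        print(f"{key}\n  installed: {old}\n  update:    {new}")
```

An empty report means the edited file already carries every setting from the update; anything listed is a change, such as a newly disabled algorithm, that the installed file has not picked up.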




More information about the jdk6-dev mailing list