HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809

Wei-Jun Wang weijun.wang at oracle.com
Fri Oct 20 13:42:44 UTC 2023


Hi Nico,

I've filed a bug at https://bugs.openjdk.org/browse/JDK-8318599. Will look into it.

Thanks,
Max

> On Oct 19, 2023, at 10:39 PM, Nico Williams <Nico.Williams at twosigma.com> wrote:
> 
> Also, a colleague informs me that 17.0.5 (as packaged by Debian) w/o `-Djdk.spnego.cache=false` doesn't exhibit the double-free/use-after-free crashes (as expected), but:
> 
>> I do see some "Authentication failure" / and "java.lang.NullPointerException: Cannot invoke "sun.net.www.protocol.http.Negotiator.nextToken(byte[])" because "this.negotiator" is null".
> 
> That seems to support the idea that the `AuthCache` is harmful.
> 
> Nico
> --
> 
> 
> 



More information about the security-dev mailing list