HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
Nico Williams
Nico.Williams at twosigma.com
Fri Oct 20 16:50:12 UTC 2023
On Fri, Oct 20, 2023 at 01:42:44PM +0000, Wei-Jun Wang wrote:
> I've filed a bug at https://bugs.openjdk.org/browse/JDK-8318599. Will look into it.
Thanks Max!
A comment if I may (did I ever complete my bugs.openjdk.org account setup?):
This is primarily a bug in HttpURLConnection and related classes, not really a
JGSS bug, so either a second issue should be opened for HttpURLConnection /
core-libs, or JDK-8318599 should be moved to core-libs.
Also, the HttpURLConnection issue should be higher than P4 in my opinion, even
if there is a workaround (`-Djdk.spnego.cache=false`). At the very least there
should be a high-priority issue to default `jdk.spnego.cache` to `false` in the
interim and then a lower-priority issue to fix the `AuthCache` issues.
Also, we're not asking for the fixes to the `dispose()` hazards in JGSS to be
backported, though we're not opposed to it either :)
Nico
--
More information about the security-dev
mailing list