Hi Michael,

Please share a working copy of the code to duplicate the failure scenario of the NPE related to Connection.java. BTW, I checked the stack trace posted on April 28; it did not clearly show Connection::cleanup got called. Was there something missed?
Thank you,
Weibing

From: security-dev <security-dev-r...@openjdk.org> on behalf of security-dev-requ...@openjdk.org <security-dev-requ...@openjdk.org>
Date: Tuesday, April 29, 2025 at 4:54 AM
To: security-dev@openjdk.org <security-dev@openjdk.org>
Subject: security-dev Digest, Vol 214, Issue 151

Today's Topics:

   1. Re: RFR: 8350498: Remove two Camerfirma root CA certificates (Mark Powers)
   2. Re: RFR: 8354305: SHAKE128 and SHAKE256 MessageDigest algorithms [v3] (Valerie Peng)
   3. Re: [Bug] NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory (Osipov, Michael (IN IT IN))

----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Apr 2025 01:21:44 GMT
From: Mark Powers <mpow...@openjdk.org>
To: <security-dev@openjdk.org>
Subject: Re: RFR: 8350498: Remove two Camerfirma root CA certificates
Message-ID: <A9eAJBJDaHecIKxXaVFN1OYPI3klaPxL5AkWVbC39Eg=.23a9c6ce-9cf2-4d30-94e2-5bc9f9a2f...@github.com>

On Tue, 22 Apr 2025 20:27:04 GMT, Rajan Halade <rhal...@openjdk.org> wrote:

> The change is to remove two Camerfirma root certificates which are terminated
> and no longer in use. These two roots are removed from `cacerts` truststore.
> Distrust of these roots is also removed as these roots will no longer be
> trusted by JDK by default.
>
> The release-note is at
> [JDK-8355325](https://bugs.openjdk.org/browse/JDK-8355325)

This looks good to me.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24800#issuecomment-2837171301

------------------------------

Message: 2
Date: Tue, 29 Apr 2025 01:41:44 GMT
From: Valerie Peng <valer...@openjdk.org>
To: <security-dev@openjdk.org>
Subject: Re: RFR: 8354305: SHAKE128 and SHAKE256 MessageDigest algorithms [v3]
Message-ID: <7tQk66i69YQpgGj4_thPeRH0Dvx3Z5ohyzefcsLL7wA=.b11500ea-08b1-4961-b65d-e68082b56...@github.com>

On Mon, 28 Apr 2025 14:48:34 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> Add 2 `MessageDigest` algorithms.
>
> Weijun Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   test alias usage

Changes look fine. However, we should probably caution about these being different from the regular message digest algorithms, i.e. regarding their related output property.

-------------

Marked as reviewed by valeriep (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/24576#pullrequestreview-2801570550

------------------------------

Message: 3
Date: Tue, 29 Apr 2025 10:54:31 +0200
From: "Osipov, Michael (IN IT IN)" <michael.osi...@innomotics.com>
To: security-dev@openjdk.org
Cc: andre...@openjdk.org
Subject: Re: [Bug] NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory
Message-ID: <9baba8d6-066a-42cd-9649-e16033108...@siemens.com>

On 2025-04-28 10:22, Osipov, Michael (IN IT IN) wrote:

> Hi folks,
> Hi Max,
>
> please assess the following bug I have found in Java 11+; it does not exist
> in Java 8. I have tried most of the following versions on Azul Zulu/
> OpenJDK: 8, 11, 17, 21, 24 on multiple platforms. Searched JBS as well,
> nothing found.

I was able to debug this and find the cause. It is a regression from https://github.com/openjdk/jdk11u/commit/bcac47f00ac6cf511ad7709fb9d39276ac27b049, introduced with https://bugs.openjdk.org/browse/JDK-8313657.

I can even reproduce this with the HPE JDK 8 for HP-UX, so I guess they have backported that broken fix.

Connection#flushAndCloseOutputStream() closes the SaslOutputStream, which disposes the GSS security context and sets it to null. After that, Connection#abandonRequest(LdapRequest, Control[]) is invoked, which still uses the SaslOutputStream:

> synchronized (this) {
>     outStream.write(ber.getBuf(), 0, ber.getDataLen());
>     outStream.flush();
> }

Andrew, can you log a bug here?

Michael

------------------------------

End of security-dev Digest, Vol 214, Issue 151
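The close-then-abandon ordering Michael describes, modelled as an added stand-alone Java illustration that is not JDK code: `SecurityContext`, `SaslLikeOutputStream`, `CheckedSaslLikeOutputStream` and `AbandonAfterCloseDemo` are constructed stand-ins for the GSS context, SaslOutputStream and the Connection call sequence, and the checked variant is a hypothetical hardening (fail with a descriptive IOException on write-after-close), not the JDK's actual fix.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;

// Constructed stand-in for the GSS security context that SaslOutputStream disposes on close.
final class SecurityContext {
    byte[] wrap(byte[] data, int off, int len) {
        return java.util.Arrays.copyOfRange(data, off, off + len); // real code applies auth-int protection here
    }
}

// Models SaslOutputStream: close() disposes the context and sets the reference to null.
class SaslLikeOutputStream extends OutputStream {
    protected SecurityContext ctx = new SecurityContext();
    private final OutputStream out;
    SaslLikeOutputStream(OutputStream out) { this.out = out; }
    @Override public void write(int b) throws IOException { write(new byte[] {(byte) b}, 0, 1); }
    @Override public void write(byte[] b, int off, int len) throws IOException {
        out.write(ctx.wrap(b, off, len)); // ctx is null once close() has run: NullPointerException
    }
    @Override public void close() throws IOException { ctx = null; out.close(); }
}

// Hypothetical hardened variant: a write after close fails with a descriptive IOException instead.
final class CheckedSaslLikeOutputStream extends SaslLikeOutputStream {
    CheckedSaslLikeOutputStream(OutputStream out) { super(out); }
    @Override public void write(byte[] b, int off, int len) throws IOException {
        if (ctx == null) throw new IOException("SASL output stream already closed");
        super.write(b, off, len);
    }
}

public class AbandonAfterCloseDemo {
    // Same order as in the report: flushAndCloseOutputStream() first, then abandonRequest() writes.
    static String abandonAfterClose(OutputStream outStream) {
        try {
            outStream.flush();
            outStream.close();                              // disposes the security context
            outStream.write(new byte[] {0x30, 0x00}, 0, 2); // constructed stand-in for the abandon BER
            return "no error";
        } catch (NullPointerException e) { return "NullPointerException"; }
          catch (IOException e) { return "IOException: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println(abandonAfterClose(new SaslLikeOutputStream(new ByteArrayOutputStream())));
        System.out.println(abandonAfterClose(new CheckedSaslLikeOutputStream(new ByteArrayOutputStream())));
    }
}
```

Running the demo prints `NullPointerException` for the unchecked stream and `IOException: SASL output stream already closed` for the checked one, which is the difference between a stack trace that hides the cause and one that names it.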