CVE-2021-25220

BIND 9.11.0 -> 9.11.36
BIND 9.12.0 -> 9.16.26
BIND 9.17.0 -> 9.18.0

BIND Supported Preview Editions:

9.11.4-S1 -> 9.11.36-S1
9.16.8-S1 -> 9.16.26-S1

Versions of BIND 9 earlier than those shown – back to 9.1.0, including Supported Preview Editions – are also believed to be affected but have not been tested as they are EOL.

The cache could become poisoned with incorrect records, leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
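As an added example (not ISC's code and not part of the advisory), the following Python script checks BIND version strings, such as the first line of `named -v` output, against the affected ranges listed above. It keeps the regular releases and the Supported Preview (-S1) editions as separate ranges and, following the advisory's own wording, reports versions older than the listed ranges back to 9.1.0 as believed affected but untested. The host names and banner lines in it are constructed sample data.

```python
"""Sweep BIND 9 version strings against the CVE-2021-25220 affected ranges.

Added example, not ISC code. The ranges below are copied from the advisory
text; everything else (host names, banner lines) is constructed sample data.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected ranges copied from the advisory, inclusive on both ends.
# Each entry is (edition, lowest affected, highest affected); edition is ""
# for regular releases and "S1" for Supported Preview Editions.
AFFECTED_RANGES = [
    ("", (9, 11, 0), (9, 11, 36)),
    ("", (9, 12, 0), (9, 16, 26)),
    ("", (9, 17, 0), (9, 18, 0)),
    ("S1", (9, 11, 4), (9, 11, 36)),
    ("S1", (9, 16, 8), (9, 16, 26)),
]
# The advisory says releases back to 9.1.0 are believed affected but untested.
OLDEST_BELIEVED_AFFECTED: Version = (9, 1, 0)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(S1))?$")
# Picks the version out of a `named -v` banner such as
# "BIND 9.16.26 (Extended Support Version) <id:...>".
BANNER_RE = re.compile(r"\bBIND (\d+\.\d+\.\d+(?:-S1)?)")


def parse_version(text: str) -> Tuple[Version, str]:
    """Turn '9.16.26' or '9.16.26-S1' into ((9, 16, 26), edition)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), (m.group(4) or "")


def assess(text: str) -> str:
    """Classify one version string.

    Returns "affected" for a version inside a listed range,
    "believed-affected-untested" for an older release back to 9.1.0
    (the advisory's own wording), and "not-listed" otherwise.
    """
    version, edition = parse_version(text)
    ranges = [(lo, hi) for ed, lo, hi in AFFECTED_RANGES if ed == edition]
    if any(lo <= version <= hi for lo, hi in ranges):
        return "affected"
    lowest_listed = min(lo for lo, _ in ranges)
    if OLDEST_BELIEVED_AFFECTED <= version < lowest_listed:
        return "believed-affected-untested"
    return "not-listed"


def sweep(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict, given the first line of `named -v` from each host."""
    verdicts = {}
    for host, banner in inventory.items():
        m = BANNER_RE.search(banner)
        verdicts[host] = assess(m.group(1)) if m else "unparsed"
    return verdicts


# Constructed sample inventory: hypothetical hosts and banner lines, not real data.
SAMPLE_INVENTORY = {
    "ns1.example.test": "BIND 9.16.26 (Extended Support Version) <id:0000000>",
    "ns2.example.test": "BIND 9.18.0 (Stable Release) <id:0000000>",
    "ns3.example.test": "BIND 9.11.36-S1 (Supported Preview Edition) <id:0000000>",
    "ns4.example.test": "BIND 9.8.4 <id:0000000>",
    "ns5.example.test": "unbound 1.13.1",
}

if __name__ == "__main__":
    for host, verdict in sweep(SAMPLE_INVENTORY).items():
        print(f"{host:20} {verdict}")
```

In practice the banner strings would come from collecting `named -v` (or the version reported by your configuration management) from each resolver; a "not-listed" verdict only means the version is outside the ranges the advisory names, so confirm the fixed release from the vendor before closing the finding.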

Helping Mom & Dad: Family Video Chats

Editor’s Note: This is the third in a series of articles about how we can help our elder parents get the most out of digital life—the ways we can help them look after their finances and health online, along with how they can use the internet to keep connected with friends and family, all safely and simply. 

Now here’s a great topic. Spending more quality time with our folks, even if they’re far away. That’s the beauty of a family video chat. It’s a way to connect with more than voice. It’s a way to share moments together. 

If your parents and the older loved ones in your family haven’t come around to the idea of video chats just yet, now’s a good time to give it a try. Video chats are far easier to enjoy than ever, and with a little initiative from you, the family can gather around a video chat rather quickly. In fact, there’s plenty you can do to get them started.  

Video chats may be old hat to you, but they're likely quite new to them 

Clearly, a video chat is different from a phone call. Beyond the technological differences, it's quite a different way of interacting. After all, there you are, face-to-face, talking over a device. And that may feel a little awkward, especially for our parents. They've lived lives where long-distance conversations meant using a phone that was anchored to the kitchen wall. 

So aside from the technical considerations of video chats, there's a degree of freedom that may leave our parents wondering what to do and how to act in this new medium. Just like when we first used video chat ourselves, questions come up: Where should I be looking on the screen? How should I hold the phone? Can everyone on this call see up my nose? 

You can ease them in by taking the lead, welcoming them into the notion that your video chat can be much more than a phone call. More than simply talking, it’s a chance to create a shared space together.  

A great example is this: a co-worker recently told me about his in-laws who were scouting out retirement communities to live in. Even though his in-laws lived 2,000 miles away, they all got to do a little house-hunting together. Using a smartphone, they took room-to-room tours of model homes together, got views of the tree-lined streets, checked out the pools and rec centers, and so on. A few weeks later, they shared another video call where his in-laws walked the family through their new place after they’d settled in. And all of it started with a simple request, “Hey, turn on FaceTime so we can take a look too!” 

So, in a way, video chats truly are an opportunity to create moments together. It could be as simple as asking grandma to read a book to the kids, having mom and dad share what they're having for a birthday dinner, or asking them to show how hard it's snowing outside their home. Anything you can do to encourage a little free interaction of some sort may make a video chat feel far more comfortable. You can really relax and interact once you settle in and let the possibilities unfold. 

Set a time for your call 

In a way, a video call is much like dropping by the house for a visit. Placing a video call unannounced may catch mom in her curlers, so to speak. Or, as we’ve heard our parents say when they looked at a messy living room, we may catch them when “the house isn’t ready for guests.” In either case, scheduling a time for a video call gives everyone time to prepare. Whether it’s sprucing up your appearance or simply getting into the headspace for a face-to-face interaction, a designated time helps everyone get ready. 

On your end, it's an opportunity for you to prepare as well. Do the kids have some recent schoolwork or a project they're proud of? Have them bring it for some show-and-tell. Doing some cooking lately and you just can't seem to get the family secret BBQ sauce just right? Bring your folks into the kitchen for some cooking advice. Find an old treasure in storage? Break it out and flip through your old grade-school art scrapbook with them on the call. As you prepare, think about the things you'd like to share and the moments you'd like to create together over the video call. That'll make it all the more special. 

Picking a platform for your video call—smartphones and tablets are a straightforward way to go 

As you know, there are plenty of ways to hold a video call. There's a good chance you've used several platforms and apps yourself already, whether with friends, work, or a mix of both. So when it comes to picking what's best for your video call, the question to ask is how comfortable your parents are with technology. 

If your parents are pretty comfortable with technology, you can share one of my earlier articles on video calls with them, which walks through the ins and outs of different apps and options. If they’re a little less savvy with technology, ideally they have a smartphone or tablet that they can use. Chances are, that device will have video calling built right in, such as Apple’s FaceTime or Google Duo on Android devices—both of which make video calls an easier “point and shoot” experience.  

Even if you're using different devices, you can still use apps like FaceTime between Androids and iPhones. It's rather straightforward, as all it takes is for one party or the other to click a link. Additionally, Google Duo is available as an app in Apple's App Store, which makes it easy for everyone to get on one platform as needed. 

Video calls on laptops and computers 

If a smartphone or tablet isn't in the picture, there are certainly options for laptops and computers, several of which you may already know well. Of the free and relatively straightforward apps out there, you can choose from: 

Zoom

With a free account that can run through a browser window, you and your parents can enjoy a call without having to manually download an app. 

Skype

This comes standard on Windows PCs and supports apps for all kinds of tablets and smartphones too. If you want to create a video chat without an account, you can simply visit this page and start an instant video chat with a click. 

Google Meet

Free to anyone with a free Google Gmail account, you can use Google Meet just by clicking its icon from your Google apps menu or by visiting https://meet.google.com/. Like Zoom and Skype, it can run in the window of a browser, so there’s no app to manually download. 

Of course, your folks will need a camera and microphone for their computer. If they don’t have one, there are plenty of moderately priced web cameras that include a microphone. I suggest getting one with a physical lens cap. That way they can protect privacy. Of course, they can always simply disconnect it when they’re not using it. 

Setting up a laptop or computer for video calls may take a little bit of work. You can help your parents by walking them through the process with these articles: 

If they have a Windows computer, you can check out this quick article to get the audio set up and this article for setting up the camera. 
For Macs, check out this article for setting up audio and this article for setting up video. 

Keeping safe on your calls 

Once you’re all set up, here are a few things that you and your parents can do to help keep your calls private and secure.   

1) Set a password 

If your video chat app generates a link that others can click to join in, be sure to set a password so that uninvited parties can't join in as well. Also, don't be shy about asking your family members to use a password on the calls they initiate. It's pretty much standard practice nowadays. 

2) Double-check any video chat invitation links 

Likewise, with any chat link that’s sent to you, be sure that link is legitimate. Confirm the link with the family member who sent it, particularly if you weren’t expecting one. (This is another good reason to schedule calls. Family members will be on the lookout for that link.) 

3) Use security software 

Make sure that you’re using comprehensive online protection software that helps steer you clear of scam emails and links, along with browser protection that blocks links that could send you to sketchy websites. That way, if you do get sent a bogus invite link from a scammer, you’ll be protected. 

4) Keep your apps and operating system up to date 

Aside from giving you the latest features and functionality, updates also often include essential security improvements. Set your computer to update itself automatically and consider using security software that will scan for vulnerabilities and install updates automatically as needed. 

Chat it up! 

An interesting closing note is that getting comfortable with video chat may open a world of other possibilities as well. Perhaps once they get online and see how video chats work, they'll reach out to other friends and get them in on it too, creating more opportunities to reach out and spend time with others. In other words, you may really start something here by getting mom and dad on video chat. 

Additionally, early research has shown that older adults who regularly use technologies like video chat have seen positive impacts on their long-term memory compared to those who just interacted over the phone or in person. Similarly, research has shown that the use of technology, in general, can enhance mental health for older adults as well.  

With that, I hope you’ll give it a try with your parents and older loved ones. Meet the inevitable technical bumps in the road with a smile because this journey will be absolutely worth it. For all of you. 

The post Helping Mom & Dad: Family Video Chats appeared first on McAfee Blog.

NASA’s Insider Threat Program

The Office of Inspector General has audited NASA’s insider threat program:

While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems — including many containing high-value assets or critical infrastructure — are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data. While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources. According to Agency officials, expanding the insider threat program to unclassified systems would benefit the Agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented. However, on-going concerns including staffing challenges, technology resource limitations, and lack of funding to support such an expansion would need to be addressed prior to enhancing the existing program.

Further amplifying the complexities of insider threats are the cross-discipline challenges surrounding cybersecurity expertise. At NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the Chief Information Officer. In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity. At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the Agency’s ability to carry out its mission.

java-latest-openjdk-17.0.2.0.8-1.rolling.el8

FEDORA-EPEL-2022-b042a4581a

Packages in this update:

java-latest-openjdk-17.0.2.0.8-1.rolling.el8

Update description:

New in release OpenJDK 17.0.2 (2022-01-18):

Live versions of these release notes can be found at:
https://bitly.com/openjdk1702
https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt

Security fixes

JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named “.” inside
JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
JDK-8268488: More valuable DerValues
JDK-8268494: Better inlining of inlined interfaces
JDK-8268512: More content for ContentInfo
JDK-8268813, CVE-2022-21283: Better String matching
JDK-8269151: Better construction of EncryptedPrivateKeyInfo
JDK-8269944: Better HTTP transport redux
JDK-8270386, CVE-2022-21291: Better verification of scan methods
JDK-8270392, CVE-2022-21293: Improve String constructions
JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
JDK-8270492, CVE-2022-21282: Better resolution of URIs
JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
JDK-8270952, CVE-2022-21277: Improve TIFF file handling
JDK-8271962: Better TrueType font loading
JDK-8271968: Better canonical naming
JDK-8271987: Manifest improved manifest entries
JDK-8272014, CVE-2022-21305: Better array indexing
JDK-8272026, CVE-2022-21340: Verify Jar Verification
JDK-8272236, CVE-2022-21341: Improve serial forms for transport
JDK-8272272: Enhance jcmd communication
JDK-8272462: Enhance image handling
JDK-8273290: Enhance sound handling
JDK-8273756, CVE-2022-21360: Enhance BMP image support
JDK-8273838, CVE-2022-21365: Enhanced BMP processing
JDK-8274096, CVE-2022-21366: Improve decoding of image files

Other changes

JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
JDK-8214761: Bug in parallel Kahan summation implementation
JDK-8223923: C2: Missing interference with mismatched unsafe accesses
JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
JDK-8263375: Support stack watermarks in Zero VM
JDK-8263773: Reenable German localization for builds at Oracle
JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
JDK-8264292: Create implementation for NSAccessibilityList protocol peer
JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
JDK-8266239: Some duplicated javac command-line options have repeated effect
JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
JDK-8267387: Create implementation for NSAccessibilityOutline protocol
JDK-8267388: Create implementation for NSAccessibilityTable protocol
JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with “Exception: Failed to hide opaque button”
JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
JDK-8268361: Fix the infinite loop in next_line
JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
JDK-8268893: jcmd to trim the glibc heap
JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
JDK-8269113: Javac throws when compiling switch (null)
JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
JDK-8269481: SctpMultiChannel never releases own file descriptor
JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
JDK-8269687: pauth_aarch64.hpp include name is incorrect
JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
JDK-8270110: Shenandoah: Add test for JDK-8269661
JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
JDK-8270290: NTLM authentication fails if HEAD request is used
JDK-8270317: Large Allocation in CipherSuite
JDK-8270320: JDK-8270110 committed invalid copyright headers
JDK-8270517: Add Zero support for LoongArch
JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
JDK-8271071: accessibility of a table on macOS lacks cell navigation
JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
JDK-8271215: Fix data races in G1PeriodicGCTask
JDK-8271254: javac generates unreachable code when using empty semicolon statement
JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with “lists don’t have the same size expected”
JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to “An established connection was aborted by the software in your host machine”
JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
JDK-8271605: Update JMH devkit to 1.32
JDK-8271718: Crash when during color transformation the color profile is replaced
JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
JDK-8272114: Unused _last_state in osThread_windows
JDK-8272170: Missing memory barrier when checking active state for regions
JDK-8272305: several hotspot runtime/modules don’t check exit codes
JDK-8272318: Improve performance of HeapDumpAllTest
JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn’t check exit codes
JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
JDK-8272345: macos doesn’t check os::set_boot_path() result
JDK-8272369: java/io/File/GetXSpace.java failed with “RuntimeException: java.nio.file.NoSuchFileException: /run/user/0”
JDK-8272391: Undeleted debug information
JDK-8272413: Incorrect num of element count calculation for vector cast
JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late
JDK-8272570: C2: crash in PhaseCFG::global_code_motion
JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
JDK-8272639: jpackaged applications using microphone on mac
JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
JDK-8272783: Epsilon: Refactor tests to improve performance
JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
JDK-8272838: Move CriticalJNI tests out of tier1
JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1
JDK-8272850: Drop zapping values in the Zap* option descriptions
JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test
JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
JDK-8272859: Javadoc external links should only have feature version number in URL
JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
JDK-8272970: Parallelize runtime/InvocationTests/
JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop
JDK-8273021: C2: Improve Add and Xor ideal optimizations
JDK-8273026: Slow LoginContext.login() on multi threading application
JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
JDK-8273165: GraphKit::combine_exception_states fails with “matching stack sizes” assert
JDK-8273176: handle latest VS2019 in abstract_vm_version
JDK-8273229: Update OS detection code to recognize Windows Server 2022
JDK-8273234: extended ‘for’ with expression of type tvar causes the compiler to crash
JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
JDK-8273278: Support XSLT on GraalVM Native Image–deterministic bytecode generation in XSLT
JDK-8273308: PatternMatchTest.java fails on CI
JDK-8273314: Add tier4 test groups
JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test
JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory
JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods
JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs
JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn’t respect instance size
JDK-8273361: InfoOptsTest is failing in tier1
JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
JDK-8273375: Remove redundant ‘new String’ calls after concatenation in java.desktop
JDK-8273376: Zero: Disable vtable/itableStub gtests
JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP
JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record
JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java
JDK-8273450: Fix the copyright header of SVML files
JDK-8273451: Remove unreachable return in mutexLocker::wait
JDK-8273483: Zero: Clear pending JNI exception check in native method handler
JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
JDK-8273487: Zero: Handle “zero” variant in runtime tests
JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths
JDK-8273498: compiler/c2/Test7179138_1.java timed out
JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
JDK-8273592: Backout JDK-8271868
JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image.
JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian
JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests
JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease
JDK-8273695: Safepoint deadlock on VMOperation_lock
JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly
JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
JDK-8273808: Cleanup AddFontsToX11FontPath
JDK-8273826: Correct Manifest file name and NPE checks
JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release()
JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds
JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains ‘+’ character
JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled
JDK-8273968: JCK javax_xml tests fail in CI
JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
JDK-8274083: Update testing docs to mention tiered testing
JDK-8274087: Windows DLL path not set correctly.
JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition
JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
JDK-8274215: Remove globalsignr2ca root from 17.0.2
JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86
JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160
JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed “assert(m != __null) failed: NULL mirror”
JDK-8274347: Passing a nested switch expression as a parameter causes an NPE during compile
JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU
JDK-8274381: missing CAccessibility definitions in JNI code
JDK-8274383: JNI call of getAccessibleSelection on a wrong thread
JDK-8274401: C2: GraphKit::load_array_element bypasses Access API
JDK-8274406: RunThese30M.java failed “assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough”
JDK-8274407: (tz) Update Timezone Data to 2021c
JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
JDK-8274468: TimeZoneTest.java fails with tzdata2021b
JDK-8274501: c2i entry barriers read int as long on AArch64
JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected
JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
JDK-8274550: c2i entry barriers read int as long on PPC
JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah
JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume.
JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers
JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
JDK-8274840: Update OS detection code to recognize Windows 11
JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
JDK-8274851: [ppc64] Port zgc to linux on ppc64le
JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
JDK-8275049: [ZGC] missing null check in ZNMethod::log_register
JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed
JDK-8275104: IR framework does not handle client VM builds correctly
JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
JDK-8275131: Exceptions after a touchpad gesture on macOS
JDK-8275141: recover corrupted line endings for the version-numbers.conf
JDK-8275145: file.encoding system property has an incorrect value on Windows
JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges
JDK-8275302: unexpected compiler error: cast, intersection types and sealed
JDK-8275426: PretouchTask num_chunks calculation can overflow
JDK-8275604: Zero: Reformat opclabels_data
JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn’t have vm.flagless
JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak
JDK-8275766: (tz) Update Timezone Data to 2021e
JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:]
JDK-8275811: Incorrect instance to dispose
JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective
JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings
JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml
JDK-8276025: Hotspot’s libsvml.so may conflict with user dependency
JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
JDK-8276112: Inconsistent scalar replacement debug info at safepoints
JDK-8276122: Change openjdk project in jcheck to jdk-updates
JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme
JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration
JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition
JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
JDK-8276572: Fake libsyslookup.so library causes tooling issues
JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah
JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager
JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32
JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
JDK-8276854: Windows GHA builds fail due to broken Cygwin
JDK-8276864: Update boot JDKs to 17.0.1 in GHA
JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders
JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches
JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup

Notes on individual issues:

core-libs/java.io:serialization:

JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element

java.util.Vector is updated to correctly report
ClassNotFoundException that occurs during deserialization using
`java.io.ObjectInputStream.GetField.get(name, object)` when the class
of an element of the Vector is not found. Without this fix, a
`StreamCorruptedException` is thrown that does not provide information
about the missing class.

security-libs/java.security:

JDK-8272535: Removed Google’s GlobalSign Root Certificate

The following root certificate from Google has been removed from the
cacerts keystore:

Alias Name: globalsignr2ca [jdk]
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

core-libs/java.io:

JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows

The initialization of the file.encoding system property on non macOS
platforms has been reverted to align with the behavior on or before
JDK 11. This has been an issue especially on Windows where the system
and user’s locales are not the same.

hotspot/gc:

JDK-8277533: ZGC: Fixed long Process Non-Strong References times

A bug has been fixed that could cause long “Concurrent Process
Non-Strong References” times with ZGC. The bug blocked the GC from
making significant progress, and caused both latency and throughput
issues for the Java application.

The long times could be seen in the GC logs when running with -Xlog:gc* e.g.

[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms

core-libs/java.time:

JDK-8274857: Update Timezone Data to 2021c

IANA Time Zone Database, on which JDK’s Date/Time libraries are based,
has been updated to version 2021c
(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
that with this update, some of the time zone rules prior to the year
1970 have been modified according to the changes which were introduced
with 2021b. For more detail, refer to the announcement of 2021b
(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)

Read More

10 Things cybercriminals love about you


10 Ways organizations make attacks easy

What do cybercriminals love? (Mostly themselves, but that is beside the point.) They love organizations that have unmitigated risks in their web applications and application programming interfaces (APIs). With the entire world connected via the internet, the easiest and quickest way for threat actors to infiltrate your systems or steal customer data is through web applications. Everything from the code used to build the application, to the APIs used to connect components, to configuration and authentication is fair game.

The top 10 web application security risks cybercriminals love

The areas most often targeted for attack vary and change as cybercriminals invent newer and stealthier ways to worm their way into systems. According to OWASP, the 2021 Top 10 Web Application Security Risks are:

Broken Access Control
Cryptographic Failures (previously Sensitive Data Exposure)
Injection (which now includes Cross-Site Scripting)
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)

Most common attack types

Based on the risks listed above, criminals are most likely to employ the following attack types in their bid to infiltrate systems or steal sensitive customer credentials:

Client-side attacks (data breaches and credential compromise)

Client-side attacks include formjacking, credit card skimming, and Magecart attacks. Cybercriminals use client-side attacks to steal information directly from customers or other website users as they input information into websites. Stolen data includes credit card information and personally identifiable information (PII).

Supply chain attacks (JavaScript and software)

According to recent research, supply chain attacks surged by more than 650% over the last year. Threat actors leverage existing vulnerabilities in open-source and third-party code, or inject their own malicious scripts into software packages and third-party JavaScript, to attack every organization that loads that code through the supply chain.

Vulnerable application attacks (Unpatched bugs/vulnerabilities and legacy applications)

New bugs and vulnerabilities are discovered on a daily basis and cybercriminals love to exploit them. Equally, criminals are attracted to legacy applications that may contain unpatchable vulnerabilities. Sometimes attackers discover a vulnerability before the vendor or security researchers do; these 'zero days' enable application and system compromise, often without the organization even knowing it has been attacked. Common attack types that target such vulnerabilities are injection attacks: SQL, HTML, CSS and JavaScript injection, the last of which is cross-site scripting.

Automated attacks (Bots and DDoS)

Threat actors use automated tooling, typically botnets, for credential stuffing, content scraping, ticket/product scalping and gift card abuse, and distributed denial of service (DDoS) for business interruption.

Protect your organization from the risks and attacks that cybercriminals love

There are purpose-built solutions that safeguard organizations, consumers, and internet users from the very things that criminals love to use to their advantage. Two tools from Feroot that are part of the AT&T Managed Vulnerability Program provide client-side application security. These tools are:

Feroot Security PageGuard—Based on the Zero Trust model, PageGuard runs continuously in the background to automatically detect the types of unauthorized scripts and anomalous code behavior found in client-side, application, supply chain and automated attack types. If threats are detected, PageGuard blocks all unauthorized and unwanted behavior in real-time across the organization. PageGuard also automatically applies security configurations and permissions for continuous monitoring of and protection from malicious client-side activities and third-party scripts.

Feroot Security Inspector—In just seconds, Inspector automatically discovers all web assets a company utilizes and reports on their data access. Inspector finds all security vulnerabilities on the client-side and provides specific client-side threat remediation advice to application developers and security teams in real-time.

Next steps

Modern web applications are useful, but they can carry potentially dangerous vulnerabilities and bugs. Protect your customers and your websites and applications from client-side security threats, like Magecart and script attacks, with security tools like Feroot's Inspector and PageGuard. These services, offered through AT&T's Managed Vulnerability Program (MVP), allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.

Read More

Using Windows Defender Application Control to block malicious applications and drivers


Ideally, we would lock down our operating systems to allow only those applications we want to have running. For many companies, however, investigating what software is running in their networks takes resources and research that they often don’t have.

A tool built into Windows can provide better control over what runs on your system. Windows Defender Application Control (WDAC), also referred to as Microsoft Defender Application Control (MDAC), was introduced with Windows 10 and allows you to control drivers and applications on your Windows clients. Some WDAC capabilities are available only on specific Windows versions. Cmdlets are available on all SKUs since 1909. An older Microsoft whitelisting technology, AppLocker, is no longer being developed and will receive security fixes but no new features.


Read More

FIDO enters the consumer identity space


For as long as I have been in the security industry, a good quarter of a century, the conundrum of security versus usability has reigned. Attempts at redressing this balance have arisen. Mobile-based authentication has been added to the security armory of both consumer and enterprise login credentials. Further attempts at hardening login whilst balancing usability have seen the advent of biometric authentication methods; all attempt to cope with the infinite "phishability" of the humble password. Yet still, authentication remains the bugbear of the consumer and the identity industry.

The FIDO Alliance has been working to crack this security/usability riddle since 2012. Until now, its efforts have been chiefly aimed at the enterprise. However, as consumer identity and remote working create a fuzzy identity landscape, FIDO has turned its sights on fixing authentication for consumers.


Read More