

Updated Java security policy in OpenJDK 11.0.18
Open, LowPublic

Description

The shipped default java.security was updated in 11.0.18, so we need to update our puppetised copy (I've trimmed known local modifications):

Some of new settings may only be introduced in 11.0.18, so needs some consideration to first move to .18 across the fleet before bumping the template

--- /etc/java-11-openjdk/security/java.security	2022-05-20 07:28:54.136623795 +0000
+++ /etc/java-11-openjdk/security/java.security.dpkg-new	2023-01-27 14:52:45.000000000 +0000
@@ -1,9 +1,4 @@
-# NOTE: This file is managed by Puppet.
 #
-# The following WMF-specific changes are made compared to the
-# upstream file:
-# jdk.security.legacyAlgorithms: Add DSA, SHA1, SHA224
-
 # This is the "master security properties file".
 #
 # An alternate java.security properties file may be specified
@@ -435,21 +428,22 @@
 # Policy for failed Kerberos KDC lookups:
 #
 # When a KDC is unavailable (network error, service failure, etc), it is
-# put inside a blacklist and accessed less often for future requests. The
+# put inside a secondary list and accessed less often for future requests. The
 # value (case-insensitive) for this policy can be:
 #
 # tryLast
-#    KDCs in the blacklist are always tried after those not on the list.
+#    KDCs in the secondary list are always tried after those not on the list.
 #
 # tryLess[:max_retries,timeout]
-#    KDCs in the blacklist are still tried by their order in the configuration,
-#    but with smaller max_retries and timeout values. max_retries and timeout
-#    are optional numerical parameters (default 1 and 5000, which means once
-#    and 5 seconds). Please notes that if any of the values defined here is
-#    more than what is defined in krb5.conf, it will be ignored.
+#    KDCs in the secondary list are still tried by their order in the
+#    configuration, but with smaller max_retries and timeout values.
+#    max_retries and timeout are optional numerical parameters (default 1 and
+#    5000, which means once and 5 seconds). Please note that if any of the
+#    values defined here are more than what is defined in krb5.conf, it will be
+#    ignored.
 #
-# Whenever a KDC is detected as available, it is removed from the blacklist.
-# The blacklist is reset when krb5.conf is reloaded. You can add
+# Whenever a KDC is detected as available, it is removed from the secondary
+# list. The secondary list is reset when krb5.conf is reloaded. You can add
 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 # reloaded whenever a JAAS authentication is attempted.
 #
@@ -560,7 +554,7 @@
 # can be included in the disabledAlgorithms properties.  These properties are
 # to help manage common actions easier across multiple disabledAlgorithm
 # properties.
-# There is one defined security property:  jdk.disabled.NamedCurves
+# There is one defined security property:  jdk.disabled.namedCurves
 # See the property for more specific details.
 #
 #
@@ -635,8 +629,9 @@
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, SHA224, DSA, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, \
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
+    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
+    SHA1 usage SignedJAR & denyAfter 2019-01-01, \
     include jdk.disabled.namedCurves
 
 #
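Review bot: Taking the new side of the rewritten jdk.certpath.disabledAlgorithms value as-is relaxes the certpath policy, not just its wording: the unconditional `SHA1, SHA224, DSA` entries and `RSA keySize < 2048, DSA keySize < 2048` disappear, replaced by `RSA keySize < 1024, DSA keySize < 1024` and SHA1 restricted to the TLSServer and SignedJAR usages. Those stricter entries are not recorded in the WMF modification header removed at the top of the diff, so it is unclear whether they are an undocumented local hardening or an older default; the task description should say which. If they are intentional, the template value should merge both sides, i.e. `jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, SHA224, DSA, SHA1 jdkCA & usage TLSServer, \` followed by `RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, \` and the new `SHA1 usage SignedJAR & denyAfter 2019-01-01, \` line, and the header should list them as a local change.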
@@ -656,7 +651,7 @@
 # implementation. It is not guaranteed to be examined and used by other
 # implementations.
 
-jdk.security.legacyAlgorithms=SHA1, SHA224, DSA, \
+jdk.security.legacyAlgorithms=SHA1, \
     RSA keySize < 2048, DSA keySize < 2048
 
 #
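Review bot: The new side drops `SHA224, DSA` from jdk.security.legacyAlgorithms, which the removed WMF header explicitly records as a local addition, so a template bumped straight from the dpkg-new file would silently lose that modification. Either re-apply it on the new side as `jdk.security.legacyAlgorithms=SHA1, SHA224, DSA, \` or, if the intent is now to follow upstream here, remove the corresponding line from the header so the header stays an accurate list of local changes.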
@@ -701,7 +696,8 @@
 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
 #
 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
-      DSA keySize < 1024, include jdk.disabled.namedCurves
+      DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \
+      include jdk.disabled.namedCurves
 
 #
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
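Review bot: The added `SHA1 denyAfter 2019-01-01` entry in jdk.jar.disabledAlgorithms, together with the `SHA1 usage SignedJAR & denyAfter 2019-01-01` entry added to jdk.certpath.disabledAlgorithms in the previous hunk, is a behavioural change rather than a comment update: once the fleet runs 11.0.18, SHA-1 signed JARs whose signature is not timestamped before that date are treated as unsigned by the reference implementation. The task description's point about moving to .18 before bumping the template should name this explicitly, so that internally signed or vendored JARs can be checked for SHA-1 signatures beforehand rather than failing at load time.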
@@ -1132,6 +1128,77 @@
   java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
 
 #
+# PKCS12 KeyStore properties
+#
+# The following properties, if configured, are used by the PKCS12 KeyStore
+# implementation during the creation of a new keystore. Several of the
+# properties may also be used when modifying an existing keystore. The
+# properties can be overridden by a KeyStore API that specifies its own
+# algorithms and parameters.
+#
+# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
+# parameter used to generate the existing Mac will be reused. If the existing
+# keystore does not have a Mac, no Mac will be created while storing. If there
+# is at least one certificate in the existing keystore, the algorithm and
+# parameters used to encrypt the last certificate in the existing keystore will
+# be reused to encrypt all certificates while storing. If the last certificate
+# in the existing keystore is not encrypted, all certificates will be stored
+# unencrypted. If there is no certificate in the existing keystore, any newly
+# added certificate will be encrypted (or stored unencrypted if algorithm
+# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
+# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
+# and secret key(s) are not changed. Newly set private and secret key(s) will
+# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
+# "keystore.pkcs12.keyPbeIterationCount" values defined here.
+#
+# In order to apply new algorithms and parameters to all entries in an
+# existing keystore, one can create a new keystore and add entries in the
+# existing keystore into the new keystore. This can be achieved by calling the
+# "keytool -importkeystore" command.
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+# If the property is set to an illegal value,
+# an iteration count that is not a positive integer, or an unknown algorithm
+# name, an exception will be thrown when the property is used.
+# If the property is not set or empty, a default value will be used.
+#
+# Note: These properties are currently used by the JDK Reference implementation.
+# They are not guaranteed to be examined and used by other implementations.
+
+# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
+# algorithm defined in the Cipher section of the Java Security Standard
+# Algorithm Names Specification. When set to "NONE", the certificate
+# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
+#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
+
+# The iteration count used by the PBE algorithm when encrypting a certificate.
+# This value must be a positive integer. The default value is 10000.
+#keystore.pkcs12.certPbeIterationCount = 10000
+
+# The algorithm used to encrypt a private key or secret key. This can be
+# any non-Hmac PBE algorithm defined in the Cipher section of the Java
+# Security Standard Algorithm Names Specification. The value must not be "NONE".
+# The default value is "PBEWithHmacSHA256AndAES_256".
+#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
+
+# The iteration count used by the PBE algorithm when encrypting a private key
+# or a secret key. This value must be a positive integer. The default value
+# is 10000.
+#keystore.pkcs12.keyPbeIterationCount = 10000
+
+# The algorithm used to calculate the optional MacData at the end of a PKCS12
+# file. This can be any HmacPBE algorithm defined in the Mac section of the
+# Java Security Standard Algorithm Names Specification. When set to "NONE",
+# no Mac is generated. The default value is "HmacPBESHA256".
+#keystore.pkcs12.macAlgorithm = HmacPBESHA256
+
+# The iteration count used by the MacData algorithm. This value must be a
+# positive integer. The default value is 10000.
+#keystore.pkcs12.macIterationCount = 10000
+
+#
 # Enhanced exception message information
 #
 # By default, exception messages should not include potentially sensitive
@@ -1236,7 +1303,6 @@
 # There are 3 possible values:
 #
 #  no-impersonate     - Ignore this configuration entry, and always act as
-
 #                       the owner of the TGT (if it exists).
 #
 #  try-impersonate    - Try impersonation when this configuration entry exists.
@@ -1267,69 +1333,34 @@
 #
 #jdk.security.allowNonCaAnchor=true
 
+# JNDI Object Factories Filter
 #
-# PKCS12 KeyStore properties
-#
-# The following properties, if configured, are used by the PKCS12 KeyStore
-# implementation during the creation of a new keystore. Several of the
-# properties may also be used when modifying an existing keystore. The
-# properties can be overridden by a KeyStore API that specifies its own
-# algorithms and parameters.
-#
-# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
-# parameter used to generate the existing Mac will be reused. If the existing
-# keystore does not have a Mac, no Mac will be created while storing. If there
-# is at least one certificate in the existing keystore, the algorithm and
-# parameters used to encrypt the last certificate in the existing keystore will
-# be reused to encrypt all certificates while storing. If the last certificate
-# in the existing keystore is not encrypted, all certificates will be stored
-# unencrypted. If there is no certificate in the existing keystore, any newly
-# added certificate will be encrypted (or stored unencrypted if algorithm
-# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
-# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
-# and secret key(s) are not changed. Newly set private and secret key(s) will
-# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
-# "keystore.pkcs12.keyPbeIterationCount" values defined here.
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
 #
-# In order to apply new algorithms and parameters to all entries in an
-# existing keystore, one can create a new keystore and add entries in the
-# existing keystore into the new keystore. This can be achieved by calling the
-# "keytool -importkeystore" command.
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
 #
-# If a system property of the same name is also specified, it supersedes the
-# security property value defined here.
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
 #
-# If the property is set to an illegal value,
-# an iteration count that is not a positive integer, or an unknown algorithm
-# name, an exception will be thrown when the property is used.
-# If the property is not set or empty, a default value will be used.
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
+
+#
+# The default Character set name (java.nio.charset.Charset.forName())
+# for converting TLS ALPN values between byte arrays and Strings.
+# Prior versions of the JDK may use UTF-8 as the default charset. If
+# you experience interoperability issues, setting this property to UTF-8
+# may help.
 #
-# Note: These properties are currently used by the JDK Reference implementation.
-# They are not guaranteed to be examined and used by other implementations.
-
-# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
-# algorithm defined in the Cipher section of the Java Security Standard
-# Algorithm Names Specification. When set to "NONE", the certificate
-# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
-#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
-
-# The iteration count used by the PBE algorithm when encrypting a certificate.
-# This value must be a positive integer. The default value is 10000.
-#keystore.pkcs12.certPbeIterationCount = 10000
-
-# The algorithm used to encrypt a private key or secret key. This can be
-# any non-Hmac PBE algorithm defined in the Cipher section of the Java
-# Security Standard Algorithm Names Specification. The value must not be "NONE".
-# The default value is "PBEWithHmacSHA256AndAES_256".
-#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
-
-# The iteration count used by the PBE algorithm when encrypting a private key
-# or a secret key. This value must be a positive integer. The default value
-# is 10000.
-#keystore.pkcs12.keyPbeIterationCount = 10000
-
-# The algorithm used to calculate the optional MacData at the end of a PKCS12
-# file. This can be any HmacPBE algorithm defined in the Mac section of the
-# Java Security Standard Algorithm Names Specification. When set to "NONE",
-# no Mac is generated. The default value is "HmacPBESHA1".
-#keystore.pkcs12.macAlgorithm = HmacPBESHA1
+# jdk.tls.alpnCharset=UTF-8
+jdk.tls.alpnCharset=ISO_8859_1
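Review bot: The new `jdk.jndi.object.factoriesFilter` property is left at its commented-out default of `*`, which the accompanying comment states allows any object factory class named by a returned reference to be instantiated. Since the puppetised copy is where the fleet's policy is set, consider enabling the property with an allowlist in jdk.serialFilter syntax, e.g. `jdk.jndi.object.factoriesFilter=<allowed.factory.Class>;!*` (placeholder class name), restricted to the factories the fleet's JNDI/LDAP consumers actually require and agreed with the service owners before the template bump. The explicit `jdk.tls.alpnCharset=ISO_8859_1` assignment matches the comment's description of the default and needs no local change.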