camel-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From MrLion <...@git.apache.org>
Subject camel pull request: VERACODE-992: fix of CWE ID 404 improper resource shutd...
Date Fri, 20 Dec 2013 16:07:03 GMT
GitHub user MrLion opened a pull request:

    https://github.com/apache/camel/pull/74

    VERACODE-992: fix of CWE ID 404 improper resource shutdown or release in FileLockExclusiveReadLockStrategy

    https://issues.apache.org/jira/browse/CAMEL-7088
    
    During Veracode scan of our application we discover issue with security in Camel. Please
review our fix and apply it in future versions.
    Quote from Veracode report below:
    Improper Resource Shutdown or Release (CWE ID 404)(1 flaw)
    Description
    The application fails to release (or incorrectly releases) a system resource before it
is made available for re-use. This
    condition often occurs with resources such as database connections or file handles. Most
unreleased resource issues
    result in general software reliability problems, but if an attacker can intentionally
trigger a resource leak, it may be
    possible to launch a denial of service attack by depleting the resource pool.
    Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
    Recommendations
    When a resource is created or allocated, the developer is responsible for properly releasing
the resource as well as
    accounting for all potential paths of expiration or invalidation. Ensure that all code
paths properly release resources.
    Instances found via Static Scan
    .../FileLockExclusiveReadLockStrategy.java line 68

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/engagepoint/camel feature-ENT-992-12

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/camel/pull/74.patch

----
commit 94cd55030ea138b42e86246dae43eec1d0529f64
Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
Date:   2013-12-20T13:52:14Z

    VERACODE-992: fix of CWE ID 404 improper resource shutdown or release in FileLockExclusiveReadLockStrategy

----


Mime
View raw message