db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Date Mon, 19 Nov 2007 23:22:43 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543730 ]

Daniel John Debrunner commented on DERBY-3083:
----------------------------------------------

> By "private to Derby" I mean that the properties cannot be overridden by any scheme that I'm aware of.

But any code that could execute in the window described previously could change those properties,
thus they are not private to Derby since they are system properties.

> Fixing DERBY-2362 could reduce the vulnerability. However, I don't understand how to fix DERBY-2362. The solutions which come to my mind seem to have the same small windows of vulnerability

The fix is described in the description to DERBY-2362. I don't see any windows of vulnerability;
could you explain what you are thinking?

> As you note, if there is a way to exploit this window, then it can be used to subvert the value of "derby.install.url" today. The incremental exposure seems very small to me.

To my thinking, increasing a security hole in any way is not a good direction to go in.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a different name than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects where the jar is renamed to "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

