db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Date Tue, 20 Nov 2007 16:12:43 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543930 ]

Daniel John Debrunner commented on DERBY-3083:

> We seem to be talking about an attacker who has the ability to change system properties
> at any point in Derby's processing.

To be precise, not at any point, but while a security manager with Derby's default policy
is not installed. Obviously Derby is installing a security manager because none exists, hence
any code can set any system property.

Interesting case, that does require that step 2) changed the policy file to be used by the
security manager, otherwise step 5) is not possible.
I'll have to investigate if it would be possible for Blackhat to do that without it being
detected by Derby's checks (as in DERBY-2362).

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions:
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
> The network server will not start if the derbynet jar is added under a different name
> than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects
> where the jar is renamed to "derbynet-".
> This did work with
