db-derby-dev mailing list archives

From "Aaron Digulla (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Date Thu, 22 Nov 2007 12:50:43 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12544794 ]

Aaron Digulla commented on DERBY-3083:
--------------------------------------

>> storing these URLs in the system properties (or any global variable) is okay too,
>> because this cannot be exploited from a remote attacker
> That's an assumption that's hard to prove

This is very easy to prove: At the time this happens, the Network Server code has not yet
created a socket, so a remote attacker can't connect -> q.e.d.

> These two statements contradict each other,...

I'm talking about two completely different things here: One talks about taking the code from
the Derby project unmodified and the other talks about a developer building their own Derby
server.

My argument is that there is no additional vulnerability if you allow any JAR name, it just
makes an existing vulnerability more visible (so people who are concerned will know about
it and can plan against it). This existing vulnerability can't be closed by enforcing a specific
JAR name, so it doesn't matter what the name is and where it comes from.

So far, you have failed to come up with a convincing argument why my argument is wrong. If
you insist that there might be additional vulnerabilities, list them one by one. Talking "grand"
when we try to find a way to patch a bug is not helping. At the end of the day, the software
must work and it must be as secure as we can make it; no more and no less.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-3083-01-requireDerbynet-aa.diff, derby-3083-01-requireDerbynet-ab.diff,
>                      derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a different name
> than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects
> where the jar is renamed to "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
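The issue text describes a start-up check that looks for a classpath entry literally named "derbynet.jar", which fails for a Maven-renamed "derbynet-10.3.1.4.jar". The Java below is an added illustration written for this archive page, not code from the Derby project or from either commenter. It contrasts that file-name check with resolving the JAR a class was actually loaded from through its CodeSource; the classpath strings are constructed, and the class name org.apache.derby.drda.NetworkServerControl is assumed to be the network server's public entry point (it resolves only when Derby is on the JVM's real classpath).

```java
import java.io.File;
import java.net.URL;
import java.security.CodeSource;

/**
 * Two ways of answering "is the network server code present, and where?".
 * Hypothetical helper written for this discussion; it is not Derby code.
 */
public class DerbyJarLocator {

    /**
     * Name-based check: true only if some classpath entry's file name is
     * exactly jarName. It says nothing about what the file contains and
     * breaks as soon as the artifact is renamed (e.g. by a Maven repository).
     */
    public static boolean classpathHasJarNamed(String classPath, String jarName) {
        for (String entry : classPath.split(File.pathSeparator)) {
            if (entry.isEmpty()) {
                continue;
            }
            if (new File(entry).getName().equals(jarName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Class-loader-based check: ask the JVM which JAR (or directory) actually
     * supplied the class, regardless of the file's name. Returns null when the
     * class cannot be loaded or carries no CodeSource (typical for JDK classes).
     */
    public static URL locationOfClass(String className) {
        try {
            Class<?> cls = Class.forName(className);
            CodeSource cs = cls.getProtectionDomain().getCodeSource();
            return cs == null ? null : cs.getLocation();
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed classpath values mimicking the two layouts from the issue.
        String mavenStyle = "lib/derby-10.3.1.4.jar" + File.pathSeparator
                + "lib/derbynet-10.3.1.4.jar";
        String stockStyle = "lib/derby.jar" + File.pathSeparator + "lib/derbynet.jar";

        System.out.println("name check, Maven-style names: "
                + classpathHasJarNamed(mavenStyle, "derbynet.jar"));
        System.out.println("name check, stock names:       "
                + classpathHasJarNamed(stockStyle, "derbynet.jar"));

        // Class-based lookup against this JVM's real classpath. The Derby class
        // name is assumed to be the network server entry point; it yields null
        // unless a Derby network server JAR is actually on the classpath.
        System.out.println("derbynet via class loader:   "
                + locationOfClass("org.apache.derby.drda.NetworkServerControl"));
        System.out.println("this class via class loader: "
                + locationOfClass(DerbyJarLocator.class.getName()));
    }
}
```

With the constructed inputs the name check returns false for the Maven-style layout and true for the stock layout, which is exactly the failure the issue reports. The CodeSource lookup instead reports the URL of whatever JAR or directory the class loader really used, so it keeps working after a rename and, from a defender's side, is also the value worth logging at start-up: it records where the executing code came from, whereas a matching file name guarantees nothing about the file's contents.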

