From: "Rick Hillegas (JIRA)"
To: derby-dev@db.apache.org
Date: Tue, 20 Nov 2007 06:19:43 -0800 (PST)
Subject: [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Message-ID: <15795674.1195568383431.JavaMail.jira@brutus>
In-Reply-To: <17082838.1190192623682.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543900 ]

Rick Hillegas commented on DERBY-3083:
--------------------------------------

> The fix is described in the description to DERBY-2362. I don't see any windows of vulnerability, could you explain what you are thinking?

We seem to be talking about an attacker who has the ability to change system properties at any point in Derby's processing. Here is the scenario which came to my mind:

1) Derby sets system properties just before installing a security manager.
2) Blackhat changes the properties.
3) Derby installs the security manager.
4) Blackhat prompts a call to the security manager, which faults in the policy file and substitutes in the current values of the system properties.
5) Blackhat then changes the properties back to the values which Derby set.
6) Derby then runs the checks described in DERBY-2362 but sees nothing amiss.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a different name than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects where the jar is renamed to "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.