db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-4483) Provide a way to change the hash algorithm used by BUILTIN authentication
Date Tue, 08 Jun 2010 13:36:14 GMT

     [ https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Rick Hillegas updated DERBY-4483:
---------------------------------

    Description: 
The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1 algorithm.
It would be nice to have way to specify a different algorithm so that users can take advantage
of new, stronger algorithms provided by their JCE provider if so desired.

This issue tracks our response to security vulnerability CVE-2009-4269, which Marcell Major
identified. See http://marcellmajor.com/derbyhash.html

  was:
The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1 algorithm.
It would be nice to have way to specify a different algorithm so that users can take advantage
of new, stronger algorithms provided by their JCE provider if so desired.

This issue tracks our response to a security vulnerability, which Marcell Major identified.
See http://marcellmajor.com/derbyhash.html


> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>
>                 Key: DERBY-4483
>                 URL: https://issues.apache.org/jira/browse/DERBY-4483
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 10.5.3.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>             Fix For: 10.6.1.0
>
>         Attachments: comments.diff, derby-4483-1a.diff, derby-4483-1a.stat, derby-4483-2a.diff,
derby-4483-2a.stat, errormsg.diff, experiment.diff, releaseNote.html, releaseNote.html, toHexByte.diff,
upgrade-test.diff
>
>
> The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1
algorithm. It would be nice to have way to specify a different algorithm so that users can
take advantage of new, stronger algorithms provided by their JCE provider if so desired.
> This issue tracks our response to security vulnerability CVE-2009-4269, which Marcell
Major identified. See http://marcellmajor.com/derbyhash.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message