db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DERBY-6619) After silently swallowing SecurityExceptions, Derby can leak class loaders
Date Mon, 25 Aug 2014 16:39:59 GMT

     [ https://issues.apache.org/jira/browse/DERBY-6619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Dag H. Wanvik updated DERBY-6619:
---------------------------------

    Attachment: derby-6619-2b.diff

Uploading [^derby-6619-2b]. Added an action in the setUp method of the new decorator ClassLoaderTestSetup
to shutdown the engine, so we can be sure the Derby classes are all loaded with the new class
loader (the lack thereof revealed by the regression suite).

> After silently swallowing SecurityExceptions, Derby can leak class loaders
> --------------------------------------------------------------------------
>
>                 Key: DERBY-6619
>                 URL: https://issues.apache.org/jira/browse/DERBY-6619
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>            Reporter: Rick Hillegas
>            Assignee: Dag H. Wanvik
>             Fix For: 10.11.1.2, 10.12.0.0
>
>         Attachments: derby-6619-2.diff, derby-6619-2b.diff, derby-6619.diff, derby-6619.status,
derby-6619b.diff, derby-6619c.diff, derby.log, system-loader.diff
>
>
> As part of the fix for DERBY-3745, Derby silently swallows security exceptions and leaks
class loaders. This can give rise to denial-of-service attacks. At a minimum, Derby should
report the swallowed exceptions so that the security policy can be corrected and the application
can be hardened against this attack. The swallowing occurs at these locations:
> {noformat}
> org.apache.derby.impl.services.timer.SingletonTimerFactory run Catch java.lang.SecurityException
0 line 175
> org.apache.derby.impl.services.timer.SingletonTimerFactory run Catch java.lang.SecurityException
1 line 158
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message