From: "Dag H. Wanvik (JIRA)"
To: derby-dev@db.apache.org
Date: Mon, 25 Aug 2014 16:39:59 +0000 (UTC)
Subject: [jira] [Updated] (DERBY-6619) After silently swallowing SecurityExceptions, Derby can leak class loaders

[ https://issues.apache.org/jira/browse/DERBY-6619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-6619:
---------------------------------
    Attachment: derby-6619-2b.diff

Uploading [^derby-6619-2b]. Added an action in the setUp method of the new decorator ClassLoaderTestSetup to shut down the engine, so we can be sure the Derby classes are all loaded with the new class loader (the lack thereof was revealed by the regression suite).
> After silently swallowing SecurityExceptions, Derby can leak class loaders
> --------------------------------------------------------------------------
>
>                 Key: DERBY-6619
>                 URL: https://issues.apache.org/jira/browse/DERBY-6619
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>            Reporter: Rick Hillegas
>            Assignee: Dag H. Wanvik
>             Fix For: 10.11.1.2, 10.12.0.0
>
>         Attachments: derby-6619-2.diff, derby-6619-2b.diff, derby-6619.diff, derby-6619.status, derby-6619b.diff, derby-6619c.diff, derby.log, system-loader.diff
>
>
> As part of the fix for DERBY-3745, Derby silently swallows security exceptions and leaks class loaders. This can give rise to denial-of-service attacks. At a minimum, Derby should report the swallowed exceptions so that the security policy can be corrected and the application can be hardened against this attack. The swallowing occurs at these locations:
> {noformat}
> org.apache.derby.impl.services.timer.SingletonTimerFactory run Catch java.lang.SecurityException 0 line 175
> org.apache.derby.impl.services.timer.SingletonTimerFactory run Catch java.lang.SecurityException 1 line 158
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.2#6252)
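The issue description above names the failure mode (a SecurityException caught and dropped inside a timer thread, leaving an application class loader pinned), and the update describes a test decorator that checks whether the loader can be released. The following is an added, self-contained Java example written for this note; it is not Derby's SingletonTimerFactory or ClassLoaderTestSetup and does not reproduce their code. It assumes the leak mechanism that the description implies: a long-lived daemon thread inherits the creating thread's context class loader, so unless that reference is reset (an operation that needs RuntimePermission("setContextClassLoader") under a security manager), the loader stays strongly reachable. The simulated permission denial (`failDetach`) stands in for a real SecurityException, and the empty URLClassLoader stands in for an application or web-app loader; both are constructed for the demo.

```java
import java.lang.ref.WeakReference;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.CountDownLatch;

/**
 * Demo harness (constructed for this note; not Derby's ClassLoaderTestSetup).
 * Starts a long-lived daemon timer thread while an application class loader is
 * the caller's context class loader, then checks whether that loader can still
 * be garbage-collected once the application drops its own reference.
 */
public class ClassLoaderLeakCheck {

    /**
     * Start a daemon Timer the way a service thread is started from application
     * code: the new thread inherits the caller's context class loader.
     * detach     - schedule a task that resets the timer thread's context loader
     * failDetach - simulate the reset being denied by the security policy
     * swallow    - drop the SecurityException silently instead of reporting it
     */
    static Timer startTimer(ClassLoader appLoader, boolean detach,
                            boolean failDetach, boolean swallow) throws InterruptedException {
        Thread caller = Thread.currentThread();
        ClassLoader saved = caller.getContextClassLoader();
        caller.setContextClassLoader(appLoader);
        Timer timer;
        try {
            timer = new Timer("demo-timer", true);   // the timer thread captures appLoader here
        } finally {
            caller.setContextClassLoader(saved);
        }
        if (detach) {
            CountDownLatch done = new CountDownLatch(1);
            timer.schedule(new TimerTask() {
                @Override public void run() {
                    try {
                        if (failDetach) {
                            // Stand-in for the real SecurityException thrown when
                            // RuntimePermission("setContextClassLoader") is denied.
                            throw new SecurityException("setContextClassLoader denied (simulated)");
                        }
                        Thread.currentThread().setContextClassLoader(null);
                    } catch (SecurityException se) {
                        // Swallowing here pins the loader with no trace in any log.
                        // Reporting gives the operator a chance to fix the policy.
                        if (!swallow) {
                            System.err.println("WARNING: timer thread still references the "
                                + "application class loader: " + se.getMessage());
                        }
                    } finally {
                        done.countDown();
                    }
                }
            }, 0);
            done.await();   // make sure the reset attempt has happened before we measure
        }
        return timer;
    }

    /** True if the weakly referenced loader was collected after a few GC cycles. */
    static boolean loaderCollected(WeakReference<ClassLoader> ref) throws InterruptedException {
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    /** Run one scenario and report whether the application loader could be released. */
    static boolean scenario(boolean detach, boolean failDetach, boolean swallow) throws Exception {
        ClassLoader appLoader = new URLClassLoader(new URL[0]);   // stand-in for an app/webapp loader
        WeakReference<ClassLoader> ref = new WeakReference<>(appLoader);
        Timer timer = startTimer(appLoader, detach, failDetach, swallow);
        appLoader = null;                                           // "undeploy": drop our strong reference
        boolean collected = loaderCollected(ref);
        timer.cancel();                                             // stop the daemon thread for the next run
        return collected;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no detach at all         -> collected=" + scenario(false, false, false));
        System.out.println("detach denied, swallowed -> collected=" + scenario(true, true, true));
        System.out.println("detach denied, reported  -> collected=" + scenario(true, true, false));
        System.out.println("detach succeeded         -> collected=" + scenario(true, false, false));
    }
}
```

Run it with `javac ClassLoaderLeakCheck.java && java ClassLoaderLeakCheck`. The loader is expected to be reported as collectible only in the last scenario; the second and third both keep it pinned, and the only difference between them is that the third leaves a warning on stderr, which is the minimum the issue description asks for. The weak-reference check is the same idea as a regression test that shuts the engine down, drops every reference to the loader it was started under, and then asserts the loader is gone; `System.gc()` is a hint rather than a guarantee, so a real test should retry a bounded number of times as `loaderCollected` does.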