db-derby-dev mailing list archives

From "Mamta A. Satoor (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6764) analyze impact of poodle security alert on Derby client - server ssl support
Date Tue, 04 Nov 2014 17:46:34 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196437#comment-14196437 ]

Mamta A. Satoor commented on DERBY-6764:
----------------------------------------

It is possible with some JVMs to have both SSLv3 and SSLv2Hello enabled, so I will change the
System.arraycopy to not assume that only one protocol was removed. Instead, it will use the
counter removedProtocolsCount, which maintains how many exact protocols were removed. Will
commit these changes soon. Also, I am wondering if there is any regression test we can write
for this jira? I do plan to fix DERBY-6768 today so at least the list of enabled protocols
on the server side will be in the log file.

> analyze impact of poodle security alert on Derby client - server ssl support
> ----------------------------------------------------------------------------
>
>                 Key: DERBY-6764
>                 URL: https://issues.apache.org/jira/browse/DERBY-6764
>             Project: Derby
>          Issue Type: Task
>    Affects Versions: 10.12.0.0
>            Reporter: Myrna van Lunteren
>            Assignee: Mamta A. Satoor
>             Fix For: 10.12.0.0
>
>         Attachments: DERBY6764_patch1_diff.txt, DERBY6764_patch1_stat.txt
>
>
> Recently, a security weakness was found in SSLv3, POODLE: SSLv3 vulnerability (CVE-2014-3566)
> Derby supports ssl between the client and network server.
> We should investigate this and decide if we need to change our product, e.g. to eliminate
> support for SSL in favor of its successor TLS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
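
The array handling described in the comment above, as an added example that is not Derby's code or the attached patch: it drops SSLv3 and SSLv2Hello from a list of enabled protocols and sizes the result by the number actually removed. The class and method names are hypothetical; only removedProtocolsCount and the two protocol names come from the message.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ProtocolFilterExample {   // hypothetical class name

    /** True for the two protocol names the comment says can be enabled together. */
    static boolean isDisallowed(String protocol) {
        return protocol.equals("SSLv3") || protocol.equals("SSLv2Hello");
    }

    /** Returns enabled[] without the disallowed entries, sized by the real removal count. */
    static String[] removeDisallowed(String[] enabled) {
        String[] kept = new String[enabled.length];
        int removedProtocolsCount = 0;
        for (int i = 0; i < enabled.length; i++) {
            if (isDisallowed(enabled[i])) {
                removedProtocolsCount++;
            } else {
                // Shift each survivor left by the number of entries dropped so far.
                kept[i - removedProtocolsCount] = enabled[i];
            }
        }
        // Sizing the result as enabled.length - 1 would leave a trailing null
        // entry whenever both SSLv3 and SSLv2Hello were present.
        String[] result = new String[enabled.length - removedProtocolsCount];
        System.arraycopy(kept, 0, result, 0, result.length);
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a JVM that reports both legacy names as enabled.
        String[] constructed = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(removeDisallowed(constructed)));

        // The same filter applied to whatever this JVM enables by default.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setEnabledProtocols(removeDisallowed(engine.getEnabledProtocols()));
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Calling removeDisallowed on fixed arrays containing neither, one, or both legacy names gives a check that needs no particular JVM configuration.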
