[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543730 ]

Daniel John Debrunner commented on DERBY-3083:
----------------------------------------------

> By "private to Derby" I mean that the properties cannot be overridden by any 
> scheme that I'm aware of. 

But any code that could execute in the window described previously could change 
those properties, thus they are not private to Derby since they are system 
properties.

> Fixing DERBY-2362 could reduce the vulnerability. However, I don't understand 
> how to fix DERBY-2362. The solutions which come to my mind seem to have the 
> same small windows of vulnerability.

The fix is described in the description of DERBY-2362. I don't see any windows 
of vulnerability; could you explain what you are thinking?

> As you note, if there is a way to exploit this window, then it can be used to 
> subvert the value of "derby.install.url" today. The incremental exposure 
> seems very small to me.

To my thinking, increasing a security hole in any way is not a good direction to 
go in.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a 
> different name than "derbynet.jar" to the classpath. This makes it impossible 
> to use it in maven projects where the jar is renamed to 
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
