[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543900 ]

Rick Hillegas commented on DERBY-3083:
--------------------------------------

>The fix is described in the description to DERBY-2362, I don't see any windows 
>of vulnerability, could you explain what you are thinking? 

We seem to be talking about an attacker who has the ability to change system 
properties at any point in Derby's processing. Here is the scenario which came 
to my mind:

1) Derby sets system properties just before installing a security manager.

2) Blackhat changes the properties.

3) Derby installs the security manager.

4) Blackhat prompts a call to the security manager, which faults in the policy 
file and substitutes in the current values of the system properties.

5) Blackhat then changes the properties back to the values which Derby set.

6) Derby then runs the checks described in DERBY-2362 but sees nothing amiss.


> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a 
> different name than "derbynet.jar" to the classpath. This makes it impossible 
> to use it in maven projects where the jar is renamed to 
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
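The six-step sequence in the comment above, as an added illustration that is not part of the original message and not Derby's own code. It assumes a policy string with a `${...}` property reference that is expanded lazily on the first permission check (the way a policy file is faulted in); the property name `derby.install.url`, the two file URLs, and the "resolved-policy" check at the end are assumptions for the example, not the logic of DERBY-2362.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical simulation of the race: a policy that substitutes ${property}
 * references at the moment it is first read, and two kinds of tamper check.
 * Not Derby's code.
 */
public final class LazyPolicyRace {

    /** Assumed property name, trusted value and attacker value (not from Derby). */
    static final String PROP = "derby.install.url";
    static final String TRUSTED = "file:/opt/derby/lib/";
    static final String ATTACKER = "file:/tmp/attacker/";

    /** Assumed grant: whoever controls PROP when the policy is read decides which codeBase gets AllPermission. */
    static final String POLICY_TEMPLATE =
        "grant codeBase \"${" + PROP + "}derbynet.jar\" { permission java.security.AllPermission; };";

    private static final Pattern REF = Pattern.compile("\\$\\{([^}]+)\\}");

    /** Substitute every ${name} with the property value current at the time of the call. */
    static String expand(String template, Properties props) {
        Matcher m = REF.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = props.getProperty(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Stands in for the installed security manager plus its lazily loaded policy. */
    static final class LazyPolicy {
        private final Properties props;
        private String resolved;              // null until the first check faults the policy in

        LazyPolicy(Properties props) { this.props = props; }

        /** The first call reads the properties as they are *now*; later calls reuse that result. */
        String checkPermission() {
            if (resolved == null) {
                resolved = expand(POLICY_TEMPLATE, props);
            }
            return resolved;
        }
    }

    /** Naive check: do the properties still hold the value Derby set? (step 6 of the comment) */
    static boolean propertiesLookIntact(Properties props) {
        return TRUSTED.equals(props.getProperty(PROP));
    }

    /**
     * Assumed stronger check (not Derby's DERBY-2362 logic): compare what the policy actually
     * resolved against the expansion of the values Derby intended, so a restore-after-use
     * of the property does not hide the substitution.
     */
    static boolean policyResolvedAsIntended(LazyPolicy policy, Properties intended) {
        return expand(POLICY_TEMPLATE, intended).equals(policy.checkPermission());
    }

    /** Runs the six steps from the comment and reports what each check sees. */
    public static void main(String[] args) {
        Properties intended = new Properties();
        intended.setProperty(PROP, TRUSTED);

        Properties system = new Properties();
        system.setProperty(PROP, TRUSTED);              // 1) Derby sets the property
        system.setProperty(PROP, ATTACKER);             // 2) attacker changes it
        LazyPolicy policy = new LazyPolicy(system);     // 3) security manager installed, policy not yet read
        String granted = policy.checkPermission();      // 4) attacker triggers the first check
        system.setProperty(PROP, TRUSTED);              // 5) attacker restores Derby's value

        System.out.println("policy granted AllPermission to: " + granted);
        System.out.println("property-value check passes: " + propertiesLookIntact(system));
        System.out.println("resolved-policy check passes:  " + policyResolvedAsIntended(policy, intended));
    }
}
```

Run with `javac LazyPolicyRace.java && java LazyPolicyRace`: the property-value check reports `true` (it compares the restored value with the expected one and sees nothing amiss, exactly the outcome in step 6), while the resolved-policy check reports `false` because the grant line the policy captured names the attacker's codeBase. The point of the example is that a check on the *current* property values cannot detect a substitution that was consumed and undone inside the window; only a check on what the policy actually resolved can.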