[ https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543930 ]
Daniel John Debrunner commented on DERBY-3083:
----------------------------------------------
> We seem to be talking about an attacker who has the ability to change system
> properties at any point in Derby's processing.

To be precise, not at any point, but while a security manager with Derby's
default policy is not installed. Obviously Derby is installing a security
manager because none exists, hence any code can set any system property.

Interesting case, that does require that step 2) changed the policy file to be
used by the security manager, otherwise step 5) is not possible.
I'll have to investigate if it would be possible for Blackhat to do that
without it being detected by Derby's checks (as in DERBY-2362).

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
> Key: DERBY-3083
> URL: https://issues.apache.org/jira/browse/DERBY-3083
> Project: Derby
> Issue Type: Bug
> Components: Tools
> Affects Versions: 10.3.1.4
> Reporter: Aaron Digulla
> Attachments: derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a
> different name than "derbynet.jar" to the classpath. This makes it impossible
> to use it in maven projects where the jar is renamed to
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0