[jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath

Thu, 22 Nov 2007 04:51:05 -0800 

    [ 
https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12544794
 ] 

Aaron Digulla commented on DERBY-3083:
--------------------------------------

>> storing these URLs in the system properties (or any global variable) is okay 
>> too, because this cannot be exploited from a remote attacker
>That's an assumption that's hard to prove

This is very easy to prove: At the time this happens, the Network Server code 
has not yet created a socket, so a remote attacker can't connect -> q.e.d.

> These two statements contradict each other,...

I'm talking about two completely different things here: One talks about taking 
the code from the Derby project unmodified and the other talks about a 
developer building their own Derby server.

My argument is that there is no additional vulnerability if you allow any JAR 
name, it just makes an existing vulnerability more visible (so people who are 
concerned will know about it and can plan against it). This existing 
vulnerability can't be closed by enforcing a specific JAR name, so it doesn't 
matter what the name is and where it comes from.

So far, you have failed to come up with a convincing argument why my argument 
is wrong. If you insist that there might be additional vulnerabilities, list 
them one by one. Talking "grand" when we try to find a way to patch a bug is 
not helping. At the end of the day, the software must work and it must be as 
secure as we can make it; no more and no less.

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.3.1.4
>            Reporter: Aaron Digulla
>         Attachments: derby-3083-01-requireDerbynet-aa.diff, 
> derby-3083-01-requireDerbynet-ab.diff, derby-716-10-datatypesCollation-aa.diff
>
>
> The network server will not start if the derbynet jar is added under a 
> different name than "derbynet.jar" to the classpath. This makes it impossible 
> to use it in maven projects where the jar is renamed to 
> "derbynet-10.3.1.4.jar".
> This did work with 10.2.2.0

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to