[
https://issues.apache.org/jira/browse/DERBY-3585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12584438#action_12584438
]
John H. Embretsen commented on DERBY-3585:
------------------------------------------
I'm wondering if the release note's description of the previous state may lead
to impressions that the security issue was more severe than it actually was.
Specifically, the release note says:

"Any user could shut down the server..."

and

"The previous behavior represented a security issue, because any client,
without providing user credentials, could shut down a network server running
with user authentication."

Should we mention the fact that only local users/clients (users/clients on the
same host as the host running the server) could shut down the server? (Which as
far as I know is still true).
> Document user authentication support for network server shutdown
> ----------------------------------------------------------------
>
> Key: DERBY-3585
> URL: https://issues.apache.org/jira/browse/DERBY-3585
> Project: Derby
> Issue Type: Sub-task
> Components: Documentation
> Reporter: Martin Zaun
> Assignee: Martin Zaun
> Fix For: 10.4.0.0
>
> Attachments: releaseNote.html, releaseNote.html
>
>
> As part of the System Privileges work in DERBY-2109, the support of user
> authentication for network server shutdown was discussed, implemented, and
> committed (revision 632502).
> In order to address a security issue (missing user authentication for
> shutdown), this feature introduces a few incompatibilities with the usage of
> NetworkServerControl, which need to be documented.
> This JIRA is to provide for the user documentation and the release notes
> describing the usage changes and incompatibilities.