[ http://nagoya.apache.org/jira/browse/XALANJ-2008?page=history ]
Henry Zongaro updated XALANJ-2008:
----------------------------------
Description:
According to Sun's Security Code Guidelines
[http://java.sun.com/security/seccodeguide.html#gcg2], non-final static
variables and mutable static variables can cause unintended interactions within
the system. This problem appears in many classes in the current Xalan code.
This security issue becomes more severe when Xalan is distributed as part of
the JRE 1.4+; it is loaded by the system class loader and stays in the JVM as
long as the JVM is alive. Malicious code can change the behavior of a processor
by modifying those static variables.
was:
According to Sun’s Security Code Guidelines
[http://java.sun.com/security/seccodeguide.html#gcg2], non-final static
variables and mutable static variables can cause unintended interactions within
the system. This problem appears in many classes in the current Xalan code.
This security issue becomes more severe when Xalan is distributed as part of
the JRE 1.4+; it is loaded by the system class loader and stays in the JVM as
long as the JVM is alive. Malicious code can change the behavior of a processor
by modifying those static variables.
Xalan-keywords: PatchAvailable
> non-private non-final static variables and mutable static variables open
> potential security holes in Xalan
> ----------------------------------------------------------------------------------------------------------
>
> Key: XALANJ-2008
> URL: http://nagoya.apache.org/jira/browse/XALANJ-2008
> Project: XalanJ2
> Type: Bug
> Components: Xalan
> Versions: CurrentCVS
> Environment: Distributed with JDK 1.4+
> Reporter: Christine Li
> Attachments: SecurityFixes.txt
>
> According to Sun's Security Code Guidelines
> [http://java.sun.com/security/seccodeguide.html#gcg2], non-final static
> variables and mutable static variables can cause unintended interactions
> within the system. This problem appears in many classes in the current Xalan
> code.
> This security issue becomes more severe when Xalan is distributed as part of
> the JRE 1.4+; it is loaded by the system class loader and stays in the JVM as
> long as the JVM is alive. Malicious code can change the behavior of a
> processor by modifying those static variables.
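The pattern the report describes, next to a hardened form, as an added example that is not taken from Xalan or from the attached SecurityFixes.txt. The class and field names (WeakConfig, HardenedConfig, allowedMethods, secureProcessing) are hypothetical and only stand in for library-wide static state.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class StaticStateDemo {

    // Weak (hypothetical class): state shared by every user of the library in this JVM.
    static class WeakConfig {
        // final, but the array contents can still be overwritten by any caller
        public static final String[] allowedMethods = {"xml", "html", "text"};
        // non-final: any caller can reassign it
        public static boolean secureProcessing = true;

        static boolean isAllowed(String method) {
            return secureProcessing && Arrays.asList(allowedMethods).contains(method);
        }
    }

    // Hardened (hypothetical class): private, final, and immutable; read access only.
    static final class HardenedConfig {
        private static final List<String> ALLOWED_METHODS =
            Collections.unmodifiableList(Arrays.asList("xml", "html", "text"));

        private HardenedConfig() {}

        static boolean isAllowed(String method) {
            return ALLOWED_METHODS.contains(method);
        }

        static List<String> allowedMethods() {
            return ALLOWED_METHODS; // unmodifiable view, backing array never escapes
        }
    }

    public static void main(String[] args) {
        // Unrelated code in the same JVM changes behavior for every later caller.
        WeakConfig.allowedMethods[0] = "other";
        WeakConfig.secureProcessing = false;
        System.out.println("weak: xml allowed = " + WeakConfig.isAllowed("xml"));

        // The same attempt against the hardened class is rejected at runtime.
        try {
            HardenedConfig.allowedMethods().set(0, "other");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened: modification rejected");
        }
        System.out.println("hardened: xml allowed = " + HardenedConfig.isAllowed("xml"));
    }
}
```

The weak class shows both cases named in the report: a non-final static field, and a static field that is final but refers to a mutable object.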