db-derby-commits mailing list archives

From bpendle...@apache.org
Subject svn propchange: r1828579 - svn:log
Date Sat, 05 May 2018 15:10:31 GMT
Author: bpendleton
Revision: 1828579
Modified property: svn:log

Modified: svn:log at Sat May  5 15:10:31 2018
--- svn:log (original)
+++ svn:log Sat May  5 15:10:31 2018
@@ -1 +1,38 @@
 [RELEASE CHECKIN] Derby release ID set to:
+CVE-2018-1313: Apache Derby externally-controlled input vulnerability
+Severity: Important
+The Apache Software Foundation
+Versions Affected:
+Derby to
+A specially-crafted network packet can be used to request the Derby
+Network Server to boot a database whose location and contents are under
+the user's control. If the Derby Network Server is not running with a
+Java Security Manager policy file, the attack is successful. If the
+server is using a policy file, the policy file must permit the
+database location to be read for the attack to work. The default
+Derby Network Server policy file distributed with the affected releases
+includes a permissive policy as the default Network Server policy, which
+allows the attack to work.
+Users should specify an explicit security policy file, as described here:
+Derby release disallows the specially-crafted network packet,
+and also modifies the default Derby Network Server policy file to be
+significantly less permissive (the default file access policy is now
+limited to the derby.system.home directory and the directory from
+which the Derby jar files were loaded). It is still recommended that
+production installations of the Derby Network Server should specify
+an explicit security policy file.
+This issue was discovered by Grégory Draperi
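Review bot: the version fields in this log message are empty ("Versions Affected: Derby to" and "Derby release disallows the specially-crafted network packet"), and "Users should specify an explicit security policy file, as described here:" is followed by no link, so the CVE-2018-1313 notice as recorded in svn:log does not say which Derby versions are affected, which release contains the fix, or where the policy-file documentation lives. Suggest filling in the affected version range, the fixed release number and the documentation URL so the commit log is self-contained for anyone reading the history without the separate announcement.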
