[jira] [Commented] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives

2024-04-06 Thread Bryan Pendleton (Jira)


[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17834550#comment-17834550 ]

Bryan Pendleton commented on DERBY-7161:


Yes, those seem good.

Perhaps also put links to the information in these places?
 * [https://db.apache.org/derby/docs/10.17/ref/rrefattrib24612.html]
 * https://db.apache.org/derby/docs/10.17/devguide/cdevdvlp51654.html

> Document the need for client-side applications to vet user-supplied 
> connection directives
> -
>
> Key: DERBY-7161
> URL: https://issues.apache.org/jira/browse/DERBY-7161
> Project: Derby
>  Issue Type: Task
>  Components: Documentation, Network Client
>Affects Versions: 10.18.0.0
>Reporter: Richard N. Hillegas
>Priority: Major
>
> Somewhere, we should document the fact that client-side applications should 
> not use user-supplied URLs or Properties objects to connect to remote 
> databases. Those URLs and Properties objects may contain instructions for 
> tracing network traffic. If the client-side application runs from a more 
> privileged account than the user, then this could let the user pollute parts 
> of the directory system to which the user does not normally have 
> write-access. Client-side applications should vet all user-supplied 
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] 
> https://github.com/apache/security-site/compare/main...raboof:security-site:mysql



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
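An added example, not code from the Jira thread or from the Derby code base, of the vetting that the issue description asks client-side applications to do. The application fixes the host, port and database name itself, accepts only credentials from the user, and fails closed if the user input carries any of the Derby client tracing attributes (traceFile, traceDirectory, traceLevel, traceFileAppend), which name files or directories the client JVM will write to. The class name, the allowlist of user-settable attributes, the URL prefix and the sample inputs are assumptions made for this illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/*
 * Added example (not Apache Derby project code): vet user-supplied connection
 * directives before handing them to the Derby network client. The tracing
 * attribute names are Derby's; the allowlist and URL prefix are assumptions.
 */
public final class ConnectionDirectiveVetter {

    /** Derby client attributes that make the JVM write trace output to a user-chosen path. */
    private static final Set<String> TRACE_ATTRIBUTES =
            Set.of("tracefile", "tracedirectory", "tracelevel", "tracefileappend");

    /** Assumption: only credentials may come from the user; everything else is fixed by the app. */
    private static final Set<String> USER_SETTABLE = Set.of("user", "password");

    /** Thrown when user input tries to set an attribute the application does not permit. */
    public static final class RejectedDirectiveException extends Exception {
        public RejectedDirectiveException(String message) { super(message); }
    }

    private ConnectionDirectiveVetter() {}

    /** Split the ';key=value' section of a Derby client URL into a map (keys lower-cased). */
    static Map<String, String> parseAttributes(String url) {
        Map<String, String> attrs = new LinkedHashMap<>();
        int semi = url.indexOf(';');
        if (semi < 0) return attrs;
        for (String pair : url.substring(semi + 1).split(";")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = (eq < 0 ? pair : pair.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
            attrs.put(key, eq < 0 ? "" : pair.substring(eq + 1));
        }
        return attrs;
    }

    /** Reject a key that is a tracing attribute or that is not on the user-settable allowlist. */
    static void checkKey(String rawKey) throws RejectedDirectiveException {
        String key = rawKey.trim().toLowerCase(Locale.ROOT); // case-folded so casing cannot bypass the check
        if (TRACE_ATTRIBUTES.contains(key)) {
            throw new RejectedDirectiveException("tracing attribute not permitted from user input: " + rawKey);
        }
        if (!USER_SETTABLE.contains(key)) {
            throw new RejectedDirectiveException("attribute not user-settable: " + rawKey);
        }
    }

    /** Return a new Properties holding only allowlisted keys; values may not smuggle ';key=value' pairs. */
    public static Properties vet(Properties userSupplied) throws RejectedDirectiveException {
        Properties vetted = new Properties();
        for (String name : userSupplied.stringPropertyNames()) {
            checkKey(name);
            String value = userSupplied.getProperty(name);
            if (value.indexOf(';') >= 0) {
                throw new RejectedDirectiveException("';' not permitted in value of " + name);
            }
            vetted.setProperty(name.trim().toLowerCase(Locale.ROOT), value);
        }
        return vetted;
    }

    /** Vet a URL typed by the user: it must target the application's database exactly. */
    public static Properties vetUrl(String expectedPrefix, String userUrl) throws RejectedDirectiveException {
        if (!userUrl.startsWith(expectedPrefix)) {
            throw new RejectedDirectiveException("URL does not target the application's database");
        }
        String rest = userUrl.substring(expectedPrefix.length());
        if (!rest.isEmpty() && rest.charAt(0) != ';') { // e.g. "/appdbX" must not pass as "/appdb"
            throw new RejectedDirectiveException("URL does not target the application's database");
        }
        Properties p = new Properties();
        for (Map.Entry<String, String> e : parseAttributes(userUrl).entrySet()) {
            p.setProperty(e.getKey(), e.getValue());
        }
        return vet(p);
    }

    public static void main(String[] args) {
        String prefix = "jdbc:derby://dbhost:1527/appdb"; // assumed; fixed by the application, never by the user
        String[] samples = {                               // constructed inputs for the demonstration
            prefix + ";user=alice;password=s3cret",
            prefix + ";user=alice;password=s3cret;traceFile=/etc/cron.d/owned",
            prefix + ";user=alice;TRACEDIRECTORY=/var/log",
            "jdbc:derby://evil:1527/other;user=alice",
        };
        for (String s : samples) {
            try {
                Properties ok = vetUrl(prefix, s);
                System.out.println("ACCEPT " + s + " -> " + ok.stringPropertyNames());
            } catch (RejectedDirectiveException ex) {
                System.out.println("REJECT " + s + " : " + ex.getMessage());
            }
        }
    }
}
```

Compile and run with `javac ConnectionDirectiveVetter.java && java ConnectionDirectiveVetter`; only the first sample is accepted. The vetted Properties would then be passed to `DriverManager.getConnection(prefix, vetted)` with the application's own fixed URL, so no attribute the user typed ever reaches the driver unchecked. Rejecting rather than silently stripping a tracing attribute is deliberate: the attempt becomes visible in the application's logs, which matters most when the application runs under a more privileged account than the user.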


[jira] [Commented] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives

2024-04-06 Thread Richard N. Hillegas (Jira)


[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17834543#comment-17834543 ]

Richard N. Hillegas commented on DERBY-7161:


Hi Bryan,

I suppose that something should be said in the Server Guide and the Security 
Guide. What are your thoughts?

> Document the need for client-side applications to vet user-supplied 
> connection directives
> -
>
> Key: DERBY-7161
> URL: https://issues.apache.org/jira/browse/DERBY-7161
> Project: Derby
>  Issue Type: Task
>  Components: Documentation, Network Client
>Affects Versions: 10.18.0.0
>Reporter: Richard N. Hillegas
>Priority: Major
>
> Somewhere, we should document the fact that client-side applications should 
> not use user-supplied URLs or Properties objects to connect to remote 
> databases. Those URLs and Properties objects may contain instructions for 
> tracing network traffic. If the client-side application runs from a more 
> privileged account than the user, then this could let the user pollute parts 
> of the directory system to which the user does not normally have 
> write-access. Client-side applications should vet all user-supplied 
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] 
> https://github.com/apache/security-site/compare/main...raboof:security-site:mysql





[INFO] DB Report for April, 2024

2024-04-06 Thread Bryan Pendleton
Hi all, thanks for the project update notes. Below is the
report I submitted to the board. Please let me know
of any errors or missing parts.

thanks,

bryan



## Description:
The mission of the Apache DB project is to create and maintain
commercial-quality, open-source, database solutions based on software licensed
to the Foundation, for distribution at no charge to the public.

The Apache DB TLP consists of the following subprojects:
 o Derby : a relational database implemented entirely in Java.
 o JDO   : focused on building the API and the TCK for compatibility
           testing of Java Data Object implementations providing data
           persistence.
 o Torque: an object-relational mapper for Java.


## Project Status:
Current project status: Ongoing, with moderate activity
Issues for the board: none

## Membership Data:
Apache DB was founded 2002-07-16 (22 years ago)
There are currently 48 committers and 45 PMC members in this project.
The Committer-to-PMC ratio is roughly 1:1.

Community changes, past quarter:
- No new PMC members. Last addition was Tobias Bouschen on 2023-08-27.
- No new committers. Last addition was Max Philipp Wriedt on 2023-04-14.

## Project Activity:
Several security issues were brought to the DB project's attention
this quarter, and were addressed by various community members:
- JDO community addressed an XSS vulnerability in the project's
  old archived Javadocs by removing the no-longer-required Javadocs
  from the project website.
- DB community addressed an XSS vulnerability in the (retired) ddlutils
  Javadocs by removing the no-longer-required Javadocs from the
  project website.
- Derby community examined an arbitrary file write vulnerability
  in the Derby client libraries and determined that it was best
  addressed via a combination of
  - documentation of the requirement for users to use this
    particular log-tracing feature with care,
  - and notice to known clients.

Apache security team assisted with the resolution of these security
issues and we are grateful as always for their prompt and thorough
help!

Torque team are readying a new release and discussing whether it
should be classified as a minor release or a major release based
on its changes. It would probably become either release 5.2 or 6.0,
depending on the outcome of the discussions.

Derby team have been verifying Derby compatibility with JDKs 21
and 22. No new problems have been revealed.

JDO team have been investigating several issues uncovered by
runs of the TCK.

## Community Health:
DB project health was good over the winter. All the project
teams were actively discussing development issues and working
on fixes and enhancements.


[jira] [Commented] (DERBY-7161) Document the need for client-side applications to vet user-supplied connection directives

2024-04-06 Thread Bryan Pendleton (Jira)


[ https://issues.apache.org/jira/browse/DERBY-7161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17834537#comment-17834537 ]

Bryan Pendleton commented on DERBY-7161:


Hi Rick, have you thought much about where we might best document this?

My thought is that we might put such documentation in multiple places to give 
it the best chance of being seen.

> Document the need for client-side applications to vet user-supplied 
> connection directives
> -
>
> Key: DERBY-7161
> URL: https://issues.apache.org/jira/browse/DERBY-7161
> Project: Derby
>  Issue Type: Task
>  Components: Documentation, Network Client
>Affects Versions: 10.18.0.0
>Reporter: Richard N. Hillegas
>Priority: Major
>
> Somewhere, we should document the fact that client-side applications should 
> not use user-supplied URLs or Properties objects to connect to remote 
> databases. Those URLs and Properties objects may contain instructions for 
> tracing network traffic. If the client-side application runs from a more 
> privileged account than the user, then this could let the user pollute parts 
> of the directory system to which the user does not normally have 
> write-access. Client-side applications should vet all user-supplied 
> directives before establishing connections.
> A related MySQL problem is described by [1].
> [1] 
> https://github.com/apache/security-site/compare/main...raboof:security-site:mysql


