rpms/hsqldb/F-8 hsqldb-1.8.0-standard-server.properties, 1.1, 1.2 hsqldb-1.8.0-standard.cfg, 1.1, 1.2 hsqldb.spec, 1.36, 1.37
Jon Prindiville (jprindiv)
fedora-extras-commits at redhat.com
Tue Dec 4 20:09:34 UTC 2007
Author: jprindiv
Update of /cvs/pkgs/rpms/hsqldb/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17602
Modified Files:
hsqldb-1.8.0-standard-server.properties
hsqldb-1.8.0-standard.cfg hsqldb.spec
Log Message:
Backport patch, addressing CVE-2007-4576
Resolves: #410891
Index: hsqldb-1.8.0-standard-server.properties
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-8/hsqldb-1.8.0-standard-server.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard-server.properties 31 Aug 2007 14:43:58 -0000 1.1
+++ hsqldb-1.8.0-standard-server.properties 4 Dec 2007 20:08:58 -0000 1.2
@@ -9,3 +9,13 @@
server.port 9001
server.no_system_exit true
+
+# Until the following setting is changed, the HSQLDB service will not accept
+# remote connections. Failing to set a value for server.address at all will
+# result in the service binding itself to 0.0.0.0 and accepting remote
+# connections.
+#
+# IT IS STRONGLY ADVISED that before doing this you alter the password of
+# the default account (username "sa"). By default, no password is required
+# to connect to HSQLDB with the "sa" account.
+server.address localhost
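Review bot: the new `server.address localhost` default changes behaviour for existing deployments that rely on remote clients, and nothing in this hunk says so; the comment should state that upgrading installs which need remote access must edit this line deliberately, and it is worth confirming how the spec ships this file (the %files section is not part of this diff), because if it is installed as %config(noreplace), upgraded systems keep their old properties file and do not receive this mitigation at all. The comment text itself is fine; "Failing to set a value ... will result in the service binding itself to 0.0.0.0" is the key fact and could be moved to the first sentence.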
Index: hsqldb-1.8.0-standard.cfg
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-8/hsqldb-1.8.0-standard.cfg,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard.cfg 31 Aug 2007 14:43:58 -0000 1.1
+++ hsqldb-1.8.0-standard.cfg 4 Dec 2007 20:08:58 -0000 1.2
@@ -84,6 +84,12 @@
# In particular, you will want to add classpath elements to give access of
# all of your store procedures (store procedures are documented in the
# HSQLDB User Guide in the SQL Syntax chapter.
+#
+# N.B.!
+# If you're adding files to the classpath in order to be able to call them
+# from SQL queries, you will be unable to access them unless you adjust the
+# value of the system property hsqldb.method_class_names. Please see the
+# comments on SERVER_JVMARGS, at the end of this file.
# SERVER_ADDL_CLASSPATH=/home/blaine/storedprocs.jar:/usr/dev/dbutil/classes
# For TLS encryption for your Server, set these two variables.
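Review bot: the added N.B. tells the reader that classpath additions are unusable "unless you adjust the value of the system property hsqldb.method_class_names" but not what the adjustment is; one sentence here saying that each class to be called must be listed in that property's semicolon-separated value (as the SERVER_JVMARGS comment later explains) saves a jump to the end of the file and reduces the chance of someone simply unsetting the property to make things work.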
@@ -104,4 +110,19 @@
# Any JVM args for the server.
# For multiple args, put quotes around entire value.
-#SERVER_JVMARGS=-Xmx512m
+#
+# N.B.!
+# The default value of SERVER_JVMARGS sets the system property
+# hsqldb.method_class_names to be empty. This is in order to lessen the
+# security risk posed by HSQLDB allowing Java method calls in SQL statements.
+# The implications of changing this value (as explained by the authors of
+# HSQLDB) are as follows:
+# If [it] is not set, then static methods of all available Java classes
+# can be accessed as functions in HSQLDB. If the property is set, then
+# only the list of semicolon seperated method names becomes accessible.
+# An empty property value means no class is accessible.
+# Regardless of the value of hsqldb.method_class_names, methods in
+# org.hsqldb.Library will be accessible.
+# Before making changes to the value below, please be advised of the possible
+# dangers involved in allowing SQL queries to contain Java method calls.
+SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"
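Review bot: please verify how the init script expands `SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"`; the comment two lines above says to put quotes around the entire value for multiple args, and with escaped quotes the JVM may receive the two-character string `""` rather than an empty value. That still matches no class, so it is not less restrictive, but the comment claims "An empty property value means no class is accessible", so the shipped value should actually be empty or the comment should say what the value really is. Two smaller points: "seperated" should be "separated" in the quoted text, and the removed `-Xmx512m` example could be kept as a second commented line so readers still see how to add a heap setting alongside the new property.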
Index: hsqldb.spec
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-8/hsqldb.spec,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- hsqldb.spec 16 Oct 2007 21:57:13 -0000 1.36
+++ hsqldb.spec 4 Dec 2007 20:08:58 -0000 1.37
@@ -38,7 +38,7 @@
Name: hsqldb
Version: 1.8.0.8
-Release: 1jpp.4%{?dist}
+Release: 1jpp.5{?dist}
Epoch: 1
Summary: Hsqldb Database Engine
License: BSD Style
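Review bot: `+Release: 1jpp.5{?dist}` has lost the `%` before `{?dist}`; as written the Release tag contains the literal text `{?dist}` instead of expanding to the distribution suffix, which breaks the package NEVR and disagrees with the changelog entry `1.8.0.8-1jpp.5`. It should read `Release: 1jpp.5%{?dist}`, matching the line it replaces.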
@@ -52,6 +52,7 @@
Patch0: %{name}-1.8.0-scripts.patch
Patch1: hsqldb-tmp.patch
Patch2: %{name}-1.8.0-specify-su-shell.patch
+Patch3: %{name}-1.8.0-backport.patch
Requires: servletapi5
Requires(post): /bin/rm,/bin/ln
Requires(post): servletapi5
@@ -133,6 +134,7 @@
%patch0
%patch1 -p1
%patch2
+%patch3 -p1
%build
export CLASSPATH=$(build-classpath \
@@ -269,6 +271,10 @@
%{_datadir}/%{name}
%changelog
+* Tue Dec 04 2007 Jon Prindiville <jprindiv at redhat.com> 1.8.0.8-1jpp.5
+- Backport patch, addressing CVE-2007-4576
+- Resolves: #410891
+
* Tue Oct 16 2007 Deepak Bhole <dbhole at redhat.com> 1.8.0.8-1jpp.4
- Rebuild
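Review bot: the changelog names the CVE and the bug but not the two user-visible changes the patch makes (server now binds to localhost by default, and hsqldb.method_class_names is set empty so Java method calls from SQL are disabled); administrators reading `rpm -q --changelog` after an upgrade need those two facts to understand why remote connections or stored procedure calls stopped working, so add a line for each.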