rpms/hsqldb/F-8 hsqldb-1.8.0-standard-server.properties, 1.1, 1.2 hsqldb-1.8.0-standard.cfg, 1.1, 1.2 hsqldb.spec, 1.36, 1.37

Jon Prindiville (jprindiv) fedora-extras-commits at redhat.com
Tue Dec 4 20:09:34 UTC 2007


Author: jprindiv

Update of /cvs/pkgs/rpms/hsqldb/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17602

Modified Files:
	hsqldb-1.8.0-standard-server.properties 
	hsqldb-1.8.0-standard.cfg hsqldb.spec 
Log Message:
Backport patch, addressing CVE-2007-4576
Resolves: #410891



Index: hsqldb-1.8.0-standard-server.properties
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-8/hsqldb-1.8.0-standard-server.properties,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard-server.properties	31 Aug 2007 14:43:58 -0000	1.1
+++ hsqldb-1.8.0-standard-server.properties	4 Dec 2007 20:08:58 -0000	1.2
@@ -9,3 +9,13 @@
 
 server.port         9001
 server.no_system_exit         true
+
+# Until the following setting is changed, the HSQLDB service will not accept
+# remote connections. Failing to set a value for server.address at all will
+# result in the service binding itself to 0.0.0.0 and accepting remote
+# connections.
+#
+# IT IS STRONGLY ADVISED that before doing this you alter the password of
+# the default account (username "sa"). By default, no password is required
+# to connect to HSQLDB with the "sa" account.
+server.address      localhost
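Review bot: the new comment says the service "will not accept remote connections" until server.address is changed, but binding to localhost only restricts who can reach port 9001; any local account on the host can still connect with the passwordless "sa" account described two lines above. Consider stating that explicitly in the comment, and pointing the reader at where the "sa" password is changed rather than only advising that it be done.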


Index: hsqldb-1.8.0-standard.cfg
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-8/hsqldb-1.8.0-standard.cfg,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hsqldb-1.8.0-standard.cfg	31 Aug 2007 14:43:58 -0000	1.1
+++ hsqldb-1.8.0-standard.cfg	4 Dec 2007 20:08:58 -0000	1.2
@@ -84,6 +84,12 @@
 # In particular, you will want to add classpath elements to give access of
 # all of your store procedures (store procedures are documented in the 
 # HSQLDB User Guide in the SQL Syntax chapter.
+#
+# N.B.!
+# If you're adding files to the classpath in order to be able to call them
+# from SQL queries, you will be unable to access them unless you adjust the
+# value of the system property hsqldb.method_class_names. Please see the
+# comments on SERVER_JVMARGS, at the end of this file.
 # SERVER_ADDL_CLASSPATH=/home/blaine/storedprocs.jar:/usr/dev/dbutil/classes
 
 # For TLS encryption for your Server, set these two variables.
@@ -104,4 +110,19 @@
 
 # Any JVM args for the server.
 # For multiple args, put quotes around entire value.
-#SERVER_JVMARGS=-Xmx512m
+#
+# N.B.!
+# The default value of SERVER_JVMARGS sets the system property 
+# hsqldb.method_class_names to be empty. This is in order to lessen the
+# security risk posed by HSQLDB allowing Java method calls in SQL statements.
+# The implications of changing this value (as explained by the authors of
+# HSQLDB) are as follows:
+#     If [it] is not set, then static methods of all available Java classes
+#     can be accessed as functions in HSQLDB. If the property is set, then
+#     only the list of semicolon seperated method names becomes accessible.
+#     An empty property value means no class is accessible.
+# Regardless of the value of hsqldb.method_class_names, methods in
+# org.hsqldb.Library will be accessible.
+# Before making changes to the value below, please be advised of the possible
+# dangers involved in allowing SQL queries to contain Java method calls.
+SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"
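Review bot: the new default `SERVER_JVMARGS=-Dhsqldb.method_class_names=\"\"` depends on how this file is consumed: if the init script sources it and expands the variable unquoted, the JVM receives the two literal characters `""` as the property value rather than an empty string. The quoted HSQLDB text distinguishes an empty value (no class accessible) from a non-empty value (a list of method names), so verify on a running server what the property actually carries, and document the intended form next to the assignment. Removing the `#SERVER_JVMARGS=-Xmx512m` line also leaves the retained "For multiple args, put quotes around entire value" instruction without an example; consider showing the -D flag combined with another argument so users do not drop the property when they add a heap size. Minor: the quoted text misspells "separated" as "seperated".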


Index: hsqldb.spec
===================================================================
RCS file: /cvs/pkgs/rpms/hsqldb/F-8/hsqldb.spec,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- hsqldb.spec	16 Oct 2007 21:57:13 -0000	1.36
+++ hsqldb.spec	4 Dec 2007 20:08:58 -0000	1.37
@@ -38,7 +38,7 @@
 
 Name:		hsqldb
 Version:	1.8.0.8
-Release:	1jpp.4%{?dist}
+Release:	1jpp.5{?dist}
 Epoch:		1
 Summary:	Hsqldb Database Engine
 License:	BSD Style
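Review bot: the Release line loses the `%` in front of the dist macro: `-Release:	1jpp.4%{?dist}` becomes `+Release:	1jpp.5{?dist}`, so the tag will not expand and the built package will carry a literal `{?dist}` in its release field instead of the distribution suffix. It should read `Release:	1jpp.5%{?dist}`.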
@@ -52,6 +52,7 @@
 Patch0:     %{name}-1.8.0-scripts.patch
 Patch1:     hsqldb-tmp.patch
 Patch2:     %{name}-1.8.0-specify-su-shell.patch
+Patch3:     %{name}-1.8.0-backport.patch
 Requires:   servletapi5
 Requires(post):   /bin/rm,/bin/ln
 Requires(post):   servletapi5
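Review bot: Patch3 references `%{name}-1.8.0-backport.patch`, but this commit lists only the three existing files under "Modified Files" and no added files, so the backport patch itself is not part of this changeset. Confirm it was committed separately (and is listed in the Sources of the package), otherwise `%prep` will fail at `%patch3 -p1`.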
@@ -133,6 +134,7 @@
 %patch0
 %patch1 -p1
 %patch2
+%patch3 -p1
 
 %build
 export CLASSPATH=$(build-classpath \
@@ -269,6 +271,10 @@
 %{_datadir}/%{name}
 
 %changelog
+* Tue Dec 04 2007 Jon Prindiville <jprindiv at redhat.com> 1.8.0.8-1jpp.5
+- Backport patch, addressing CVE-2007-4576
+- Resolves: #410891
+
 * Tue Oct 16 2007 Deepak Bhole <dbhole at redhat.com> 1.8.0.8-1jpp.4
 - Rebuild
 



