[DERBY-4483] Provide a way to change the hash algorithm used by BUILTIN authentication - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 10.5.3.0
Fix Version/s: 10.6.1.0
Component/s: Services
Labels:
None

Issue & fix info:

Release Note Needed
Bug behavior facts:

Security

Description

The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1 algorithm. It would be nice to have way to specify a different algorithm so that users can take advantage of new, stronger algorithms provided by their JCE provider if so desired.

This issue tracks our response to security vulnerability CVE-2009-4269, which Marcell Major identified. See http://marcellmajor.com/derbyhash.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

upgrade-test.diff
03/Mar/10 14:18
7 kB
Knut Anders Hatlen
toHexByte.diff
22/Mar/10 12:44
5 kB
Knut Anders Hatlen
releaseNote.html
23/Mar/10 16:25
7 kB
Knut Anders Hatlen
releaseNote.html
25/Mar/10 12:40
7 kB
Knut Anders Hatlen
experiment.diff
26/Feb/10 12:37
13 kB
Knut Anders Hatlen
errormsg.diff
24/Mar/10 13:15
3 kB
Knut Anders Hatlen
derby-4483-2a.stat
23/Mar/10 16:25
0.4 kB
Knut Anders Hatlen
derby-4483-2a.diff
23/Mar/10 16:25
6 kB
Knut Anders Hatlen
derby-4483-1a.stat
12/Mar/10 12:24
0.7 kB
Knut Anders Hatlen
derby-4483-1a.diff
12/Mar/10 12:24
33 kB
Knut Anders Hatlen
comments.diff
18/Mar/10 12:09
5 kB
Knut Anders Hatlen

Issue Links

is related to

DERBY-4602 10 failures and 11 errors with IBM weme6.2/j9/cdc-foundation after revision 922304 for DERBY-4483

Closed

relates to

DERBY-4468 Security weaknesses

Closed

DERBY-4579 Document the configurable hash authentication scheme

Closed

Activity

People

Assignee:: Knut Anders Hatlen

Reporter:: Knut Anders Hatlen

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 18/Dec/09 12:26

Updated:: 08/Jun/10 13:45

Resolved:: 20/Apr/10 07:59