Bug 298051 (CVE-2007-4575-b)
| Summary: | CVE-2007-4575 HSQLDB DoS and information disclosure | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marc Schoenefeld <mschoene> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | dbhole, fnasser, kreilly, patrickm, rbiba, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-02-07 18:31:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 303551, 303561, 303581, 303591, 410891 | | |
| Bug Blocks: | | | |
Description
Marc Schoenefeld
2007-09-20 13:02:25 UTC
I've been told by the maintainer, Fred Toussi (fredt.net), that there will be no mechanism in place to restrict connections to the server until 1.9.0. Despite that, I convinced hsqldb 1.8.0.7 on RHEL 5 to ignore remote connection attempts by having it bind to 127.0.0.1 rather than 0.0.0.0. To achieve this, you can set the (undocumented) property "server.address" in /var/lib/hsqldb/server.properties. Additionally, I've been told that there is no way to disable the default "sa" user. I think that the best we can do is probably to change the password during install to something random.
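As an added example (not part of the bug report or of the hsqldb package), a small Python script that audits a server.properties file for the all-interfaces bind the report describes and rewrites `server.address` to 127.0.0.1. The sample file contents are constructed, the file path and property name are the ones the report gives, and the parser is a deliberately minimal .properties reader (no line continuations or escapes).

```python
"""Audit and harden an HSQLDB 1.8 server.properties so the Server binds to
loopback (127.0.0.1) instead of the default 0.0.0.0, as described in the report."""
import re

PROPS_PATH = "/var/lib/hsqldb/server.properties"  # path given in the bug report
WILDCARDS = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}    # all-interfaces bind addresses

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return a list of findings; an empty list means the listener is loopback-only."""
    addr = parse_properties(text).get("server.address")
    if addr is None:
        return ["server.address not set: HSQLDB defaults to 0.0.0.0 (all interfaces)"]
    if addr in WILDCARDS:
        return [f"server.address={addr} binds to all interfaces"]
    return []

def harden(text, address="127.0.0.1"):
    """Return the properties text with server.address forced to `address`.
    An existing server.address line is rewritten in place; otherwise one is appended."""
    pattern = re.compile(r"^\s*server\.address\s*[=:].*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(f"server.address={address}", text, count=1)
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return f"{text}{sep}server.address={address}\n"

# Constructed sample resembling a stock server.properties with no server.address set.
SAMPLE = ("server.database.0=file:/var/lib/hsqldb/data/db\n"
          "server.dbname.0=\n"
          "server.port=9001\n"
          "server.silent=true\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    print("--- hardened %s ---" % PROPS_PATH)
    print(harden(SAMPLE), end="")
```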