[GemStone-Smalltalk] Critical bug: Password/login control features may cause repository corruption in 3.7.x

Lisa Almarode lisa.almarode at gemtalksystems.com
Mon Jul 14 15:39:22 PDT 2025


A bug has been uncovered that can cause repository corruption in 
versions 3.7.0 through 3.4.7.2 only, bug #51494.

If the SymbolGem is committing new symbols concurrently with a user 
login for a userProfile that has certain password security features 
enabled, other Gems may commit references to oops that were provided by 
the SymbolGem for new symbols, but the SymbolGem failed to commit. These 
oops may end up not existing, or being reused for unrelated objects.

The circumstances that expose this bug are password/login control 
features that update a UserProfile's security data (the last login 
time or the disabled state of the UserProfile) as part of a login. 
The following are the conditions that cause risk:
- a login hits a limit specified by a UserProfile's
     loginsAllowedBeforeExpiration, and passwordNeverExpires is false.
- passwordAgeLimit is set to a nonzero value for the UserProfile
     or AllUsers, and a login either succeeds or fails due to the
     age limit.
- passwordAgeWarning is set to a nonzero value for the UserProfile
     or AllUsers, and a login succeeds.
- staleAccountAgeLimit is set to a nonzero value for the UserProfile
     or AllUsers, and a login either succeeds or fails due to the
     age limit.
- the Stone configuration parameters STN_DISABLE_LOGIN_FAILURE_LIMIT
     and STN_DISABLE_LOGIN_FAILURE_TIME_LIMIT are set, and a user login
     fails the specified number of times within the specified time limit.
     Note that these parameters are enabled by default, to 15 login
     failures within 15 minutes.
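
To see which of the conditions above apply to a repository before deciding what to disable, an administrator can run an audit like the following in an existing session. This is an added example, not code from the advisory or the bugnote. It assumes that the UserProfile and AllUsers settings named above (passwordAgeLimit, passwordAgeWarning, staleAccountAgeLimit, loginsAllowedBeforeExpiration, passwordNeverExpires) are readable by the selectors of the same name, that a value of 0 means "not set", and that System class>>stoneConfigurationAt: returns the running Stone's value for a configuration parameter; all three are assumptions to check against the 3.7.x class documentation.

```smalltalk
"Added audit script (assumptions noted in the lead-in): report the
 UserProfiles and Stone settings that match the risk conditions."
| out siteWide exposed limit timeLimit |
out := WriteStream on: String new.

"Site-wide limits set on AllUsers apply to every profile."
siteWide := OrderedCollection new.
(AllUsers passwordAgeLimit ~= 0) ifTrue: [ siteWide add: 'passwordAgeLimit' ].
(AllUsers passwordAgeWarning ~= 0) ifTrue: [ siteWide add: 'passwordAgeWarning' ].
(AllUsers staleAccountAgeLimit ~= 0) ifTrue: [ siteWide add: 'staleAccountAgeLimit' ].
siteWide isEmpty ifFalse: [
  out nextPutAll: 'AllUsers has nonzero: ';
      nextPutAll: (siteWide inject: '' into: [:acc :s | acc, s, ' ']);
      nextPut: Character lf ].

"Per-profile settings; 0 is treated as 'not set' (assumption)."
AllUsers do: [:up |
  exposed := OrderedCollection new.
  "loginsAllowedBeforeExpiration only matters when passwordNeverExpires is false."
  (up passwordNeverExpires not and: [ up loginsAllowedBeforeExpiration ~= 0 ])
    ifTrue: [ exposed add: 'loginsAllowedBeforeExpiration' ].
  (up passwordAgeLimit ~= 0) ifTrue: [ exposed add: 'passwordAgeLimit' ].
  (up passwordAgeWarning ~= 0) ifTrue: [ exposed add: 'passwordAgeWarning' ].
  (up staleAccountAgeLimit ~= 0) ifTrue: [ exposed add: 'staleAccountAgeLimit' ].
  exposed isEmpty ifFalse: [
    out nextPutAll: up userId; nextPutAll: ': ';
        nextPutAll: (exposed inject: '' into: [:acc :s | acc, s, ' ']);
        nextPut: Character lf ] ].

"Stone-level login failure limit; the advisory notes it is enabled by
 default (15 failures within 15 minutes). stoneConfigurationAt: is an
 assumed selector."
limit := System stoneConfigurationAt: #STN_DISABLE_LOGIN_FAILURE_LIMIT.
timeLimit := System stoneConfigurationAt: #STN_DISABLE_LOGIN_FAILURE_TIME_LIMIT.
out nextPutAll: 'STN_DISABLE_LOGIN_FAILURE_LIMIT=';
    nextPutAll: limit printString;
    nextPutAll: ' STN_DISABLE_LOGIN_FAILURE_TIME_LIMIT=';
    nextPutAll: timeLimit printString;
    nextPut: Character lf.
out contents
```

The script only reads settings and commits nothing, so it is safe to run while the issue is present; any profile or site-wide line it prints, plus a nonzero Stone failure limit, marks a login path that can trigger the SymbolGem race described above.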

This bug does not apply to 3.6.x, 3.5.x, or earlier versions.

It is strongly recommended to disable the specified security features if 
you are using them in a 3.7.x repository. A 3.4.7.3 release with fixes 
will be available soon.

See the bugnote, https://gemtalksystems.com/data/bugnotes/51494.html, 
for more details, and contact GemTalk Technical Support if you have 
further questions or for an early access version of 3.4.7.3.

We apologize for this bug!

The GemStone/S team

