From lisa.almarode at gemtalksystems.com Mon Jul 14 15:39:29 2025
From: lisa.almarode at gemtalksystems.com (Lisa Almarode)
Date: Mon, 14 Jul 2025 15:39:29 -0700
Subject: [Glass] Critical bug: Password/login control features may cause repository corruption in 3.7.x

A bug has been uncovered that can cause repository corruption in versions 3.7.0 through 3.4.7.2 only, bug #51494.

If the SymbolGem is committing new symbols concurrently with a user login for a userProfile that has certain password security features enabled, other Gems may commit references to oops that were provided by the SymbolGem for new symbols, but the SymbolGem failed to commit. These oops may end up not existing, or being reused for unrelated objects.

The circumstances that expose this bug are password/login control features that cause updates to a UserProfile's security data, to update the last login time or the disabled state of the UserProfile. The following are the conditions that cause risk:

- a login hits a limit specified by a UserProfile's loginsAllowedBeforeExpiration, and passwordNeverExpires is false.
- passwordAgeLimit is set to a nonzero value for the UserProfile or AllUsers, and a login either succeeds or fails due to the age limit.
- passwordAgeWarning is set to a nonzero value for the UserProfile or AllUsers, and a login succeeds.
- staleAccountAgeLimit is set to a nonzero value for the UserProfile or AllUsers, and a login either succeeds or fails due to the age limit.
- the Stone configuration parameters STN_DISABLE_LOGIN_FAILURE_LIMIT and STN_DISABLE_LOGIN_FAILURE_TIME_LIMIT are set, and a user login fails the specified number of times within the specified time limit. Note that these parameters are enabled by default, to 15 login failures within 15 minutes.

This bug does not apply to 3.6.x, 3.5.x, or earlier versions.

It is strongly recommended to disable the specified security features if you are using them in a 3.7.x repository.
A 3.4.7.3 release with fixes will be available soon. See the bugnote, https://gemtalksystems.com/data/bugnotes/51494.html, for more details, and contact GemTalk Technical Support if you have further questions or for an early access version of 3.4.7.3.

We apologize for this bug!

The GemStone/S team
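An added audit snippet (not from the GemStone/S team or the bugnote) that walks every UserProfile for the per-user settings listed above and reads the two Stone parameters. It assumes the UserProfile accessors named in the post (passwordAgeLimit, passwordAgeWarning, staleAccountAgeLimit, loginsAllowedBeforeExpiration, passwordNeverExpires) and System class >> stoneConfigurationAt:, and that it runs as a user allowed to read AllUsers; AllUsers-wide defaults are not covered here.

```smalltalk
"Added example: list the password/login control settings that put a 3.7.x repository at risk.
 Method names are taken from the post above and are assumed to be the real accessors."
| findings check |
findings := OrderedCollection new.
check := [:userProfile :selector |
    "A nil or zero value means the feature is off; anything else means a login can
     rewrite the UserProfile's security data, which is the path bug #51494 involves."
    | value |
    value := userProfile perform: selector.
    (value notNil and: [value ~= 0]) ifTrue: [
        findings add: userProfile userId , ' has ' , selector asString , ' = ' , value printString]].
AllUsers do: [:up |
    #(#passwordAgeLimit #passwordAgeWarning #staleAccountAgeLimit)
        do: [:sel | check value: up value: sel].
    "loginsAllowedBeforeExpiration only matters when the password can expire at all."
    up passwordNeverExpires ifFalse: [check value: up value: #loginsAllowedBeforeExpiration]].
"Stone-level limits; the post notes both default to 15 failures within 15 minutes."
#(#STN_DISABLE_LOGIN_FAILURE_LIMIT #STN_DISABLE_LOGIN_FAILURE_TIME_LIMIT) do: [:param |
    | v |
    v := System stoneConfigurationAt: param.
    (v notNil and: [v ~= 0]) ifTrue: [findings add: param asString , ' = ' , v printString]].
findings isEmpty
    ifTrue: ['No risky password/login control settings found']
    ifFalse: [findings]
```

Each reported line names a setting the post says should be disabled until the fixed release is installed.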