These notes describe the difference between Apache Derby release 10.17.1.0 and the preceding release 10.16.1.1.
The most up to date information about Derby releases can be found on the Derby download page.
Apache Derby is a pure Java relational database engine using standard SQL and JDBC as its APIs. More information about Derby can be found on the Apache web site. Derby functionality includes:
The 10.17 release family supports the following Java and JDBC versions:
10.17 does NOT support Java releases prior to Java SE 21.
The major feature of this release is support for Java SE 21.
New users should consult the 10.17 documentation, especially the Getting Started With Derby guide.
The following issues are addressed by Derby release 10.17.1.0. These issues are not addressed in the preceding 10.16.1.1 release.
| Issue Id | Description |
|---|---|
| DERBY-7143 | HarmonySerialBlob.getBinaryStream(long, long) makes it impossible to retrieve the last character of the Blob. |
| DERBY-7144 | MERGE INSERT failing when target has GENERATED IDENTITY column |
| DERBY-7147 | LDAP injection vulnerability in LDAPAuthenticationImpl |
| DERBY-7149 | Make it possible to build and test Derby cleanly with JDK 20 |
Compared with the previous release (10.16.1.1), Derby release 10.17.1.0 introduces the following new features and incompatibilities. These merit your special attention.
Denial of service attacks might have been possible when using LDAP authentication.
An LDAP injection vulnerability was identified. It was assigned this id: CVE-2022-46337. Credit for finding the vulnerability goes to 4ra1n and Y4tacker. Someone exploiting this vulnerability might have been able to log on with a bizarre user name which looked like an LDAP protocol string. The user would then have been able to create and populate tables and therefore exhaust disk resources. The vulnerability was closed by escaping LDAP protocol strings.
No application changes are necessary.
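The fix described above works by escaping the characters that carry meaning in LDAP protocol strings before a user-supplied name is placed into a search filter or a distinguished name. The following is an added example that illustrates that class of mitigation; it is not Derby's LDAPAuthenticationImpl code. The attribute name `uid`, the base DN `ou=people,dc=example,dc=com` and the sample user names are assumptions constructed for the example.

```python
"""Escaping of user-supplied values before they are embedded in LDAP
protocol strings: RFC 4515 search filters and RFC 4514 distinguished
names. Added example, not Derby's own authenticator code."""

# RFC 4515 section 3: characters that must be written as \XX hex
# escapes inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter, so that the
    value can never open, close or extend a filter component."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4):
    special characters get a leading backslash, NUL becomes \\00, and a
    leading '#' or a leading/trailing space is escaped as well."""
    specials = set(',+"\\<>;')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in specials:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_filter(user_name: str) -> str:
    """Filter an authenticator might use to look up a login name.
    The attribute name 'uid' is an assumption for this example."""
    return "(uid=%s)" % escape_filter_value(user_name)


def build_user_dn(user_name: str,
                  base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Bind DN for a login name; base_dn is a constructed value."""
    return "uid=%s,%s" % (escape_dn_value(user_name), base_dn)


if __name__ == "__main__":
    # Constructed names containing filter and DN metacharacters.
    for name in ("jsmith", "o'neil*(test)", "smith, jane", " padded "):
        print(build_user_search_filter(name))
        print(build_user_dn(name))
```

With escaping in place, a login name containing `(`, `)`, `*` or `\` is still looked up as a literal string, which is the property that closes the class of bug described above; the same discipline applies to any other attribute value that ends up in a filter or DN.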
Derby release 10.17.1.0 was built using the following environment:
It is essential that you verify the integrity of the downloaded files using the PGP and SHA-512 signatures. SHA-512 verification ensures the file was not corrupted during the download process. PGP verification ensures that the file came from a certain person.
The PGP signatures can be verified using PGP or GPG. First download the Apache Derby KEYS file as well as the .asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror.

Then verify the signatures using ...

    % pgpk -a KEYS
    % pgpv db-derby-X.Y.tar.gz.asc

or

    % pgp -ka KEYS
    % pgp db-derby-X.Y.tar.gz.asc

or

    % gpg --import KEYS
    % gpg --verify db-derby-X.Y.tar.gz.asc
To verify the SHA-512 checksums on the files, you need to use a platform-specific program. On Mac OSX, this program is called shasum, on Linux it is called sha512sum, and on Windows it is called CertUtil.
We strongly recommend that you verify your downloads with both PGP and SHA-512.
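The SHA-512 step above is a comparison of the digest of the file you downloaded with the digest published beside it, and it is easy to get subtly wrong (comparing only a prefix, or trusting a checksum file that is not actually a digest). The following is an added example of that check, not part of the Derby release notes or of the Derby project's tooling. It assumes the .sha512 file holds either a bare hex digest or sha512sum-style output (`<hex>  <filename>`), and the archive bytes and file names it writes are constructed for the demonstration.

```python
"""Verify a downloaded distribution against its .sha512 file.
Added example; not Derby project code. Assumes the checksum file
contains a bare SHA-512 hex digest or sha512sum-style output."""

import hashlib
import hmac
import os
import tempfile


def sha512_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so large archives need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha512_file(text: str) -> str:
    """Extract the expected digest from the checksum file's first line.
    Accepts '<hex>', '<hex>  <name>' or '<hex> *<name>' (binary mode).
    Raises ValueError unless the first token is a 128-hex-digit digest,
    so a truncated or mis-served checksum file cannot pass as valid."""
    lines = text.strip().splitlines()
    tokens = lines[0].split() if lines else []
    digest = tokens[0].lower() if tokens else ""
    if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum file does not contain a SHA-512 digest")
    return digest


def verify_download(archive_path: str, checksum_path: str) -> bool:
    """True only if the archive's full SHA-512 digest matches the checksum file.
    hmac.compare_digest compares the whole string in constant time."""
    with open(checksum_path, "r", encoding="utf-8") as f:
        expected = parse_sha512_file(f.read())
    actual = sha512_of_file(archive_path)
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed sample: a stand-in archive, a matching .sha512 file, then a
    modified copy of the archive. Returns (intact_result, modified_result)."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "db-derby-X.Y.tar.gz")
        with open(archive, "wb") as f:
            f.write(b"constructed archive bytes, not a real Derby release\n")
        checksum = archive + ".sha512"
        with open(checksum, "w", encoding="utf-8") as f:
            f.write(sha512_of_file(archive) + "  db-derby-X.Y.tar.gz\n")
        intact = verify_download(archive, checksum)
        with open(archive, "ab") as f:
            f.write(b"x")  # a single appended byte changes the digest
        modified = verify_download(archive, checksum)
    return intact, modified


if __name__ == "__main__":
    print(demo())
```

The check confirms that the bytes on disk are the bytes that were published; it says nothing about who published them, which is why the notes recommend the PGP verification as well.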