Release Notes for Apache Derby 10.17.1.0

These notes describe the difference between Apache Derby release 10.17.1.0 and the preceding release 10.16.1.1.

Overview

The most up to date information about Derby releases can be found on the Derby download page.

Apache Derby is a pure Java relational database engine using standard SQL and JDBC as its APIs. More information about Derby can be found on the Apache web site. Derby functionality includes:

The 10.17 release family supports the following Java and JDBC versions:

10.17 does NOT support Java releases prior to Java SE 21.

New Features

The major feature of this release is support for Java SE 21.

New users should consult the 10.17 documentation, especially the Getting Started With Derby guide.

Bug Fixes

The following issues are addressed by Derby release 10.17.1.0. These issues are not addressed in the preceding 10.16.1.1 release.

Issue Id     Description
DERBY-7143   HarmonySerialBlob.getBinaryStream(long, long) makes it impossible to retrieve the last character of the Blob.
DERBY-7144   MERGE INSERT failing when target has GENERATED IDENTITY column
DERBY-7147   LDAP injection vulnerability in LDAPAuthenticationImpl
DERBY-7149   Make it possible to build and test Derby cleanly with JDK 20

Issues

Compared with the previous release (10.16.1.1), Derby release 10.17.1.0 introduces the following new features and incompatibilities. These merit your special attention.


Note for DERBY-7147

Summary of Change

Denial of service attacks might have been possible when using LDAP authentication.

Symptoms Seen by Applications Affected by Change

An LDAP injection vulnerability was identified. It was assigned this id: CVE-2022-46337. Credit for finding the vulnerability goes to 4ra1n and Y4tacker. Someone exploiting this vulnerability might have been able to log on with a bizarre user name that the LDAP authenticator interpreted as an LDAP protocol string. The user would then have been able to create and populate tables and therefore exhaust disk resources. The vulnerability was closed by escaping LDAP protocol strings.

Application Changes Required

No application changes are necessary.
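The fix described above escapes LDAP protocol characters in the user name before it is spliced into a search filter. The following is an added illustration of that technique, not Derby's own code: the filter shape and the sample user name are constructed here, and the escaping follows RFC 4515.

```java
/** Added example: escape a user-supplied value before it is placed in an LDAP search filter (RFC 4515). */
public final class LdapFilterEscape {

    /** Replace the characters that have filter syntax meaning with their \XX hex escapes. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;  // backslash must be escaped first
                case '*':  sb.append("\\2a"); break;  // wildcard
                case '(':  sb.append("\\28"); break;  // opens a filter component
                case ')':  sb.append("\\29"); break;  // closes a filter component
                case '\0': sb.append("\\00"); break;  // NUL
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build a user lookup filter (constructed shape; not Derby's exact filter) with the name escaped. */
    public static String userLookupFilter(String userName) {
        return "(&(objectClass=inetOrgPerson)(uid=" + escapeFilterValue(userName) + "))";
    }

    public static void main(String[] args) {
        // Constructed user name containing characters that are legal in a login name
        // but carry syntactic meaning inside an LDAP filter.
        String name = "a.smith (contractor) *";
        System.out.println("unescaped: (uid=" + name + ")");        // parentheses and * change filter structure
        System.out.println("escaped:   " + userLookupFilter(name)); // value is now matched literally
    }
}
```

If the lookup is done through JNDI, passing the user name as a filter argument to DirContext.search(String, String, Object[], SearchControls) with a `{0}` placeholder applies this escaping for you instead of concatenating the value into the filter string.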

Build Environment

Derby release 10.17.1.0 was built using the following environment:

Verifying Releases

It is essential that you verify the integrity of the downloaded files using the PGP and SHA-512 signatures. SHA-512 verification ensures the file was not corrupted during the download process. PGP verification ensures that the file was signed by a specific person, the holder of a signing key listed in the KEYS file.

The PGP signatures can be verified using PGP or GPG. First download the Apache Derby KEYS as well as the asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror. Then verify the signatures using ...

% pgpk -a KEYS
% pgpv db-derby-X.Y.tar.gz.asc

or

% pgp -ka KEYS
% pgp db-derby-X.Y.tar.gz.asc

or

% gpg --import KEYS
% gpg --verify db-derby-X.Y.tar.gz.asc

To verify the SHA-512 checksums on the files, you need to use a platform-specific program. On Mac OSX, this program is called shasum, on Linux it is called sha512sum, and on Windows it is called CertUtil.

We strongly recommend that you verify your downloads with both PGP and SHA-512.