The Apache Derby project is pleased to announce release 10.6.1.0. In addition to introducing many new features, this release fixes a security flaw. Please see below for more details.
Apache Derby is a subproject of the Apache DB project. Derby is a pure Java relational database engine which conforms to the ISO/ANSI SQL and JDBC standards. Derby aims to be easy for developers and end-users to work with. Derby 10.6.1.0 can be obtained from the Derby download site: http://db.apache.org/derby/derby_downloads.html. Derby 10.6.1.0 contains the following new features: * Sequence Generators - Named generators for allocating successive, evenly spaced numbers. See feature T176 of the SQL Standard. * User-defined types - Named types bound to serializable Java objects. * Restricted table functions - Limits on the columns and rows returned by table functions. * XPLAIN statistics collection - Query plan statistics stored in tables for later analysis. * GROUP BY ROLLUP - A subset of the SQL Standard ROLLUP functionality on the GROUP BY clause. See feature T431 of the SQL Standard. * CROSS JOIN - CROSS JOIN syntax. See feature F401-04 of the SQL Standard. * Named columns join - USING clauses in joins. * SHOW FUNCTIONS - IJ command that lists stored functions. * In-memory back end enhancements - Numerous improvements, including the ability to delete in-memory databases. * ORDER BY in subqueries - Syntax for explicitly ordering rows returned by subqueries. See features F851, F852, and F855 of the SQL Standard. * OFFSET, FETCH FIRST/NEXT in subqueries - Generalized syntax for retrieving row subsets. See features F856, F857, F858, F859, F861, F862, F863, and F864 of the SQL Standard. * NATURAL JOIN - Support for NATURAL JOIN. See feature T431 of the SQL Standard. * Qualified identifers in ij - Ability to reference cursors and prepared statements in other connections. * Configurable hash algorithm - Ability to customize the hash algorithm used by BUILTIN authentication. * Context-sniffing scripts - Ability of shipped scripts to locate Derby jars when DERBY_HOME isn't set. * Case-insensitive strings - Ability to ignore case in string comparisons and sorts. In addition, Derby 10.6.1.0 contains many bug and documentation fixes. Please try out this new release. -- IMPORTANT SECURITY NOTE -- IMPORTANT SECURITY NOTE -- IMPORTANT SECURITY NOTE -- Derby 10.6.1.0 also fixes a security flaw tracked by the Apache Common Vulnerabilities and Exposures id "CVE-2009-4269". This flaw made it easy to crack passwords managed by Derby's BUILTIN authentication logic. Originally, the BUILTIN logic was intended only for testing purposes. However, Derby's user documentation suggested that this scheme was production-ready and it appears that many users rely on BUILTIN authentication in production. Tracked by DERBY-4483, the flaw is addressed as follows: 1) The bug itself is corrected for newly created 10.6 databases. 2) Password substitution is not allowed when logging into a database where the bug is corrected and BUILTIN passwords are stored in the database. See the release note for DERBY-4483. 3) Derby's default password-hashing scheme is changed from SHA-1 to SHA-256, which is harder to crack. 4) The user guides are glossed with warnings against production use of the BUILTIN authentication mechanism. Users are urged to i) Migrate production systems off the BUILTIN mechanism onto Derby's LDAP and user-customized authentication schemes. ii) Or hard-upgrade to 10.6.1.0 immediately and perform the following additional steps: a) Set derby.authentication.builtin.algorithm to a stronger authentication scheme like SHA-256 or SHA-512. b) Reset all passwords stored in the database. c) Stop using strong password substitution. Instead, encrypt all network traffic using SSL/TLS. -- IMPORTANT SECURITY NOTE -- IMPORTANT SECURITY NOTE -- IMPORTANT SECURITY NOTE --
