Hello. I'm new to the group, so I hope this is the appropriate place to ask this.
Over a year ago, v10.17.1.0 was released, which contained a fix for an LDAP injection vulnerability (CVE-2022-46337 / BDSA-2022-4287). The Jira ticket is DERBY-7147 (https://issues.apache.org/jira/browse/DERBY-7147), which indicates that the fix also went into v10.14.3, v10.15.2.1, and v10.16.1.2. A cursory look at the code seems to confirm this.

However, it has been well over a year since the fix was made, yet the only version that was ever released was v10.17.1.0. This has effectively stranded anyone not running Java 21 or later, and there is a lot of software out there that is still using Java 17, 11 and even 8, with those JREs being supported for another 6-8 years. In fact, Java 11's support extends a year beyond 21's, per https://www.azul.com/products/azul-support-roadmap/.

We have a product that, for multiple externally-controlled reasons, is stuck at Java 11 for the foreseeable future, and an older one that EOLs 12/2025 that is still using Java 8. I can't imagine we're alone in either of those boats.

What does it take to get Derby v10.14.3, v10.15.2.1, and v10.16.1.2 (containing that CVE fix) publicly released?

Best regards,
Frank Domina