[ https://issues.apache.org/jira/browse/DERBY-7178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7178:
---------------------------------------
       Urgency: Normal
    Issue Type: Task  (was: Bug)
      Priority: Trivial  (was: Major)

10.14.2.1 is indeed the version number of the head of the 10.14 branch. If 
someone were to volunteer to publish a new, official 10.14 release, the version 
number of the release would be bumped to 10.14.3.0 and the version number on 
the branch would be bumped to 10.14.3.1.

When you build the 10.14 branch for your own purposes, you are not building an 
official Derby release. By not pre-bumping the version number, we reduce the 
risk that user-built distributions will have version numbers which conflict 
with official releases.

Everything looks correct to me.

> Wrong 10.14 backport patch version for CVE-2022-46337 fix
> ---------------------------------------------------------
>
>                 Key: DERBY-7178
>                 URL: https://issues.apache.org/jira/browse/DERBY-7178
>             Project: Derby
>          Issue Type: Task
>    Affects Versions: 10.14.1.0
>            Reporter: Yuval Rosen
>            Priority: Trivial
>              Labels: versioning
>             Fix For: 10.14.3
>
>
> The fix for the CVE-2022-46337 vulnerability in Derby was designated to be 
> fixed in the unreleased 10.14.3 version.
> Checking on the latest 10.14 branch, it does indeed include the fix commit:
>  
> {code:java}
> % svn log java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
> ------------------------------------------------------------------------
> r1905586 | rhillegas | 2022-11-29 00:47:15 +0200 (Nov 29 2022) | 1 line
> DERBY-7147: Port derby-7147-02-ab-escapeLDAPsearchFilter.diff from the trunk 
> to the 10.14 branch.
> ------------------------------------------------------------------------
> r1808801 | rhillegas | 2017-09-19 04:28:54 +0300 (Sep 19 2017) | 1 line
> Created the 10.14 code branch.
> ------------------------------------------------------------------------
> r1514927 | bpendleton | 2013-08-17 03:24:25 +0300 (Aug 17 2013) | 44 lines
> DERBY-6299: Improve code coverage of org.apache.derby.iapi.services.sanity
> ...
> {code}
> However, when I build this version myself, it says the version is 10.14.2.1:
> {code:java}
> --------- Derby Information --------
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derby.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbytools.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbynet.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyclient.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyoptionaltools.jar] 10.14.2.1 - (1929175)
> {code}
> This poses an issue with CVE detection tools, which rely on the NVD database 
> - listing 10.14.2.1 (<10.14.3.0) as a version vulnerable to the 
> aforementioned CVE.
> The version of the branch should be updated to 10.14.3.0 to match the fix 
> version listed in the CVE pages as well as the original Jira ticket - 
> DERBY-7147.
>  
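The mismatch the report describes, a branch build that contains the fix but carries a version number below the recorded fix version, is easy to reproduce in scanner logic. The following is an added example, not code from the Jira thread or from the Derby project. It parses sysinfo-style jar lines and gives two verdicts for each jar: the pure version-range match a CVE scanner performs against the NVD fix version, and a revision-aware check. It encodes only what the thread states for the 10.14 line (backport commit r1905586, fix version 10.14.3.0, official releases ending in .0) and assumes that the parenthesised build number sysinfo prints is the svn revision the jar was built from. The sample input is constructed; only the first jar line is the reporter's, the other two jars and their build numbers are invented.

```python
"""Version-only vs. revision-aware triage of Derby jars for CVE-2022-46337.

Added example; not part of the Jira thread or the Derby code base.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Facts taken from the thread, keyed by (major, minor) branch. Other
# branches are deliberately left out rather than guessed.
FIXED_VERSION: Dict[Tuple[int, int], Tuple[int, ...]] = {(10, 14): (10, 14, 3, 0)}
FIX_REVISION: Dict[Tuple[int, int], int] = {(10, 14): 1905586}  # DERBY-7147 backport

# Constructed sysinfo output. Line 2 is the reporter's jar; lines 3 and 4
# are invented jars with invented build numbers.
SAMPLE_SYSINFO = """\
--------- Derby Information --------
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derby.jar] 10.14.2.1 - (1929175)
[/opt/app/lib/derby.jar] 10.14.2.0 - (1800000)
[/opt/app/lib/derbyclient.jar] 10.14.3.0 - (1950000)
"""

JAR_LINE = re.compile(
    r"^\[(?P<path>[^\]]+)\]\s+(?P<version>\d+(?:\.\d+){3})\s+-\s+\((?P<build>\d+)\)\s*$"
)


class Jar(NamedTuple):
    path: str
    version: Tuple[int, ...]  # (major, minor, fixpack, point)
    build: int                # assumed: svn revision the jar was built from


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse Derby's four-part major.minor.fixpack.point version string."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.fixpack.point, got {text!r}")
    return parts


def parse_sysinfo(text: str) -> List[Jar]:
    """Extract (path, version, build) from sysinfo's jar lines; skip the rest."""
    jars: List[Jar] = []
    for line in text.splitlines():
        m = JAR_LINE.match(line.strip())
        if m:
            jars.append(Jar(m["path"], parse_version(m["version"]), int(m["build"])))
    return jars


def naive_verdict(version: Tuple[int, ...]) -> str:
    """What a version-range match against the NVD fix version reports."""
    fixed = FIXED_VERSION.get(version[:2])
    if fixed is None:
        return "unknown branch"
    return "fixed" if version >= fixed else "vulnerable"


def revision_aware_verdict(jar: Jar) -> str:
    """Same check, but let a branch build prove itself by build revision."""
    branch = jar.version[:2]
    fixed = FIXED_VERSION.get(branch)
    fix_rev = FIX_REVISION.get(branch)
    if fixed is None or fix_rev is None:
        return "unknown branch"
    if jar.version >= fixed:
        return "fixed"
    # A non-zero point component means an unofficial build of the branch head
    # (official releases end in .0). If that build's svn revision is at or past
    # the backport commit, the fix is in the jar even though the version is not.
    if jar.version[3] != 0 and jar.build >= fix_rev:
        return "fixed (unofficial branch build at/after fix commit; verify)"
    return "vulnerable"


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, version-only verdict, revision-aware verdict) per jar."""
    return [(j.path, naive_verdict(j.version), revision_aware_verdict(j)) for j in parse_sysinfo(text)]


if __name__ == "__main__":
    for path, naive, aware in triage(SAMPLE_SYSINFO):
        print(f"{path}\n  version-only: {naive}\n  revision-aware: {aware}")
```

The revision-aware verdict is still only a heuristic: it trusts the build number and says nothing about whether the checkout was clean, so treat it as a reason to suppress a false positive after manual confirmation (for instance, checking that the LDAP search-filter escaping from DERBY-7147 is present in the jar), not as proof.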



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
