[ https://issues.apache.org/jira/browse/DERBY-7178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard N. Hillegas updated DERBY-7178:
---------------------------------------
Fix Version/s: (was: 10.14.3)
> Wrong 10.14 backport patch version for CVE-2022-46337 fix
> ---------------------------------------------------------
>
> Key: DERBY-7178
> URL: https://issues.apache.org/jira/browse/DERBY-7178
> Project: Derby
> Issue Type: Task
> Affects Versions: 10.14.1.0
> Reporter: Yuval Rosen
> Priority: Trivial
> Labels: versioning
>
> The fix for the CVE-2022-46337 vulnerability in Derby was designated for the unreleased 10.14.3 version.
> Checking on the latest 10.14 branch, it does indeed include the fix commit:
>
> {code:java}
> % svn log java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
> ------------------------------------------------------------------------
> r1905586 | rhillegas | 2022-11-29 00:47:15 +0200 (Nov 29 2022) | 1 line
> DERBY-7147: Port derby-7147-02-ab-escapeLDAPsearchFilter.diff from the trunk to the 10.14 branch.
> ------------------------------------------------------------------------
> r1808801 | rhillegas | 2017-09-19 04:28:54 +0300 (Sep 19 2017) | 1 line
> Created the 10.14 code branch.
> ------------------------------------------------------------------------
> r1514927 | bpendleton | 2013-08-17 03:24:25 +0300 (Aug 17 2013) | 44 lines
> DERBY-6299: Improve code coverage of org.apache.derby.iapi.services.sanity
> ...
> {code}
> However when I build this version myself, it says the version is 10.14.2.1:
> {code:java}
> --------- Derby Information --------
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derby.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbytools.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbynet.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyclient.jar] 10.14.2.1 - (1929175)
> [/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyoptionaltools.jar] 10.14.2.1 - (1929175)
> {code}
> This poses an issue with CVE detection tools, which rely on the NVD database
> - listing 10.14.2.1 (<10.14.3.0) as a version vulnerable to the
> aforementioned CVE.
> The version of the branch should be updated to 10.14.3.0 to match the fix
> version listed in the CVE pages as well as the original Jira ticket -
> DERBY-7147.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
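The mechanism the ticket describes, shown as an added example that is not part of the Derby project or of this issue: a scanner that matches the version string reported by the jars against an NVD-style "versionEndExcluding" bound will flag a 10.14 branch build that reports 10.14.2.1 even though the fix commit is present, and stops flagging it once the branch reports 10.14.3.0. The sysinfo sample is constructed from the shape of the output quoted above (the jar path is an assumed placeholder), the range record is constructed in the shape NVD uses with the bound the ticket cites, and the comparison is numeric per component, since plain string comparison misorders versions such as 10.14.10.0 against 10.14.3.0.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the "Derby Information" block quoted in the
# ticket; the path is an assumed placeholder, not a real build location.
SAMPLE_SYSINFO = """\
--------- Derby Information --------
[/tmp/derby-10.14/jars/insane/derby.jar] 10.14.2.1 - (1929175)
[/tmp/derby-10.14/jars/insane/derbytools.jar] 10.14.2.1 - (1929175)
[/tmp/derby-10.14/jars/insane/derbynet.jar] 10.14.2.1 - (1929175)
[/tmp/derby-10.14/jars/insane/derbyclient.jar] 10.14.2.1 - (1929175)
[/tmp/derby-10.14/jars/insane/derbyoptionaltools.jar] 10.14.2.1 - (1929175)
"""

# One jar line: "[path] version - (svn revision)".
JAR_LINE = re.compile(
    r"^\[(?P<jar>[^\]]+)\]\s+(?P<version>\d+(?:\.\d+)*)\s+-\s+\((?P<rev>\d+)\)\s*$"
)

# Constructed range record in the shape NVD uses (versionStartIncluding /
# versionEndExcluding); the upper bound is the one the ticket cites.
RANGES: List[Dict[str, str]] = [
    {"cve": "CVE-2022-46337", "versionEndExcluding": "10.14.3.0"},
]


def parse_sysinfo(text: str) -> List[Dict[str, str]]:
    """Extract (jar, version, rev) records from sysinfo-style output."""
    found = []
    for line in text.splitlines():
        m = JAR_LINE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple of ints for comparison."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise a < b; shorter versions are padded with zeros."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return va < vb


def in_range(version: str,
             start_including: Optional[str] = None,
             end_excluding: Optional[str] = None) -> bool:
    """True when version lies in [start_including, end_excluding)."""
    if start_including is not None and version_lt(version, start_including):
        return False
    if end_excluding is not None and not version_lt(version, end_excluding):
        return False
    return True


def flagged_cves(version: str, ranges: List[Dict[str, str]] = RANGES) -> List[str]:
    """CVE ids whose affected range contains the reported version."""
    return [
        r["cve"] for r in ranges
        if in_range(version, r.get("versionStartIncluding"), r.get("versionEndExcluding"))
    ]


def scan(text: str, ranges: List[Dict[str, str]] = RANGES) -> Dict[str, List[str]]:
    """Map each jar in the sysinfo output to the CVEs a version-only scan flags."""
    return {j["jar"]: flagged_cves(j["version"], ranges) for j in parse_sysinfo(text)}


if __name__ == "__main__":
    for jar, cves in scan(SAMPLE_SYSINFO).items():
        print(f"{jar}: {cves or 'clean'}")
    # Same branch contents, but a version string at or above the bound clears it.
    print("10.14.3.0 ->", flagged_cves("10.14.3.0") or "clean")
```

The scan only ever sees the version string, not the branch history, which is why a branch carrying the fix commit but still reporting 10.14.2.1 is indistinguishable from an unpatched 10.14.2.x release; bumping the reported version is what changes the outcome.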