Your message dated Sun, 26 Nov 2023 06:04:38 +0000
with message-id <[email protected]>
and subject line Bug#1056755: fixed in derby 10.14.2.0-3
has caused the Debian Bug report #1056755,
regarding derby: CVE-2022-46337
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1056755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: derby
Version: 10.14.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/DERBY-7147
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for derby.

CVE-2022-46337[0]:
| A cleverly devised username might bypass LDAP authentication checks.
| In LDAP-authenticated Derby installations, this could let an
| attacker fill up the disk by creating junk Derby databases. In
| LDAP-authenticated Derby installations, this could also allow the
| attacker to execute malware which was visible to and executable by
| the account which booted the Derby server. In LDAP-protected
| databases which weren't also protected by SQL GRANT/REVOKE
| authorization, this vulnerability could also let an attacker view
| and corrupt sensitive data and run sensitive database functions and
| procedures. Mitigation: Users should upgrade to Java 21 and Derby
| 10.17.1.0. Alternatively, users who wish to remain on older Java
| versions should build their own Derby distribution from one of the
| release families to which the fix was backported: 10.16, 10.15, and
| 10.14. Those are the releases which correspond, respectively, with
| Java LTS versions 17, 11, and 8.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46337
    https://www.cve.org/CVERecord?id=CVE-2022-46337
[1] https://issues.apache.org/jira/browse/DERBY-7147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
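The advisory text quoted above says only that a crafted username can bypass the LDAP check; it gives neither the mechanism nor the patch. What follows is an added example, not Derby's code and not the DERBY-7147 fix, showing the general class an operator of an LDAP-authenticated Derby should understand: when a username is substituted verbatim into an LDAP search filter, the caller can change what the search matches, and RFC 4515 escaping of the substituted value prevents that. The filter template, the %USERNAME% placeholder, the directory entries and the lookup_user_dns helper are constructed for the illustration and are assumptions, not facts about Derby's implementation.

```python
"""LDAP search-filter injection via a crafted username, and the RFC 4515
escaping that prevents it.

Added example: this is not Derby's code and not taken from the DERBY-7147
patch.  The filter template, the %USERNAME% placeholder and the directory
entries below are constructed for illustration (assumptions, not facts
about Derby's implementation).
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value so they are treated as literal text, not as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Hypothetical search template: the login name is substituted into the filter.
TEMPLATE = "(&(objectClass=inetOrgPerson)(uid=%USERNAME%))"

# Constructed directory (attribute names lower-cased, values as lists).
DIRECTORY = [
    {"dn": "uid=admin,ou=people,dc=example,dc=org", "objectclass": ["inetOrgPerson"], "uid": ["admin"]},
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "objectclass": ["inetOrgPerson"], "uid": ["bob"]},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, *, escape: bool) -> str:
    """Substitute the username into TEMPLATE, escaped or (unsafely) verbatim."""
    value = escape_filter_value(username) if escape else username
    return TEMPLATE.replace("%USERNAME%", value)


# --- minimal filter parser/evaluator, enough to show the semantic change ---

def _parse(s: str, i: int):
    """Parse one '(...)' filter item starting at s[i]; return (node, next_i)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":                       # composite item: (&...) (|...) (!...)
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)                   # simple item: (attr=value)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _unescape(value: str) -> str:
    """Turn RFC 4515 \\XX hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    # An unescaped '*' is a wildcard.  An escaped '\2a' only becomes a literal
    # '*' after the split, so it can never widen the match.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "=":
        _, attr, pattern = node
        return any(_value_matches(pattern, v) for v in entry.get(attr, []))
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)   # "!"


def lookup_user_dns(username: str, *, escape: bool) -> list:
    """Return the DNs the search step would hand to the bind step."""
    node = parse_filter(build_filter(username, escape=escape))
    return [e["dn"] for e in DIRECTORY if matches(node, e)]


if __name__ == "__main__":
    for user in ("alice", "*", "a*"):
        print(repr(user), "unsafe:", lookup_user_dns(user, escape=False),
              "escaped:", lookup_user_dns(user, escape=True))
```

Run stand-alone it prints, for the usernames alice, * and a*, which DNs the search would return with and without escaping: unescaped, "*" matches every account and "a*" matches admin and alice, while the escaped filter matches nothing but a literal uid. Two checks carry over to a real deployment regardless of the Derby version: escaping must be applied at every point where the login name enters a filter, including any customised search filter, and a search that returns more than one entry for a single login should fail the login rather than take the first hit.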
--- Begin Message ---
Source: derby
Source-Version: 10.14.2.0-3
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
derby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated derby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Nov 2023 21:25:10 -0800
Source: derby
Architecture: source
Version: 10.14.2.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1056755
Changes:
 derby (10.14.2.0-3) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for CVE-2022-46337 (Closes: #1056755)
   * Update lintian-overrides for derby source package
Checksums-Sha1:
 ca77ec0e284c8283fa0af24c1ce036ed9faa4fe8 2287 derby_10.14.2.0-3.dsc
 6630d887edbd7fbe9031c57f8dfa470dc95c8e51 15940 derby_10.14.2.0-3.debian.tar.xz
 e136058fcafa29cd0f431fefc42df29d020d2f4f 10438 derby_10.14.2.0-3_amd64.buildinfo
Checksums-Sha256:
 8d0d61062d367dbdf41692338333e3b0d39ba3c41d35c684ad98d6f838cb77f4 2287 derby_10.14.2.0-3.dsc
 696f352282712ad691ff42bc60ce49dbd55143db4b61cdad4ecc2a466cd224d3 15940 derby_10.14.2.0-3.debian.tar.xz
 234edb52507cb910095799b76892797fe18f9d000a6f1d650cd35ea4d3b62157 10438 derby_10.14.2.0-3_amd64.buildinfo
Files:
 9451345f45a5b977e957bb012b35e731 2287 java optional derby_10.14.2.0-3.dsc
 81224eb32a62fe3f8cdbf683958d2301 15940 java optional derby_10.14.2.0-3.debian.tar.xz
 d8c744964d87cae1cf325621746ceb3d 10438 java optional derby_10.14.2.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmVi2ZkUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpb1gw/9E6yNxjijj0K3dcrxTkDP9H9fjcH7
6MXB2LwKRiofgXleRdL4covWHbXeFLui+oXFjgpQEmPGu1pTk13xoy0qw8YuZ8LK
SRt9OqZMe2a4+2k/dWNkycDV+Z1AqIqb+JIx8fMPfrh/3vqopoRZj51ZRN6UDElE
LJsmC+xcZ4Z4pdSm9RGL3vq3WkY8MOdJdbiTrahArVgGP7Em500Wg8PBkIpV0nV7
JyRh68K2beDRQ4WNEbBgjgpdKTOLYt1E/6rWnIDQxR24CzPfHzCgqfKzgKoFF4hy
wotuEnVR8GBl/TVqyr3cyvY0d+g818kfKe8DIu0IWbIYcgBInoadKmX5aA7qmRMt
vBbT7r6bM5BlY6e/ZsQsEsQ8RNc+TyEaDGJYDYtMx0LTMs4JOJhX3WiBrzsaFpnS
O3LQyNXA3L3rEQSENaCORc4z8L7WAmdnCqM6GnSYJFSdrX/PckN0NNPK01VLB0Ux
2HcFzUBJWLMGeGv8P5Qy3MUGl54wJmYv4I70aXuB3i64QBVI2DTBjG6MODzFOXTD
lxZCQ8bNaiYOLf4Ch0oDJfNti9qA6iLSeaHa5KaEVieypV6hFgxoOiPCFbRgDWp3
vyQnFb/RCsGWtpsEMTitXaVHc8ZiQrxONIDXIH1EmbHG7jAaIRmbqisTmvtsHJmG
JqIReHTW+4Woxm4=
=hJiB
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.