Source: derby
Version: 10.14.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/DERBY-7147
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for derby.

CVE-2022-46337[0]:
| A cleverly devised username might bypass LDAP authentication checks.
| In LDAP-authenticated Derby installations, this could let an
| attacker fill up the disk by creating junk Derby databases. In
| LDAP-authenticated Derby installations, this could also allow the
| attacker to execute malware which was visible to and executable by
| the account which booted the Derby server. In LDAP-protected
| databases which weren't also protected by SQL GRANT/REVOKE
| authorization, this vulnerability could also let an attacker view
| and corrupt sensitive data and run sensitive database functions and
| procedures. Mitigation: Users should upgrade to Java 21 and Derby
| 10.17.1.0. Alternatively, users who wish to remain on older Java
| versions should build their own Derby distribution from one of the
| release families to which the fix was backported: 10.16, 10.15, and
| 10.14. Those are the releases which correspond, respectively, with
| Java LTS versions 17, 11, and 8.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46337
    https://www.cve.org/CVERecord?id=CVE-2022-46337
[1] https://issues.apache.org/jira/browse/DERBY-7147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
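The advisory above does not spell out how a "cleverly devised username" subverts the LDAP check; the classic way this happens is when the username is spliced into an LDAP search filter without escaping. The following is an added illustration, not Derby's own code: it assumes a lookup filter of the shape (&(objectClass=inetOrgPerson)(uid=<user>)) and contrasts the naive construction with RFC 4515 escaping plus a stricter allow-list check that a defender can apply before the lookup.

```python
# Added example (not Derby's code). Assumed filter shape:
#   (&(objectClass=inetOrgPerson)(uid=<user>))
# RFC 4515 section 3: these characters are special inside a filter value
# and must be written as backslash + two hex digits to be treated as data.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}
FILTER_METACHARS = frozenset(_FILTER_ESCAPES)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the filter parser sees only literal data."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_plain_username(username: str) -> bool:
    """Stricter policy: refuse any username that carries filter metacharacters.

    Escaping is sufficient for correctness; rejecting outright is cheaper to
    audit and gives you a clean signal to alert on.
    """
    return bool(username) and not any(ch in FILTER_METACHARS for ch in username)


def build_user_filter_unsafe(username: str, attr: str = "uid") -> str:
    """The vulnerable pattern: raw username interpolated into the filter.

    Any '(', ')' or '*' in the username changes the filter's structure
    instead of being matched literally.
    """
    return f"(&(objectClass=inetOrgPerson)({attr}={username}))"


def build_user_filter(username: str, attr: str = "uid") -> str:
    """Hardened form: the username is escaped before interpolation."""
    return f"(&(objectClass=inetOrgPerson)({attr}={escape_filter_value(username)}))"


def filter_is_well_formed(filt: str) -> bool:
    """Cheap structural sanity check: unescaped parentheses must balance."""
    depth = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":          # skip an escape sequence such as \28
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0
```

Constructed sample: the username `a*b(c)\d` becomes `a\2ab\28c\29\5cd` after escaping, so the hardened filter stays a single equality match while the naive filter's parentheses no longer balance.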