Yuval Rosen created DERBY-7178:
----------------------------------

             Summary: Wrong 10.14 backport patch version for CVE-2022-46337 fix
                 Key: DERBY-7178
                 URL: https://issues.apache.org/jira/browse/DERBY-7178
             Project: Derby
          Issue Type: Bug
    Affects Versions: 10.14.1.0
            Reporter: Yuval Rosen
             Fix For: 10.14.3


The fix for the CVE-2022-46337 vulnerability in Derby was designated to be 
fixed in the unreleased 10.14.3 version.

Checking on the latest 10.14 branch, it does indeed include the fix commit:

{code:java}
% svn log java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java

------------------------------------------------------------------------
r1905586 | rhillegas | 2022-11-29 00:47:15 +0200 (Nov 29 2022) | 1 line

DERBY-7147: Port derby-7147-02-ab-escapeLDAPsearchFilter.diff from the trunk to the 10.14 branch.
------------------------------------------------------------------------
r1808801 | rhillegas | 2017-09-19 04:28:54 +0300 (Sep 19 2017) | 1 line

Created the 10.14 code branch.
------------------------------------------------------------------------
r1514927 | bpendleton | 2013-08-17 03:24:25 +0300 (Aug 17 2013) | 44 lines

DERBY-6299: Improve code coverage of org.apache.derby.iapi.services.sanity
...
{code}
However, when I build this version myself, it says the version is 10.14.2.1:
{code:java}
--------- Derby Information --------
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derby.jar] 10.14.2.1 - (1929175)
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derbytools.jar] 10.14.2.1 - (1929175)
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derbynet.jar] 10.14.2.1 - (1929175)
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyclient.jar] 10.14.2.1 - (1929175)
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyoptionaltools.jar] 10.14.2.1 - (1929175)
{code}
This poses an issue with CVE detection tools, which rely on the NVD database listing 10.14.2.1 (<10.14.3.0) as a version vulnerable to the aforementioned CVE.

The version of the branch should be updated to 10.14.3.0 to match the fix 
version listed in the CVE pages as well as the original Jira ticket - 
DERBY-7147.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
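To show why the reported 10.14.2.1 string matters, here is an added example (not code from the Derby project or from this issue) that parses a sysinfo-style "Derby Information" block and applies the same version-range test an NVD-based scanner performs. It models only the fix version the report cites (10.14.3.0) for CVE-2022-46337; the jar lines are a constructed sample in the shape of the output quoted above.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the sysinfo output quoted in the report.
SYSINFO_OUTPUT = """\
--------- Derby Information --------
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derby.jar] 10.14.2.1 - (1929175)
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derbynet.jar] 10.14.2.1 - (1929175)
[/Volumes/Volume/workspace/derby-10.14/jars/insane/derbyclient.jar] 10.14.2.1 - (1929175)
"""

# One "[jar path] version - (svn revision)" line of the Derby Information block.
JAR_LINE = re.compile(
    r"^\[(?P<path>[^\]]+)\]\s+(?P<version>\d+(?:\.\d+)+)\s+-\s+\((?P<rev>\d+)\)"
)

# Fix version for CVE-2022-46337 on the 10.14 branch, as cited in the report:
# anything below 10.14.3.0 is treated as vulnerable. Assumption: only the
# range the issue mentions is modelled here.
FIXED_IN = {"CVE-2022-46337": "10.14.3.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version -> comparable tuple, padded so 10.14.3 == 10.14.3.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_sysinfo(output: str) -> List[Tuple[str, str, str]]:
    """Return (jar path, version, svn revision) for each jar line."""
    found = []
    for line in output.splitlines():
        m = JAR_LINE.match(line.strip())
        if m:
            found.append((m["path"], m["version"], m["rev"]))
    return found


def flagged_jars(output: str) -> List[Tuple[str, str, str]]:
    """(jar path, version, CVE) for every jar whose reported version is below
    the fix version. Only the version string is consulted, which is exactly
    why a 10.14 build containing the fix but reporting 10.14.2.1 is flagged."""
    hits = []
    for path, version, _rev in parse_sysinfo(output):
        for cve, fixed in FIXED_IN.items():
            if parse_version(version) < parse_version(fixed):
                hits.append((path, version, cve))
    return hits


if __name__ == "__main__":
    for path, version, cve in flagged_jars(SYSINFO_OUTPUT):
        print(f"{cve}: {path} reports {version}")
```

Re-running the scan on the same output with the version bumped to 10.14.3.0 returns no hits, which is the effect the requested branch version change would have on such tools.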