The Apache Calcite team is pleased to announce the release of Apache
Calcite Avatica 1.22.0.
Avatica is a framework for building database drivers. Avatica defines a
wire API and serialization mechanism for clients to communicate with a
server as a proxy to a database. The reference Avatica client and server
are implemented in Java and communicate over HTTP. Avatica is a
sub-project of Apache Calcite.
Apache Calcite Avatica 1.22.0 is a maintenance release to resolve
CVE-2022-36364: Apache Calcite Avatica JDBC driver httpclient_impl
connection property can be used as an RCE vector. Users of previous
versions of Avatica MUST upgrade to mitigate this vulnerability. For a
full list of changes, please see the release notes:
https://calcite.apache.org/avatica/docs/history.html#v1-22-0
The release is available here:
https://calcite.apache.org/avatica/downloads/avatica.html
We welcome your help and feedback. For more information on how to report
problems and get involved, visit the project website at:
https://calcite.apache.org/avatica/
or the Apache Calcite project website:
https://calcite.apache.org/
Thanks to everyone involved!
Francis Chuang, on behalf of the Apache Calcite team.