Apache Derby 10.17.1.0 Release
Distributions
Use the links below to download a distribution of Apache Derby. You should always verify the integrity of distribution files downloaded from a mirror.
There are four different distributions:
- bin distribution - contains the documentation, javadoc, and jar files for Derby.
- lib distribution - contains only the jar files for Derby.
- lib-debug distribution - contains jar files for Derby with source line numbers.
- src distribution - contains the Derby source tree at the point at which the binaries were built.
db-derby-10.17.1.0-bin.zip [PGP] [SHA-512]
db-derby-10.17.1.0-bin.tar.gz [PGP] [SHA-512]
db-derby-10.17.1.0-lib.zip [PGP] [SHA-512]
db-derby-10.17.1.0-lib.tar.gz [PGP] [SHA-512]
db-derby-10.17.1.0-lib-debug.zip [PGP] [SHA-512]
db-derby-10.17.1.0-lib-debug.tar.gz [PGP] [SHA-512]
db-derby-10.17.1.0-src.zip [PGP] [SHA-512]
db-derby-10.17.1.0-src.tar.gz [PGP] [SHA-512] (Note that, due to long filenames, you will need GNU tar to unpack this tarball.)
Release Notes for Apache Derby 10.17.1.0
These notes describe the difference between Apache Derby release 10.17.1.0 and the preceding release 10.16.1.1.
Overview
The most up-to-date information about Derby releases can be found on the Derby download page.
Apache Derby is a pure Java relational database engine using standard SQL and JDBC as its APIs. More information about Derby can be found on the Apache web site. Derby functionality includes:
- Embedded engine with JDBC drivers
- Network Server
- Network client JDBC drivers
- Command line tools: ij (SQL scripting), dblook (schema dump) and sysinfo (system info)
The 10.17 release family supports the following Java and JDBC versions:
- Java SE 21 and higher with JDBC 4.2.
10.17 does NOT support Java releases prior to Java SE 21.
New Features
The major feature of this release is support for Java SE 21.
New users should consult the 10.17 documentation, especially the Getting Started With Derby guide.
Bug Fixes
The following issues are addressed by Derby release 10.17.1.0. These issues are not addressed in the preceding 10.16.1.1 release.
Issue Id | Description |
---|---|
DERBY-7143 | HarmonySerialBlob.getBinaryStream(long, long) makes it impossible to retrieve the last character of the Blob. |
DERBY-7144 | MERGE INSERT failing when target has GENERATED IDENTITY column |
DERBY-7147 | LDAP injection vulnerability in LDAPAuthenticationImpl |
DERBY-7149 | Make it possible to build and test Derby cleanly with JDK 20 |
Issues
Compared with the previous release (10.16.1.1), Derby release 10.17.1.0 introduces the following new features and incompatibilities. These merit your special attention.
Note for DERBY-7147
Summary of Change
Denial of service attacks might have been possible when using LDAP authentication.
Symptoms Seen by Applications Affected by Change
An LDAP injection vulnerability was identified. It was assigned this id: CVE-2022-46337. Credit for finding the vulnerability goes to 4ra1n and Y4tacker. Someone exploiting this vulnerability might have been able to log on with a bizarre user name which looked like an LDAP protocol string. The user would then have been able to create and populate tables and therefore exhaust disk resources. The vulnerability was closed by escaping LDAP protocol strings.
Application Changes Required
No application changes are necessary.
Build Environment
Derby release 10.17.1.0 was built using the following environment:
- Branch - Source code came from the 10.18 branch.
- Machine - Mac OSX 11.2.3.
- Ant - Apache Ant(TM) version 1.10.14 compiled on August 16 2023.
- Compiler - All classes were compiled by the javac from OpenJDK 64-Bit Server VM (build 21+35-2513, mixed mode, sharing).
Verifying Releases
It is essential that you verify the integrity of the downloaded files using the PGP signatures and SHA-512 checksums. SHA-512 verification ensures the file was not corrupted during the download process. PGP verification ensures that the file came from a certain person.
The PGP signatures can be verified using PGP or GPG. First download the Apache Derby KEYS as well as the asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror. Then verify the signatures using ...
% pgpk -a KEYS
% pgpv db-derby-X.Y.tar.gz.asc
or
% pgp -ka KEYS
% pgp db-derby-X.Y.tar.gz.asc
or
% gpg --import KEYS
% gpg --verify db-derby-X.Y.tar.gz.asc
To verify the SHA-512 checksums on the files, you need to use a platform-specific program. On Mac OSX, this program is called shasum, on Linux it is called sha512sum, and on Windows it is called CertUtil.
We strongly recommend that you verify your downloads with both PGP and SHA-512.