Apache Derby 10.17.1.0 Release

Distributions

Use the links below to download a distribution of Apache Derby. You should always verify the integrity of distribution files downloaded from a mirror.

You are currently using https://dlcdn.apache.org/. If you encounter a problem with this mirror, then please select another. If all mirrors are failing, there are backup mirrors at the end of the list. See status of mirrors.

There are four different distributions:

  • bin distribution - contains the documentation, javadoc, and jar files for Derby.
  • lib distribution - contains only the jar files for Derby.
  • lib-debug distribution - contains jar files for Derby with source line numbers.
  • src distribution - contains the Derby source tree at the point at which the binaries were built.

db-derby-10.17.1.0-bin.zip [PGP] [SHA-512]
db-derby-10.17.1.0-bin.tar.gz [PGP] [SHA-512]

db-derby-10.17.1.0-lib.zip [PGP] [SHA-512]
db-derby-10.17.1.0-lib.tar.gz [PGP] [SHA-512]

db-derby-10.17.1.0-lib-debug.zip [PGP] [SHA-512]
db-derby-10.17.1.0-lib-debug.tar.gz [PGP] [SHA-512]

db-derby-10.17.1.0-src.zip [PGP] [SHA-512]
db-derby-10.17.1.0-src.tar.gz [PGP] [SHA-512] (Note that, due to long filenames, you will need GNU tar to unpack this tarball.)

Release Notes for Apache Derby 10.17.1.0

These notes describe the difference between Apache Derby release 10.17.1.0 and the preceding release 10.16.1.1.

Overview

The most up-to-date information about Derby releases can be found on the Derby download page.

Apache Derby is a pure Java relational database engine using standard SQL and JDBC as its APIs. More information about Derby can be found on the Apache web site. Derby functionality includes:

  • Embedded engine with JDBC drivers
  • Network Server
  • Network client JDBC drivers
  • Command line tools: ij (SQL scripting), dblook (schema dump) and sysinfo (system info)

The 10.17 release family supports the following Java and JDBC versions:

  • Java SE 21 and higher with JDBC 4.2.

10.17 does NOT support Java releases prior to Java SE 21.

New Features

The major feature of this release is support for Java SE 21.

New users should consult the 10.17 documentation, especially the Getting Started With Derby guide.

Bug Fixes

The following issues are addressed by Derby release 10.17.1.0. These issues are not addressed in the preceding 10.16.1.1 release.

Issue Id    Description
DERBY-7143  HarmonySerialBlob.getBinaryStream(long, long) makes it impossible to retrieve the last character of the Blob.
DERBY-7144  MERGE INSERT failing when target has GENERATED IDENTITY column
DERBY-7147  LDAP injection vulnerability in LDAPAuthenticationImpl
DERBY-7149  Make it possible to build and test Derby cleanly with JDK 20

Issues

Compared with the previous release (10.16.1.1), Derby release 10.17.1.0 introduces the following new features and incompatibilities. These merit your special attention.


Note for DERBY-7147

Summary of Change

Denial of service attacks might have been possible when using LDAP authentication.

Symptoms Seen by Applications Affected by Change

An LDAP injection vulnerability was identified. It was assigned this id: CVE-2022-46337. Credit for finding the vulnerability goes to 4ra1n and Y4tacker. Someone exploiting this vulnerability might have been able to log on with a bizarre user name which looked like an LDAP protocol string. The user would then have been able to create and populate tables and therefore exhaust disk resources. The vulnerability was closed by escaping LDAP protocol strings.
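
What escaping an LDAP string means in practice, as an added example that is not Derby's source code or its actual fix: a user name is placed into a search filter with and without RFC 4515 escaping, and the structure of the resulting filter is compared. The filter template, the uid attribute and the sample user names are assumptions.

```python
# Added illustration, not Derby source code. The filter template, the "uid"
# attribute and the sample user names are assumptions made for the example.

# RFC 4515: these characters must be hex-escaped inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Hex-escape every RFC 4515 special character in a filter value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unescaped(user: str) -> str:
    """'Before' form: the user name is concatenated into the filter as-is."""
    return "(&(objectClass=inetOrgPerson)(uid=" + user + "))"


def build_filter_escaped(user: str) -> str:
    """'After' form: the user name can only ever be a literal value."""
    return "(&(objectClass=inetOrgPerson)(uid=" + escape_filter_value(user) + "))"


def filter_shape(ldap_filter: str) -> tuple:
    """Return (number of filter components, number of wildcards).

    Escaped characters (\\28, \\2a, ...) contain no literal '(' or '*',
    so they do not count: only real filter syntax is measured.
    """
    return ldap_filter.count("("), ldap_filter.count("*")


if __name__ == "__main__":
    # Constructed inputs: an ordinary name and one that looks like filter syntax.
    for name in ("alice", "a*)(cn=*"):
        for build in (build_filter_unescaped, build_filter_escaped):
            f = build(name)
            print(f"{build.__name__:24} {name!r:12} {f}  shape={filter_shape(f)}")
```

With escaping, the filter keeps the same shape whatever the user name contains; without it, the name can add components and wildcards to the query.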

Application Changes Required

No application changes are necessary.

Build Environment

Derby release 10.17.1.0 was built using the following environment:

  • Branch - Source code came from the 10.18 branch.
  • Machine - Mac OSX 11.2.3.
  • Ant - Apache Ant(TM) version 1.10.14 compiled on August 16 2023.
  • Compiler - All classes were compiled by the javac from OpenJDK 64-Bit Server VM (build 21+35-2513, mixed mode, sharing).

Verifying Releases

It is essential that you verify the integrity of the downloaded files using the PGP signatures and SHA-512 checksums. SHA-512 verification ensures the file was not corrupted during the download process. PGP verification ensures that the file came from a certain person.

The PGP signatures can be verified using PGP or GPG. First download the Apache Derby KEYS as well as the asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror. Then verify the signatures using ...

% pgpk -a KEYS
% pgpv db-derby-X.Y.tar.gz.asc

or

% pgp -ka KEYS
% pgp db-derby-X.Y.tar.gz.asc

or

% gpg --import KEYS
% gpg --verify db-derby-X.Y.tar.gz.asc

To verify the SHA-512 checksums on the files, you need to use a platform-specific program. On Mac OSX, this program is called shasum, on Linux it is called sha512sum, and on Windows it is called CertUtil.
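
A single script that performs the SHA-512 check on all three platforms, as an added example that is not part of the Derby project's tooling. It assumes the downloaded checksum file uses either the "digest  filename" layout written by sha512sum and shasum or the "filename: DIGEST GROUPS" layout written by gpg --print-md; check which layout your file actually has.

```python
# Added example, not Derby tooling. Usage (file names are placeholders):
#   python verify_sha512.py db-derby-X.Y.tar.gz db-derby-X.Y.tar.gz.sha512
import hashlib
import hmac
import re
import sys

HEX128 = re.compile(r"[0-9a-f]{128}")  # a SHA-512 digest is 128 hex digits


def parse_sha512(text: str) -> str:
    """Extract the digest from the two checksum-file layouts assumed above."""
    tokens = text.lower().split()
    # Layout 1: "<digest>  <filename>" or a bare digest.
    if tokens and HEX128.fullmatch(tokens[0]):
        return tokens[0]
    # Layout 2: "<filename>: ABCD1234 ..." in spaced groups, possibly wrapped.
    if ":" in text:
        joined = "".join(text.lower().split(":", 1)[1].split())
        if HEX128.fullmatch(joined):
            return joined
    raise ValueError("no SHA-512 digest found in checksum text")


def sha512_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash the file in chunks so large archives are not loaded into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(path: str, checksum_text: str) -> bool:
    """True only if the file's digest equals the published one."""
    return hmac.compare_digest(sha512_of(path), parse_sha512(checksum_text))


if __name__ == "__main__":
    archive, checksum_file = sys.argv[1:3]
    with open(checksum_file, encoding="ascii") as f:
        ok = verify(archive, f.read())
    print("OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

A malformed or truncated checksum file raises ValueError instead of reporting a match, so a damaged checksum download cannot pass as a successful verification.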

We strongly recommend that you verify your downloads with both PGP and SHA-512.