
Debian Bug report logs - #1056755
derby: CVE-2022-46337


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 25 Nov 2023 22:00:01 UTC

Severity: important

Tags: security, upstream

Found in version derby/10.14.2.0-2

Fixed in version derby/10.14.2.0-3

Done: tony mancill <tmancill@debian.org>

Forwarded to https://issues.apache.org/jira/browse/DERBY-7147



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1056755; Package src:derby. (Sat, 25 Nov 2023 22:00:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 25 Nov 2023 22:00:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: derby: CVE-2022-46337
Date: Sat, 25 Nov 2023 22:56:35 +0100
Source: derby
Version: 10.14.2.0-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/DERBY-7147
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for derby.

CVE-2022-46337[0]:
| A cleverly devised username might bypass LDAP authentication checks.
| In LDAP-authenticated Derby installations, this could let an
| attacker fill up the disk by creating junk Derby databases. In
| LDAP-authenticated Derby installations, this could also allow the
| attacker to execute malware which was visible to and executable by
| the account which booted the Derby server. In LDAP-protected
| databases which weren't also protected by SQL GRANT/REVOKE
| authorization, this vulnerability could also let an attacker view
| and corrupt sensitive data and run sensitive database functions and
| procedures. Mitigation: Users should upgrade to Java 21 and Derby
| 10.17.1.0. Alternatively, users who wish to remain on older Java
| versions should build their own Derby distribution from one of the
| release families to which the fix was backported: 10.16, 10.15, and
| 10.14. Those are the releases which correspond, respectively, with
| Java LTS versions 17, 11, and 8.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46337
    https://www.cve.org/CVERecord?id=CVE-2022-46337
[1] https://issues.apache.org/jira/browse/DERBY-7147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
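
The CVE text above gives the two conditions that matter for triage: LDAP authentication must be the configured provider for the bypass to apply at all, and the absence of SQL GRANT/REVOKE authorization turns a login bypass into data exposure. The following script is an added example, not part of this bug report, of the Derby project or of the CVE record. It reads a derby.properties file and applies those conditions, plus the upstream fixed-version threshold (10.17.1.0). It assumes the standard Derby system property names (derby.connection.requireAuthentication, derby.authentication.provider, derby.database.sqlAuthorization), compares the provider name case-insensitively, and uses sample properties files constructed for the example.

```python
"""Exposure triage for CVE-2022-46337 (Derby LDAP authentication bypass).

Added example, not code from the Debian bug report, the Derby project or
the CVE record. Reads a derby.properties file and classifies the
installation by the CVE's conditions: LDAP authentication means the
bypass applies; no SQL GRANT/REVOKE authorization widens the impact.

Assumptions: standard Derby property names, provider compared
case-insensitively, sample files below constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# First upstream release family that ships the fix, per the CVE text.
FIXED_UPSTREAM = (10, 17, 1, 0)


def parse_properties(text: str) -> dict[str, str]:
    """Small Java .properties reader: '#'/'!' comments, '=' ':' or
    whitespace as separator, and backslash line continuations."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()  # continuation lines drop leading blanks
        pending = ""
        # A single trailing backslash continues the logical line on the next one.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def version_tuple(version: str) -> tuple[int, ...]:
    """'10.14.2.0-3' -> (10, 14, 2, 0); a Debian revision suffix is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:4])


def truthy(value: str | None) -> bool:
    return (value or "").strip().lower() == "true"


@dataclass
class Finding:
    exposed: bool
    reasons: list[str] = field(default_factory=list)


def triage(props: dict[str, str], derby_version: str | None = None) -> Finding:
    """Apply the CVE's conditions to a parsed properties file."""
    finding = Finding(exposed=False)
    if not truthy(props.get("derby.connection.requireAuthentication")):
        finding.reasons.append("requireAuthentication is not true: clients connect "
                               "without authenticating, so the LDAP bypass adds nothing")
        return finding
    provider = props.get("derby.authentication.provider", "BUILTIN")
    if provider.strip().upper() != "LDAP":
        finding.reasons.append(f"provider is {provider!r}, not LDAP: CVE-2022-46337 does not apply")
        return finding
    if derby_version is not None and version_tuple(derby_version) >= FIXED_UPSTREAM:
        finding.reasons.append(f"Derby {derby_version} is at or above 10.17.1.0, which carries the fix")
        return finding
    finding.exposed = True
    finding.reasons.append("LDAP authentication in use: a crafted username can bypass the check "
                           "(junk databases fill the disk; code visible to the server account can be run)")
    if truthy(props.get("derby.database.sqlAuthorization")):
        finding.reasons.append("SQL GRANT/REVOKE authorization is on: limits what a bypassed login can read or run")
    else:
        finding.reasons.append("derby.database.sqlAuthorization is not true: a bypassed login "
                               "can also view and corrupt data and call sensitive routines")
    if derby_version is not None:
        finding.reasons.append(f"Derby {derby_version} is below 10.17.1.0: fix status depends on a "
                               "backported patch (Debian ships it in 10.14.2.0-3), not on the version alone")
    return finding


# Constructed sample: LDAP auth without SQL authorization (the worst case in the CVE text).
SAMPLE_WEAK = """\
# constructed derby.properties for this example
derby.connection.requireAuthentication=true
derby.authentication.provider=LDAP
derby.authentication.server=ldap://ldap.example.internal:389
derby.authentication.ldap.searchBase=ou=people,dc=example,dc=internal
derby.authentication.ldap.searchFilter=(&(objectClass=inetOrgPerson)\\
    (uid=%USERNAME%))
"""
# Same file with GRANT/REVOKE authorization switched on.
SAMPLE_HARDENED = SAMPLE_WEAK + "derby.database.sqlAuthorization=true\n"

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = triage(parse_properties(text), derby_version="10.14.2.0")
        print(f"{label}: {'EXPOSED' if result.exposed else 'not exposed'}")
        for reason in result.reasons:
            print("  -", reason)
```

Two caveats when using this on a real host: derby.database.sqlAuthorization can also be set per database through SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY, so a properties file that does not mention it is not proof that authorization is off for every database; and for the 10.14, 10.15 and 10.16 families the version number alone says nothing about whether the backported fix is present, which is why the script only reports it as undetermined there (on Debian the fixed package is 10.14.2.0-3, as this report records).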



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1056755. (Sun, 26 Nov 2023 05:42:03 GMT)


Message #8 received at 1056755-submitter@bugs.debian.org:

From: Tony Mancill <noreply@salsa.debian.org>
To: 1056755-submitter@bugs.debian.org
Subject: Bug#1056755 marked as pending in derby
Date: Sun, 26 Nov 2023 05:38:08 +0000
Control: tag -1 pending

Hello,

Bug #1056755 in derby reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/derby/-/commit/49c33ccb9191cfc2c38971eea1df491a8a82941e

------------------------------------------------------------------------
Add patch for CVE-2022-46337 (Closes: #1056755)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1056755



Added tag(s) pending. Request was from Tony Mancill <noreply@salsa.debian.org> to 1056755-submitter@bugs.debian.org. (Sun, 26 Nov 2023 05:42:03 GMT)


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sun, 26 Nov 2023 06:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 26 Nov 2023 06:09:03 GMT)


Message #15 received at 1056755-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1056755-close@bugs.debian.org
Subject: Bug#1056755: fixed in derby 10.14.2.0-3
Date: Sun, 26 Nov 2023 06:04:38 +0000
Source: derby
Source-Version: 10.14.2.0-3
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
derby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1056755@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated derby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 25 Nov 2023 21:25:10 -0800
Source: derby
Architecture: source
Version: 10.14.2.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1056755
Changes:
 derby (10.14.2.0-3) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for CVE-2022-46337 (Closes: #1056755)
   * Update lintian-overrides for derby source package
Checksums-Sha1:
 ca77ec0e284c8283fa0af24c1ce036ed9faa4fe8 2287 derby_10.14.2.0-3.dsc
 6630d887edbd7fbe9031c57f8dfa470dc95c8e51 15940 derby_10.14.2.0-3.debian.tar.xz
 e136058fcafa29cd0f431fefc42df29d020d2f4f 10438 derby_10.14.2.0-3_amd64.buildinfo
Checksums-Sha256:
 8d0d61062d367dbdf41692338333e3b0d39ba3c41d35c684ad98d6f838cb77f4 2287 derby_10.14.2.0-3.dsc
 696f352282712ad691ff42bc60ce49dbd55143db4b61cdad4ecc2a466cd224d3 15940 derby_10.14.2.0-3.debian.tar.xz
 234edb52507cb910095799b76892797fe18f9d000a6f1d650cd35ea4d3b62157 10438 derby_10.14.2.0-3_amd64.buildinfo
Files:
 9451345f45a5b977e957bb012b35e731 2287 java optional derby_10.14.2.0-3.dsc
 81224eb32a62fe3f8cdbf683958d2301 15940 java optional derby_10.14.2.0-3.debian.tar.xz
 d8c744964d87cae1cf325621746ceb3d 10438 java optional derby_10.14.2.0-3_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Nov 26 08:16:36 2023; Machine Name: bembo
