db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Hillegas <rick.hille...@oracle.com>
Subject [ANNOUNCE] Apache Derby released
Date Wed, 19 May 2010 15:58:10 GMT
The Apache Derby project is pleased to announce release In 
addition to introducing many new features, this release fixes a security 
flaw. Please see below for more details.

Apache Derby is a subproject of the Apache DB project. Derby is a pure 
Java relational database engine which conforms to the ISO/ANSI SQL and 
JDBC standards. Derby aims to be easy for developers and end-users to 
work with.

Derby can be obtained from the Derby download site:


Derby contains the following new features:

    * Sequence Generators - Named generators for allocating successive, 
evenly spaced numbers. See feature T176 of the SQL Standard.
    * User-defined types - Named types bound to serializable Java objects.
    * Restricted table functions - Limits on the columns and rows 
returned by table functions.
    * XPLAIN statistics collection - Query plan statistics stored in 
tables for later analysis.
    * GROUP BY ROLLUP - A subset of the SQL Standard ROLLUP 
functionality on the GROUP BY clause. See feature T431 of the SQL Standard.
    * CROSS JOIN - CROSS JOIN syntax. See feature F401-04 of the SQL 
    * Named columns join - USING clauses in joins.
    * SHOW FUNCTIONS - IJ command that lists stored functions.
    * In-memory back end enhancements - Numerous improvements, including 
the ability to delete in-memory databases.
    * ORDER BY in subqueries - Syntax for explicitly ordering rows 
returned by subqueries. See features F851, F852, and F855 of the SQL 
    * OFFSET, FETCH FIRST/NEXT in subqueries - Generalized syntax for 
retrieving row subsets. See features F856, F857, F858, F859, F861, F862, 
F863, and F864 of the SQL Standard.
    * NATURAL JOIN - Support for NATURAL JOIN. See feature T431 of the 
SQL Standard.
    * Qualified identifers in ij - Ability to reference cursors and 
prepared statements in other connections.
    * Configurable hash algorithm - Ability to customize the hash 
algorithm used by BUILTIN authentication.
    * Context-sniffing scripts - Ability of shipped scripts to locate 
Derby jars when DERBY_HOME isn't set.
    * Case-insensitive strings - Ability to ignore case in string 
comparisons and sorts.

In addition, Derby contains many bug and documentation fixes.

Please try out this new release.


Derby also fixes a security flaw tracked by the Apache Common 
Vulnerabilities and Exposures id "CVE-2009-4269". This flaw made it easy 
to crack passwords managed by Derby's BUILTIN authentication logic. 
Originally, the BUILTIN logic was intended only for testing purposes. 
However, Derby's user documentation suggested that this scheme was 
production-ready and it appears that many users rely on BUILTIN 
authentication in production. Tracked by DERBY-4483, the flaw is 
addressed as follows:

1) The bug itself is corrected for newly created 10.6 databases.

2) Password substitution is not allowed when logging into a database 
where the bug is corrected and BUILTIN passwords are stored in the 
database. See the release note for DERBY-4483.

3) Derby's default password-hashing scheme is changed from SHA-1 to 
SHA-256, which is harder to crack.

4) The user guides are glossed with warnings against production use of 
the BUILTIN authentication mechanism.

Users are urged to

i) Migrate production systems off the BUILTIN mechanism onto Derby's 
LDAP and user-customized authentication schemes.

ii) Or hard-upgrade to immediately and perform the following 
additional steps:

a) Set derby.authentication.builtin.algorithm to a stronger 
authentication scheme like SHA-256 or SHA-512.

b) Reset all passwords stored in the database.

c) Stop using strong password substitution. Instead, encrypt all network 
traffic using SSL/TLS.


View raw message