openjpa-dev mailing list archives

From Donald Woods <>
Subject Fwd: [ANNOUNCE] Apache Derby released
Date Wed, 19 May 2010 16:14:18 GMT

-------- Original Message --------
Subject: [ANNOUNCE] Apache Derby released
Date: 19 May 2010 15:53:28 -0000

The Apache Derby project is pleased to announce release. In
addition to introducing many new features, this release fixes a security
flaw. Please see below for more details.

Apache Derby is a subproject of the Apache DB project. Derby is a pure
Java relational database engine which conforms to the ISO/ANSI SQL and
JDBC standards. Derby aims to be easy for developers and end-users to
work with.

Derby can be obtained from the Derby download site:

Derby contains the following new features:

    * Sequence Generators - Named generators for allocating successive,
evenly spaced numbers. See feature T176 of the SQL Standard.
    * User-defined types - Named types bound to serializable Java objects.
    * Restricted table functions - Limits on the columns and rows
returned by table functions.
    * XPLAIN statistics collection - Query plan statistics stored in
tables for later analysis.
    * GROUP BY ROLLUP - A subset of the SQL Standard ROLLUP
functionality on the GROUP BY clause. See feature T431 of the SQL Standard.
    * CROSS JOIN - CROSS JOIN syntax. See feature F401-04 of the SQL
    * Named columns join - USING clauses in joins.
    * SHOW FUNCTIONS - IJ command that lists stored functions.
    * In-memory back end enhancements - Numerous improvements, including
the ability to delete in-memory databases.
    * ORDER BY in subqueries - Syntax for explicitly ordering rows
returned by subqueries. See features F851, F852, and F855 of the SQL
    * OFFSET, FETCH FIRST/NEXT in subqueries - Generalized syntax for
retrieving row subsets. See features F856, F857, F858, F859, F861, F862,
F863, and F864 of the SQL Standard.
    * NATURAL JOIN - Support for NATURAL JOIN. See feature T431 of the
SQL Standard.
    * Qualified identifiers in ij - Ability to reference cursors and
prepared statements in other connections.
    * Configurable hash algorithm - Ability to customize the hash
algorithm used by BUILTIN authentication.
    * Context-sniffing scripts - Ability of shipped scripts to locate
Derby jars when DERBY_HOME isn't set.
    * Case-insensitive strings - Ability to ignore case in string
comparisons and sorts.

In addition, Derby contains many bug and documentation fixes.

Please try out this new release.


Derby also fixes a security flaw tracked by the Apache Common
Vulnerabilities and Exposures id "CVE-2009-4269". This flaw made it easy
to crack passwords managed by Derby's BUILTIN authentication logic.
Originally, the BUILTIN logic was intended only for testing purposes.
However, Derby's user documentation suggested that this scheme was
production-ready and it appears that many users rely on BUILTIN
authentication in production. Tracked by DERBY-4483, the flaw is
addressed as follows:

1) The bug itself is corrected for newly created 10.6 databases.

2) Password substitution is not allowed when logging into a database
where the bug is corrected and BUILTIN passwords are stored in the
database. See the release note for DERBY-4483.

3) Derby's default password-hashing scheme is changed from SHA-1 to
SHA-256, which is harder to crack.

4) The user guides are glossed with warnings against production use of
the BUILTIN authentication mechanism.

Users are urged to

i) Migrate production systems off the BUILTIN mechanism onto Derby's
LDAP and user-customized authentication schemes.

ii) Or hard-upgrade to immediately and perform the following
additional steps:

a) Set derby.authentication.builtin.algorithm to a stronger
authentication scheme like SHA-256 or SHA-512.

b) Reset all passwords stored in the database.

c) Stop using strong password substitution. Instead, encrypt all network
traffic using SSL/TLS.


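The remediation steps in the announcement (hard-upgrade, set derby.authentication.builtin.algorithm, reset every stored password, move credentials onto TLS) can be scripted against the database through Derby's SYSCS_UTIL system procedures. The following is an added example written for this archive page; it is not code from the Derby project or from the announcement. It assumes derby.jar on the classpath, an existing database at the placeholder path DB_PATH, a database-owner account (OWNER / OWNER_PW) that is allowed to set database properties, and the placeholder user names and passwords listed in NEW_PASSWORDS; the network server host and port in the final comment are likewise assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example (not part of the Derby announcement or the Derby code base):
// carries out steps ii.a-c above against an existing BUILTIN-authenticated
// database. DB_PATH, OWNER, OWNER_PW and NEW_PASSWORDS are placeholders.
public class HardenBuiltinAuth {
    static final String DB_PATH = "/var/lib/derby/appdb";        // assumption
    static final String OWNER = "dbowner";                       // assumption
    static final String OWNER_PW = "current-owner-password";     // assumption
    // Placeholder replacement passwords; in practice these come from a
    // secret store, never from source code.
    static final String[][] NEW_PASSWORDS = {
        {OWNER, "new-owner-password"},
        {"app", "new-app-password"},
    };

    // Derby system procedure for database-level (stored-in-database) properties.
    static void setProperty(Connection c, String key, String value) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)")) {
            ps.setString(1, key);
            ps.setString(2, value);
            ps.execute();
        }
    }

    // Read a database property back so the change can be verified.
    static String getProperty(Connection c, String key) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY(?)")) {
            ps.setString(1, key);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Step ii: hard-upgrade. The upgrade=true connection attribute commits
        // the database to the new on-disk format; it cannot be reverted.
        String url = "jdbc:derby:" + DB_PATH + ";upgrade=true";
        try (Connection c = DriverManager.getConnection(url, OWNER, OWNER_PW)) {
            c.setAutoCommit(false);

            // (a) Use a stronger digest for BUILTIN password hashing. The value
            //     is a java.security.MessageDigest algorithm name.
            setProperty(c, "derby.authentication.builtin.algorithm", "SHA-256");

            // Keep authentication switched on and stored in the database;
            // derby.database.propertiesOnly prevents a system-wide
            // derby.properties file from overriding these settings.
            setProperty(c, "derby.connection.requireAuthentication", "true");
            setProperty(c, "derby.authentication.provider", "BUILTIN");
            setProperty(c, "derby.database.propertiesOnly", "true");

            // (b) Reset every password. A password hashed before the algorithm
            //     change keeps its old hash, so each derby.user.<name> property
            //     must be rewritten to obtain a hash under the new algorithm.
            for (String[] user : NEW_PASSWORDS) {
                setProperty(c, "derby.user." + user[0], user[1]);
            }
            c.commit();

            // Check the algorithm actually took effect before anyone reconnects.
            String alg = getProperty(c, "derby.authentication.builtin.algorithm");
            if (!"SHA-256".equals(alg)) {
                throw new IllegalStateException("expected SHA-256, got: " + alg);
            }
        }
        // (c) Stop relying on password substitution; protect the credentials in
        //     transit instead. Start the network server with derby.drda.sslMode
        //     set to basic (or peerAuthentication) and have clients connect with
        //     an ssl attribute, e.g. (host and port assumed):
        //     jdbc:derby://db.example.internal:1527/appdb;ssl=basic;user=app;password=...
    }
}
```

Run it once, as the database owner, with no other sessions open; after it completes, every user must log in with the new password, and the old hashes are gone from the database. The verification step matters because SYSCS_SET_DATABASE_PROPERTY silently stores whatever string it is given, so a misspelled property name would leave the old algorithm in force.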