qpid-dev mailing list archives

From "Rob Godfrey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-7745) [Java Broker] Bump dependency version of Apache Derby
Date Fri, 14 Apr 2017 14:16:41 GMT

    [ https://issues.apache.org/jira/browse/QPID-7745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969080#comment-15969080 ]

Rob Godfrey commented on QPID-7745:
-----------------------------------

Looking at that CVE, I assume that the way Qpid uses Derby there is no risk associated with
that issue (since it doesn't use XML datatypes, and the Derby store is not exposed in any
way for others to work with the database directly).

Agree on the plan to update the dependency (obviously).

> [Java Broker] Bump dependency version of Apache Derby
> -----------------------------------------------------
>
>                 Key: QPID-7745
>                 URL: https://issues.apache.org/jira/browse/QPID-7745
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0.6, qpid-java-6.1.2, qpid-java-broker-7.0.0
>            Reporter: Lorenz Quack
>             Fix For: qpid-java-broker-7.0.0
>
>
> We are currently depending on [Apache Derby|https://db.apache.org/derby/] version 10.11.1.1 which was released August 26, 2014.
> It contains a vulnerability [CVE-2015-1832|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832]
> Since then there were two releases 1.12.1.1 (October 11, 2015) and 1.13.1.1 (October 25, 2016) which both contain a fix for the above CVE.
> We should review the changes and move to a version without known CVE.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
