www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rhille...@apache.org
Subject [ANNOUNCE] Apache Derby released
Date Wed, 19 May 2010 15:53:28 GMT
The Apache Derby project is pleased to announce release In addition to introducing
many new features, this release fixes a security flaw. Please see below for more details.

Apache Derby is a subproject of the Apache DB project. Derby is a pure Java relational database
engine which conforms to the ISO/ANSI SQL and JDBC standards. Derby aims to be easy for developers
and end-users to work with.

Derby can be obtained from the Derby download site:


Derby contains the following new features:

    * Sequence Generators - Named generators for allocating successive, evenly spaced numbers.
See feature T176 of the SQL Standard.
    * User-defined types - Named types bound to serializable Java objects.
    * Restricted table functions - Limits on the columns and rows returned by table functions.
    * XPLAIN statistics collection - Query plan statistics stored in tables for later analysis.
    * GROUP BY ROLLUP - A subset of the SQL Standard ROLLUP functionality on the GROUP BY
clause. See feature T431 of the SQL Standard.
    * CROSS JOIN - CROSS JOIN syntax. See feature F401-04 of the SQL Standard.
    * Named columns join - USING clauses in joins.
    * SHOW FUNCTIONS - IJ command that lists stored functions.
    * In-memory back end enhancements - Numerous improvements, including the ability to delete
in-memory databases.
    * ORDER BY in subqueries - Syntax for explicitly ordering rows returned by subqueries.
See features F851, F852, and F855 of the SQL Standard.
    * OFFSET, FETCH FIRST/NEXT in subqueries - Generalized syntax for retrieving row subsets.
See features F856, F857, F858, F859, F861, F862, F863, and F864 of the SQL Standard.
    * NATURAL JOIN - Support for NATURAL JOIN. See feature T431 of the SQL Standard.
    * Qualified identifers in ij - Ability to reference cursors and prepared statements in
other connections.
    * Configurable hash algorithm - Ability to customize the hash algorithm used by BUILTIN
    * Context-sniffing scripts - Ability of shipped scripts to locate Derby jars when DERBY_HOME
isn't set.
    * Case-insensitive strings - Ability to ignore case in string comparisons and sorts.

In addition, Derby contains many bug and documentation fixes.

Please try out this new release.


Derby also fixes a security flaw tracked by the Apache Common Vulnerabilities and
Exposures id "CVE-2009-4269". This flaw made it easy to crack passwords managed by Derby's
BUILTIN authentication logic. Originally, the BUILTIN logic was intended only for testing
purposes. However, Derby's user documentation suggested that this scheme was production-ready
and it appears that many users rely on BUILTIN authentication in production. Tracked by DERBY-4483,
the flaw is addressed as follows:

1) The bug itself is corrected for newly created 10.6 databases.

2) Password substitution is not allowed when logging into a database where the bug is corrected
and BUILTIN passwords are stored in the database. See the release note for DERBY-4483.

3) Derby's default password-hashing scheme is changed from SHA-1 to SHA-256, which is harder
to crack.

4) The user guides are glossed with warnings against production use of the BUILTIN authentication

Users are urged to

i) Migrate production systems off the BUILTIN mechanism onto Derby's LDAP and user-customized
authentication schemes.

ii) Or hard-upgrade to immediately and perform the following additional steps:

a) Set derby.authentication.builtin.algorithm to a stronger authentication scheme like SHA-256
or SHA-512.

b) Reset all passwords stored in the database.

c) Stop using strong password substitution. Instead, encrypt all network traffic using SSL/TLS.


View raw message