Conversation

@ivonaest
Contributor

@ivonaest ivonaest commented Dec 4, 2025

Summary

  1. Why:
    To remove CVEs:

    • CVE-2022-46337 is a vulnerability that lets attackers bypass LDAP login checks using a specifically crafted username, which gives them access to the database where they can run database functions without proper authorisation.
  2. What:

    • Upgrade derby, derbyclient and derbytools to 10.17.1.0 to remove CVE-2022-46337

Additional evidence

Partial output from security scanner Trivy:
spring-framework cves derby

Categorization

  • security/CVE

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Dec 4, 2025
@bclozel
Member

bclozel commented Dec 4, 2025

Thanks, but we'd rather deal with those updates ourselves. In #35924, I initially thought that this CVE warning was reported in your application, not against our own build. As those are compile-only dependencies and never published as dependencies in our POMs, CVEs should not be the main motivation but rather compatibility.

@bclozel bclozel closed this Dec 4, 2025
@bclozel bclozel added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Dec 4, 2025
@ivonaest
Contributor Author

ivonaest commented Dec 4, 2025

@bclozel I understand. I'll let you handle these CVEs then. Please feel free to reach out if you'll need any support with future CVE handling.