Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2017/04/14 14:16:41 UTC

[jira] [Commented] (QPID-7745) [Java Broker] Bump dependency version of Apache Derby

    [ https://issues.apache.org/jira/browse/QPID-7745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969080#comment-15969080 ] 

Rob Godfrey commented on QPID-7745:
-----------------------------------

Looking at that CVE, I assume that the way Qpid uses Derby there is no risk associated with that issue (since it doesn't use XML datatypes, and the Derby store is not exposed in any way for others to work with the database directly).

Agree on the plan to update the dependency (obviously).

> [Java Broker] Bump dependency version of Apache Derby
> -----------------------------------------------------
>
>                 Key: QPID-7745
>                 URL: https://issues.apache.org/jira/browse/QPID-7745
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: qpid-java-6.0.6, qpid-java-6.1.2, qpid-java-broker-7.0.0
>            Reporter: Lorenz Quack
>             Fix For: qpid-java-broker-7.0.0
>
>
> We are currently depending on [Apache Derby|https://db.apache.org/derby/] version 10.11.1.1 which was released August 26, 2014.
> It contains a vulnerability, [CVE-2015-1832|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832].
> Since then, there have been two releases, 1.12.1.1 (October 11, 2015) and 1.13.1.1 (October 25, 2016), which both contain a fix for the above CVE.
> We should review the changes and move to a version without known CVEs.