derby-10.11.1.1-3.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10092-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z derby-10.11.1.1-3.2 on GA media These are all security issues fixed in the derby-10.11.1.1-3.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10092 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2005-4849/ SUSE CVE CVE-2005-4849 page https://www.suse.com/security/cve/CVE-2006-7216/ SUSE CVE CVE-2006-7216 page https://www.suse.com/security/cve/CVE-2006-7217/ SUSE CVE CVE-2006-7217 page https://www.suse.com/security/cve/CVE-2015-1832/ SUSE CVE CVE-2015-1832 page openSUSE Tumbleweed derby-10.11.1.1-3.2 derby-javadoc-10.11.1.1-3.2 derby-10.11.1.1-3.2 as a component of openSUSE Tumbleweed derby-javadoc-10.11.1.1-3.2 as a component of openSUSE Tumbleweed Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information. CVE-2005-4849 openSUSE Tumbleweed:derby-10.11.1.1-3.2 openSUSE Tumbleweed:derby-javadoc-10.11.1.1-3.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-4849.html CVE-2005-4849 https://bugzilla.suse.com/291035 SUSE Bug 291035 Apache Derby before 10.2.1.6 does not determine privilege requirements for lock table statements at compilation time, and consequently does not enforce privilege requirements at execution time, which allows remote authenticated users to lock arbitrary tables. CVE-2006-7216 openSUSE Tumbleweed:derby-10.11.1.1-3.2 openSUSE Tumbleweed:derby-javadoc-10.11.1.1-3.2 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-7216.html CVE-2006-7216 https://bugzilla.suse.com/291035 SUSE Bug 291035 Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode. CVE-2006-7217 openSUSE Tumbleweed:derby-10.11.1.1-3.2 openSUSE Tumbleweed:derby-javadoc-10.11.1.1-3.2 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-7217.html CVE-2006-7217 https://bugzilla.suse.com/291035 SUSE Bug 291035 XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype. CVE-2015-1832 openSUSE Tumbleweed:derby-10.11.1.1-3.2 openSUSE Tumbleweed:derby-javadoc-10.11.1.1-3.2 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1832.html CVE-2015-1832 https://bugzilla.suse.com/1002763 SUSE Bug 1002763